U.S. places $11 million bounty on Ukrainian ransomware mastermind — Tymoshchuk allegedly stole $18 billion from large companies over 3 years


The United States has placed an $11 million bounty on Volodymyr Tymoshchuk, a Ukrainian man wanted for his involvement in a string of ransomware cybercrimes. Tymoshchuk faces severe federal charges for reportedly masterminding the theft of a combined $18 billion over a three-year period.

Tymoshchuk is accused of being the kingpin behind the MegaCortex, LockerGoga, and Nefilim ransomware operations, which were active from Dec. 2018 to Oct. 2021. MegaCortex, which we covered in 2019, changed the Windows passwords and encrypted the files of the host computer, and its operators threatened to make sensitive files public if the ransom went unpaid.

"Tymoshchuk is a serial ransomware criminal who targeted blue-chip American companies, health care institutions, and large foreign industrial firms," said U.S. Attorney Joseph Nocella Jr. in a statement from the Justice Department. One of the highest-profile thefts linked to Tymoshchuk and LockerGoga was the attack on Norsk Hydro, a renewable energy company based in Norway. The attack on Norsk caused a reported $81 million in damages as all of its 170 sites were impacted at some level.

Nocella continued, "For a time, the defendant stayed ahead of law enforcement by deploying new strains of malicious software when his old ones were decrypted. Today’s charges reflect international coordination to unmask and charge a dangerous and pervasive ransomware actor who can no longer remain anonymous."

Tymoshchuk is alleged to have run the LockerGoga and MegaCortex operations between July 2019 and June 2020, at which point the two ransomware strains went largely dark. From then on, Tymoshchuk is accused of having helped to engineer and administer the Nefilim ransomware strain, selling access to it to affiliate attackers in exchange for 20% of the ransom received from each successful attack.

An unsealed indictment, archived by The Register, lists a number of unnamed victim companies from across the United States and Europe. Tymoshchuk faces seven charges in total, relating to intentional damage to a protected computer and threats to disclose private information. If found guilty, Tymoshchuk faces a maximum sentence of life in prison.

In hindsight, the LockerGoga/MegaCortex and Nefilim schemes look fairly different from one another. Both relied on Metasploit and Cobalt Strike, penetration-testing tools that the attackers repurposed for intrusion; the intruders then stayed under the radar on victim networks, sometimes for months, before launching the ransomware.

MegaCortex reportedly broke containment in Nov. 2019. Originally intended for use exclusively against corporate targets, the ransomware soon spread to individual user PCs with certain vulnerabilities. Conversely, Nefilim affiliates and administrators deliberately restricted their targets to companies valued at $100 million or more, according to the indictment (contradicting contemporary reporting, which found Nefilim's MO to be companies worth over the $1 billion mark).

If Tymoshchuk is successfully extradited to the United States, he'll face an uphill battle in the U.S. court system, as he is linked to the already-extradited Artem Stryzhak (Tymoshchuk's co-defendant in the trial).


Sunny Grimm is a contributing writer for Tom's Hardware. He has been building and breaking computers since 2017, serving as the resident youngster at Tom's. From APUs to RGB, Sunny has a handle on all the latest tech news.
