Key Operators of LockerGoga, MegaCortex, and Nefilim Ransomware Gangs Arrested

The U.S. District Court for the Eastern District of New York has charged Volodymyr Viktorovich Tymoshchuk, a Ukrainian national known as deadforz, Boba, msfv, and farnetwork, for his role in administering LockerGoga, MegaCortex, and Nefilim ransomware operations.

The indictment alleges that Tymoshchuk managed attacks against more than 250 companies in the U.S. and hundreds of organizations globally. These ransomware attacks caused severe disruption to business operations and led to significant financial losses.

Authorities say Tymoshchuk targeted high-profile American corporations, health care institutions, and major foreign industrial firms.

He threatened victims with data leaks if ransom payments were not made. When law enforcement developed decryption tools for earlier ransomware strains, Tymoshchuk switched to newer variants to avoid detection and remain effective.

Now, international coordination has uncovered and charged a dangerous ransomware actor who will face justice.

Ransomware Attacks, Law Enforcement Response, and Decryption Efforts

From December 2018 to October 2021, Tymoshchuk and his co-conspirators allegedly used LockerGoga, MegaCortex, and later Nefilim ransomware to breach computer networks in the United States, France, Germany, the Netherlands, Norway, and Switzerland.

These attacks involved customized ransomware executables for each targeted victim, ensuring that only the attacker could unlock the encrypted data after ransom payment.

Authorities claim that between July 2019 and June 2020, the group compromised networks of hundreds of companies with LockerGoga and MegaCortex ransomware.

Notably, proactive law enforcement informed many victims before the ransomware was fully deployed, thwarting several extortion attempts.

From July 2020 onwards, Tymoshchuk is alleged to have been an administrator of Nefilim ransomware, granting affiliates—like co-defendant Artem Stryzhak—access to the malicious tool in exchange for 20 percent of the ransoms.

In September 2022, international law enforcement released decryption keys for both LockerGoga and MegaCortex through the “No More Ransomware Project,” allowing victims to recover encrypted files without paying criminals.

Tymoshchuk is facing multiple charges, including conspiracy to commit computer fraud, intentional damage to protected computers, unauthorized access, and threats to disclose confidential information.

The FBI is actively investigating, with help from law enforcement agencies in Europe and Ukraine. The Justice Department, FBI, Europol, and others have collaborated on this global cybercrime case.

To aid the investigation, the U.S. Department of State’s Transnational Organized Crime Rewards Program is offering up to $11 million for information leading to the arrest or conviction of Tymoshchuk or his associates.

Anyone with information can contact the FBI via phone or email, or reach out to the nearest U.S. embassy for more details about the reward program.

Authorities remind the public that an indictment is an allegation and defendants are presumed innocent until proven guilty in court.

The announcement serves as a warning to cybercriminals worldwide: law enforcement is committed to disrupting malicious operations and holding perpetrators accountable.
