United States Attorney's Office for the Eastern District of New York

09/09/2025 | Press release | Distributed by Public on 09/09/2025 09:48

Ransomware Administrator Charged with Cybercrimes for Deploying “Lockergoga,” “Nefilim,” and “Megacortex” Ransomware Strains Against Hundreds of Victims

Tuesday, September 9, 2025
For Immediate Release
U.S. Attorney's Office, Eastern District of New York
State Department Offers Up to $11 Million Reward for Information

BROOKLYN, NY - Earlier today, a superseding indictment was unsealed charging Volodymyr Tymoshchuk, also known as "deadforz," "Boba," "msfv," and "farnetwork," a Ukrainian national, for his role in international ransomware schemes. Tymoshchuk is not in U.S. custody.

Joseph Nocella, Jr., United States Attorney for the Eastern District of New York; Matthew R. Galeotti, Acting Assistant Attorney General of the Justice Department's Criminal Division; Christopher Raia, Assistant Director in Charge, Federal Bureau of Investigation, New York Field Office (FBI); and FBI Special Agent in Charge Christopher J.S. Johnson, Springfield, Illinois Field Office, announced the superseding indictment.

"Tymoshchuk is a serial ransomware criminal who targeted blue-chip American companies, health care institutions, and large foreign industrial firms, and threatened to leak their sensitive data online if they refused to pay," stated United States Attorney Nocella. "For a time, the defendant stayed ahead of law enforcement by deploying new strains of malicious software when his old ones were decrypted. Today's charges reflect international coordination to unmask and charge a dangerous and pervasive ransomware actor who can no longer remain anonymous."

"Volodymyr Tymoshchuk is charged for his role in ransomware schemes that extorted more than 250 companies across the United States and hundreds more around the world," stated Acting Assistant Attorney General Galeotti. "In some instances, these attacks resulted in the complete disruption of business operations until encrypted data could be recovered or restored. This prosecution and today's rewards announcement reflect our determination to protect businesses from digital sabotage and extortion and to relentlessly pursue the criminals responsible, no matter where they are located."

"Volodymyr Tymoshchuk repeatedly used ransomware attacks to target hundreds of companies in the United States and around the globe in attempts to extort victims. Today's announcement should serve as a warning: cyber criminals may believe they act with impunity while conducting harmful cyber intrusions, but law enforcement is onto you and will hold you accountable," stated FBI Assistant Director in Charge Raia. "The FBI along with our law enforcement partners will continue to scour the globe to bring to justice any individual attempting to use the anonymity of the internet to commit crime."

"The criminals behind Nefilim ransomware may believe they can profit from extortion and data leaks, but they are wrong. The FBI is actively pursuing them to disrupt their operations and bring them to justice. We urge all organizations to report these attacks immediately - because every report helps us dismantle these networks and ensure cybercriminals are held accountable," stated Springfield, Illinois Special Agent in Charge Johnson.

As alleged in the superseding indictment, between December 2018 and October 2021, LockerGoga, MegaCortex, and Nefilim ransomware were used to encrypt computer networks in countries around the world, including against victims in the Eastern District of New York and across the United States, France, Germany, the Netherlands, Norway, and Switzerland. These ransomware attacks caused tens of millions of dollars of losses, resulting both from damage to victim computer systems and from ransomware payments to the perpetrators. The ransomware attacks would lock up a victim's computer files, and only if the victim paid the ransom demand would the perpetrators send a decryption tool that enabled the victim to decrypt and regain access to those files.

The LockerGoga and MegaCortex Ransomware Variants

Tymoshchuk and his co-conspirators initially gained unauthorized access to victim networks in various ways, including through use of hacking tools to identify security vulnerabilities, perform brute-force password cracking attacks, and retrieve stored password credentials. At times, the co-conspirators also purchased compromised access credentials to victim networks. Tymoshchuk and his co-conspirators then used additional hacking tools to explore the victim networks, obtain persistent remote access, move laterally (i.e., access other systems within each computer or network) and escalate privileges (i.e., gain greater authority over the computer or network).

After gaining sufficient access to the victims' networks, the co-conspirators deployed either LockerGoga or MegaCortex ransomware. Between approximately July 2019 and June 2020, Tymoshchuk and his co-conspirators compromised the networks of more than 250 victim companies in the United States and hundreds of other companies around the world. Many of these extortion attempts failed due to the vigilance of law enforcement officials, who notified victims that their networks had been compromised before Tymoshchuk could deploy ransomware.

In September 2022, as part of an international coordinated effort, decryption keys associated with LockerGoga and MegaCortex ransomware were made available to the public via the "No More Ransomware Project." These decryption keys enabled compromised victim companies and institutions to recover data previously encrypted with LockerGoga and MegaCortex ransomware.

The Nefilim Ransomware Variant

From approximately July 2020 through October 2021, Tymoshchuk was one of the administrators of Nefilim ransomware, a "ransomware as a service" enterprise that provided ransomware tools to affiliates in return for a percentage of the extortionate payments they collected. Among Tymoshchuk's affiliates was his co-defendant Artem Stryzhak, who paid Tymoshchuk 20 percent of the ransom proceeds he collected. In exchange, Tymoshchuk gave Stryzhak access to the Nefilim ransomware "panel," an online platform for Nefilim affiliates to access the ransomware.

Tymoshchuk at times described his preferred ransomware targets as companies located in the United States, Canada, or Australia with more than $100 million in annual revenue. In one exchange with Stryzhak in or about July 2021, Tymoshchuk encouraged him to target companies in these countries with more than $200 million in annual revenue. Tymoshchuk researched companies to target, using online databases to gather information about the victim companies' net worth, size, and contact information.

After gaining sufficient access to the victims' networks, Tymoshchuk and his co-conspirators stole data in furtherance of their scheme to extort ransom payments from them. Nefilim ransom notes typically threatened the victims that unless they came to an agreement with the ransomware actors, the stolen data would be published on publicly accessible "Corporate Leaks" websites, which were maintained by Nefilim administrators.

The charges in the superseding indictment are allegations and the defendants are presumed innocent unless and until proven guilty. Stryzhak, who was extradited from Spain in April 2025 to the Eastern District of New York, is awaiting trial.

Concurrent with the unsealing of the superseding indictment, the U.S. Department of State's Transnational Organized Crime (TOC) Rewards Program is offering a reward of up to $11 million for information leading to the arrest and/or conviction or location of Tymoshchuk or his conspirators.

Anyone with information on these malicious cyber actors, or associated individuals or entities, should contact the FBI via phone at +1-917-242-1407 or by email at [email protected]. If you are in the United States, you can also contact the local FBI field office. If outside the United States, you can visit the nearest U.S. embassy. More information about this TOC reward offer is located on the State Department website.

The government's case is being handled by the Office's National Security and Cybercrime Section. Assistant United States Attorneys Alexander F. Mindlin and Ellen H. Sise, along with Trial Attorney Brian Mund of the Justice Department's Computer Crime and Intellectual Property Section, are in charge of the prosecution, with assistance from Paralegal Specialist Rebecca Roth.

The Justice Department's Office of International Affairs provided critical assistance in this case, as did the FBI's Legal Attachés abroad and authorities in France, Czech Republic, Germany, Lithuania, Luxembourg, Netherlands, Norway, Romania, Switzerland, and Ukraine, as well as Europol and Eurojust via the Criminal Division's International Computer Hacking and Intellectual Property (ICHIP) The Hague.

The Defendants:

VOLODYMYR VIKTOROVYCH TYMOSHCHUK (also known as "deadforz," "Boba," "msfv," and "farnetwork")
Age: 28
Kiev, Ukraine

ARTEM ALEKSANDROVYCH STRYZHAK
Age: 35
Barcelona, Spain

E.D.N.Y. Docket No. 23-CR-324 (PKC)

23-cr-324_-_superseding_indictment.pdf
Contact

John Marzulli
Denise Taylor
United States Attorney's Office
(718) 254-6323

Updated September 9, 2025
United States Attorney's Office for the Eastern District of New York published this content on September 09, 2025, and is solely responsible for the information contained herein. Distributed via Public Technologies (PUBT), unedited and unaltered, on September 09, 2025 at 15:48 UTC.