
ZATAZ » Tymoshchuk, alleged mastermind of LockerGoga wanted by the United States

Service Com'


A Ukrainian national is accused of running several ransomware strains responsible for hundreds of attacks in Europe and the United States. Washington is offering $11M (≈ €10.2M) for his capture.

Washington accuses a Ukrainian citizen of managing the LockerGoga, MegaCortex, and Nefilim ransomware, used between 2018 and 2021 to hit hundreds of companies and infrastructure targets. The man, still on the run, is the subject of an international warrant and a multimillion-dollar reward. These malware strains crippled major industries, including Norsk Hydro. The U.S. Department of Justice highlights the scale of the damage—over $104M (≈ €96.7M) for LockerGoga alone—and the sophistication of the teams involved. Behind the numbers lies a criminal strategy of industrialized digital extortion, raising concerns for cybersecurity agencies and fueling renewed transatlantic law enforcement cooperation.

An administrator accused of industrializing digital extortion

The New York federal court has unsealed an indictment dated May 2024 targeting Volodymyr Viktorovich Tymoshchuk, also known as “deadforz,” “Boba,” “msfv,” or “farnetwork.” Between 2018 and 2021, he allegedly managed several ransomware families used to extort more than 250 victims in the U.S. and hundreds more across Europe.
According to the indictment, these operations caused millions in damages and completely shut down certain industrial and hospital activities until data was restored or ransoms were paid. U.S. Attorney Joseph Nocella Jr. described him as a “repeat ransomware criminal,” primarily targeting American companies, healthcare facilities, and industries.

LockerGoga remains linked to the high-profile attack on Norsk Hydro in 2019, which crippled part of Norway’s aluminum production. The strain also hit Altran in France and chemical giants Hexion and Momentive. Prosecutors emphasize that Tymoshchuk systematically created new variants whenever a decryption tool became available, prolonging the malware’s destructive power.

An international manhunt and public decryptors

U.S. authorities have filed multiple charges: two counts of conspiracy to commit fraud, three counts of intentional damage to a protected computer, one count of unauthorized access, and one count of threatening to disclose confidential data.
The FBI notes that some attacks were foiled thanks to timely alerts sent to compromised companies. Europol and several European countries had already arrested twelve suspects in October 2021 during a large joint operation targeting LockerGoga and MegaCortex. In 2023, additional arrests dismantled part of the criminal network.
Meanwhile, free decryptors have been released: one for LockerGoga in 2022 via the “No More Ransomware” project, and another for MegaCortex in early 2023. According to Bitdefender, MegaCortex was operated by a structured group exploiting known vulnerabilities or pre-existing infections (Emotet, Qakbot).

Rewards, cooperation, and the evolution of organized cybercrime

Tymoshchuk remains at large. The U.S. State Department is offering $11M (≈ €10.2M) for any information leading to his arrest. Authorities specify they are also seeking possible accomplices tied to the Nefilim, LockerGoga, and MegaCortex strains.
The FBI underlines that the attacks explicitly aimed to disrupt operations until ransom was paid. This extortion logic, industrialized and deployed in successive waves of malware, illustrates the professionalization of cybercrime.
In parallel, U.S. authorities announced the conviction of Liridon Masurica, a 33-year-old Kosovar who ran the forum BlackDB.cc between 2018 and 2025. The platform sold compromised accounts, server credentials, and bank card data, enabling tax fraud and identity theft. Arrested in December 2024 and extradited to the U.S., he faces up to ten years in prison.

Western authorities are multiplying arrests and technical cooperation, but Tymoshchuk’s escape highlights the resilience of ransomware networks. The question remains: will rewards and coordinated operations be enough to curb a criminal model that has gone transnational? [ZATAZ News English version]


