
Ransomware developer who targeted healthcare extradited to U.S.

Court documents say Panev acted as a developer of the LockBit ransomware group, attacking healthcare and other industries.
By Jeff Lagasse, Editor

A dual Russian and Israeli national was extradited to the United States on charges that he was a developer of the LockBit ransomware group, according to the U.S. Department of Justice.

In August, Rostislav Panev, 51, was arrested in Israel, and late last week had an initial appearance before a U.S. magistrate judge. A trial is still pending.

WHAT'S THE IMPACT?

Court documents say Panev acted as a developer of the LockBit ransomware group from its inception in or around 2019 through at least February 2024. During that time, Panev and his LockBit co-conspirators allegedly grew LockBit into what was, at times, the most active and destructive ransomware group in the world.

The LockBit group attacked more than 2,500 victims in at least 120 countries around the world, including 1,800 in the U.S., the DOJ said. Their victims ranged from individuals and small businesses to multinational corporations, including hospitals, schools, nonprofit organizations, critical infrastructure, and government and law enforcement agencies.

LockBit's members allegedly extracted at least $500 million in ransom payments from their victims and caused billions of dollars in other losses, including lost revenue and costs from incident response and recovery, the DOJ said.

Its members included developers like Panev, who designed the LockBit malware code and maintained the infrastructure on which it operated. LockBit's other members, called "affiliates," allegedly carried out attacks and extorted ransom payments from victims. Developers and affiliates would then split the ransom payments that were extorted from victims.

At the time of Panev's arrest in Israel in August, law enforcement discovered on his computer administrator credentials for an online repository that was hosted on the Dark Web and stored source code for multiple versions of the LockBit builder, which allowed its affiliates to generate custom builds of the ransomware malware for particular victims.

On that repository, law enforcement also discovered source code for LockBit's StealBit tool, which helped LockBit affiliates exfiltrate data stolen through the attacks.

In interviews with Israeli authorities following his arrest in August, Panev admitted to having performed coding, development and consulting work for the LockBit group and to having received regular payments in cryptocurrency for that work. 

Among the work that Panev admitted to having completed for the LockBit group was the development of code to disable antivirus software; to deploy malware to multiple computers connected to a victim network; and to print the LockBit ransom note to all printers connected to a victim network.

Panev also admitted to having written and maintained LockBit malware code and to having provided technical guidance to the LockBit group.

THE LARGER TREND

As of October, 389 healthcare institutions in the U.S. were attacked with ransomware in 2024, which caused network shutdowns, offline systems, rescheduled appointments and delays in critical procedures, a Microsoft report found.

The report, which aggregated information from other reports and data sets, cited a Comparitech analysis showing that the attacks are costly – healthcare organizations lose up to $900,000 per day on downtime alone, the data showed.

According to a recent U.S. government interagency report cited by Microsoft, ransomware attacks have surged by 300% since 2015, largely because ransomware-as-a-service (RaaS) has lowered the barrier for entry for hackers who lack technical expertise, with other ransomware groups finding safe harbor in Russia.

Out of the 99 healthcare organizations that admitted to paying the ransom and disclosed the ransom paid, the median payment was $1.5 million, and the average payment was $4.4 million, according to the HIPAA Journal.

Jeff Lagasse is editor of Healthcare Finance News.
Email: jlagasse@himss.org
Healthcare Finance News is a HIMSS Media publication.