The U.S. Department of Justice has officially charged Ukrainian national Volodymyr Viktorovich Tymoshchuk for his significant role as the administrator of various notorious ransomware operations, including LockerGoga, MegaCortex, and Nefilim.
Criminal Profile and Ransomware Operations
Operating under aliases such as deadforz, Boba, msfv, and farnetwork, Tymoshchuk has been connected to ransomware attacks that have compromised hundreds of organizations, culminating in severe financial repercussions estimated in the millions. A superseding indictment unveiled today details these extensive criminal activities.
Between July 2019 and June 2020, Tymoshchuk and his accomplices are alleged to have infiltrated networks of over 250 companies across the United States and many additional global targets through LockerGoga and MegaCortex ransomware campaigns. In certain instances, swift alerts from law enforcement prevented the successful deployment of these ransomware attacks.
From July 2020 to October 2021, Tymoshchuk transitioned to an administrative role within the Nefilim ransomware operation, facilitating access for affiliates—including co-defendant Artem Aleksandrovych Stryzhak, who was extradited from Spain in April 2025—in exchange for a commission of 20 percent of the ransom.
Emerging Threats and Affiliations
In November 2023, cybersecurity firm Group-IB identified Tymoshchuk’s connections to several other ransomware groups, including JSWORM, Karma, Nokoyawa, and Nemty. Since April 2019, he has reportedly assisted in recruiting affiliates through multiple Russian-speaking hacker forums.
According to U.S. Attorney Joseph Nocella Jr., "Tymoshchuk is a serial ransomware criminal who has specifically targeted blue-chip American companies, healthcare institutions, and large foreign industrial firms," often threatening to leak sensitive information unless ransom demands were met. This led to significant operational disruptions as businesses struggled to recover encrypted data.
Global Response to Ransomware Threats
In September 2022, as part of a coordinated global initiative to dismantle such cybercrime syndicates, free decryptors for LockerGoga and MegaCortex ransomware were released through the "No More Ransomware Project." This initiative plays a critical role in enabling victims to recover their encrypted files without succumbing to ransom demands.
Charges and Rewards for Information
Tymoshchuk is facing multiple charges, including two conspiracy charges for computer fraud, three charges for damaging a protected computer, and charges related to unauthorized access and threats to disclose confidential information. Additionally, the U.S. Department of State’s Transnational Organized Crime (TOC) Rewards Program has announced a reward of up to $11 million for information that leads to the location, arrest, or conviction of Tymoshchuk or his associates.
Rising Cybersecurity Concerns
Recent findings reveal that 46% of environments experienced password breaches, a figure that has nearly doubled from 25% in the previous year. The implications of this surge in cybersecurity incidents underscore the pressing need for robust preventive measures.
For a comprehensive overview of current trends in prevention, detection, and data exfiltration, obtain the Picus Blue Report 2025. This essential resource provides detailed insights into the evolving landscape of cybersecurity challenges.