CyberSecurity news

FlagThis - #lockbit

@www.justice.gov - 71d
The US Department of Justice has unsealed charges against Rostislav Panev, a dual Russian-Israeli national, for his alleged role as a developer within the LockBit ransomware group. Panev is accused of writing software the group used to disable antivirus programs, spread malware across victim networks, and generate ransom notes. The charges follow a multi-year investigation into the group, which emerged in 2019 and has since targeted over 2,500 victims across 120 countries, extracting over $500 million in ransom payments. Panev was arrested in Israel in August 2024 and is awaiting extradition to the US.

The complaint against Panev alleges that he developed and maintained the digital tools LockBit used to carry out its attacks. Authorities found administrator credentials for LockBit's infrastructure on his computer, along with source code for the group's ransomware. LockBit operates on a Ransomware-as-a-Service model: developers like Panev build the tooling, and affiliates carry out the intrusions and deploy it. Although law enforcement disrupted part of LockBit's infrastructure in February, the group relaunched soon afterwards, and many affiliates remain at large.

Recommended read:
References :
  • CyberInsider: LockBit Ransomware Developer Indicted in the U.S.
  • malware.news: US charges Israeli-Russian national with making software for LockBit ransomware gang
  • therecord.media: US unseals complaint against Russian-Israeli accused of working for LockBit
  • www.justice.gov: US charges dual Russian and Israeli national developer for LockBit ransomware group
  • Threats | CyberScoop: Justice Department unveils charges against alleged LockBit developer
  • Bloomberg Technology: The US charges dual Russian and Israeli national Rostislav Panev for allegedly working with the LockBit ransomware group and seeks his extradition from Israel
  • Osint10x: LockBit Developer Rostislav Panev Charged for Billions in Global Ransomware Damages
  • Techmeme: Techmeme report on Lockbit developer arrest.
  • techcrunch.com: Third member of LockBit ransomware gang has been arrested
  • The Verge: US reveals charges against alleged LockBit ransomware developer
  • BleepingComputer: The US Department of Justice has charged a Russian-Israeli dual-national for his suspected role in developing malware and managing the infrastructure for the notorious LockBit ransomware group.
  • www.bleepingcomputer.com: BleepingComputer article on US charges against LockBit ransomware coder
  • The Hacker News: The Hacker News reports on the charges against LockBit developer Rostislav Panev.
  • Techmeme: The US charges dual Russian and Israeli national Rostislav Panev for allegedly working with the LockBit ransomware group and seeks his extradition from Israel
  • bsky.app: LockBit ransomware developer Rostislav Panev has been charged in the U.S. for creating tools behind BILLIONS in global damages
  • Security Affairs: US charged Dual Russian and Israeli National as LockBit Ransomware developer
  • aboutdfir.com: Suspected LockBit dev, facing US extradition, ‘did it for the money’ An alleged LockBit ransomware developer is in custody in Israel and awaiting extradition to the United States. Israeli law enforcement arrested Rostislav Panev, 51, a dual Russian and Israeli national, in August at the request of the US.
  • Help Net Security: The US Department of Justice has unsealed charges against Rostislav Panev, 51, a dual Russian and Israeli national, suspected of being a developer for the LockBit ransomware group. Panev was arrested in August 2024 and is currently in custody in Israel pending extradition.
  • ciso2ciso.com: US charged Dual Russian and Israeli National as LockBit Ransomware developer
  • www.helpnetsecurity.com: US charges suspected LockBit ransomware developer.

@cyberinsider.com - 13d
Dutch Police have dismantled the ZServers/XHost bulletproof hosting operation, seizing 127 servers. The takedown follows a year-long investigation into the network, which cybercriminals used as infrastructure for malware distribution, botnet command-and-control, and other attacks.

Earlier this week, authorities in the United States, Australia, and the United Kingdom announced sanctions against the same bulletproof hosting provider for its involvement in cybercrime operations. According to The Record, ZServers was accused of facilitating LockBit ransomware attacks and of helping the criminals launder their proceeds. The Cybercrime Team Amsterdam will carry out a further forensic examination of the seized servers, because the company advertised that customers could conduct criminal activity from its servers while remaining anonymous to law enforcement.

Recommended read:
References :
  • cyberinsider.com: Police Dismantle Bulletproof Hosting Provider ZServers/XHost
  • gbhackers.com: Dutch Authorities Dismantle Network of 127 Command-and-Control Servers
  • www.bleepingcomputer.com: The Dutch Police (Politie) dismantled the ZServers/XHost bulletproof hosting operation after taking offline 127 servers used by the illegal platform.
  • www.scworld.com: Zservers/XHost servers dismantled by Dutch police
  • Metacurity: Dutch cops dismantle ZServers bulletproof hosting operation
  • DataBreaches.Net: Dutch Police seizes 127 XHost servers, dismantles bulletproof hoster
  • www.politie.nl: Politie Amsterdam ontmantelt digitaal crimineel netwerk; 127 servers offline gehaald (Amsterdam police dismantle digital criminal network; 127 servers taken offline) - "an investigation of over a year, dismantled a bulletproof hoster on the Paul van Vlissingenstraat in Amsterdam. During the raid on February 12, 127 servers were taken offline and seized."
  • Cybernews: After a year-long investigation, Amsterdam's Cybercrime Team shut down a bulletproof hosting provider, seizing 127 servers.
  • securityaffairs.com: Dutch Police shut down bulletproof hosting provider Zservers and seized 127 servers

Pierluigi Paganini@Security Affairs - 21h
References: securityaffairs.com, The420.in
The LockBit ransomware group has taunted newly appointed FBI Director Kash Patel with an alleged "birthday gift" of leaked classified documents. LockBitSupp, the persona behind the group's leadership, posted a message on February 25, 2025, mocking Patel and claiming the group holds sensitive data that could "destroy" the FBI. The claims are unverified, but the incident underlines the risk of data theft aimed at high-profile individuals and the agencies they lead.

The post, found on LockBit's dark leak blog, describes an "archive of classified information" containing over 250 folders of materials dating back to May 29, 2024. This stolen data is presented as a "guide, roadmap, and some friendly advice" to the new FBI Director. The ransomware cartel's actions represent a bold threat, highlighting the increasing sophistication and audacity of cybercriminals targeting government entities and their leadership.

Recommended read:
References :
  • securityaffairs.com: LockBit taunts FBI Director Kash Patel with alleged “Classified” leak threat
  • The420.in: LockBit Targets FBI Director with Alleged Classified Leak
  • iHLS: In a chilling message posted on February 25, 2025, the alleged leader of the notorious LockBit ransomware group, LockBitSupp, issued a disturbing “birthday gift” to Kash Patel, the newly appointed Director of the FBI.

Cybereason Security Services Team@Blog - 28d
The Phorpiex botnet, previously known for spam campaigns and cryptocurrency mining, has been observed distributing LockBit Black ransomware, also known as LockBit 3.0. This marks a shift in the botnet's operations towards fully automated ransomware deployment via compromised websites and phishing emails. The chain starts with a phishing email carrying a malicious SCR (Windows screensaver executable) attachment. When the file is executed, it connects to a command-and-control server, downloads the LockBit binary, and runs the ransomware payload, which begins encrypting files immediately.

Unlike hands-on-keyboard ransomware operations, in which human operators attempt lateral movement before deploying the payload, this variant executes LockBit immediately on the initial host, reducing the attack's footprint and leaving defenders a much shorter window to detect it. Phorpiex and LockBit combine several evasion techniques, such as deleting URL cache entries, obfuscating function calls, and stripping the Zone.Identifier alternate data stream so the downloaded binary no longer carries a Mark-of-the-Web, with Windows registry modifications that ensure the ransomware runs automatically. The campaign illustrates a growing trend of botnets being repurposed as ransomware delivery platforms.
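The delivery chain described above (a screensaver executable launched from a user-writable directory, an outbound C2 connection, an executable dropped to disk, and a registry change for auto-run) is visible in endpoint telemetry even when each step on its own looks mundane. The following correlation script is an added example for this page, not code from Cybereason or from the Phorpiex/LockBit campaign; it runs over constructed Sysmon-style events (the process GUIDs, paths, and the 198.51.100.7 address are placeholders) and assumes, as an illustration of "modifying the Windows registry", that the auto-run is set via a Run/RunOnce key. Child processes are folded into the chain of the SCR that spawned them, and an alert fires only when enough stages of the chain are present within a time window.

```python
"""
Correlate a Phorpiex-style SCR -> C2 -> dropped payload -> auto-run chain
from flattened Sysmon-like events. Added example; event data is constructed.

Event IDs follow Sysmon: 1 = ProcessCreate, 3 = NetworkConnect,
11 = FileCreate, 13 = RegistryValueSet.
Record format: ts|event_id|process_guid|parent_guid|image|target
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Optional

# Constructed sample telemetry (not real campaign data). {A1} is the phishing
# attachment, {B2} the payload it drops, {C3} a benign screensaver that only
# phones home, so it must not produce an alert.
SAMPLE_LOG = """\
2025-02-10T09:00:01|1|{A1}|{P0}|C:\\Users\\bob\\AppData\\Local\\Temp\\invoice_2024.scr|
2025-02-10T09:00:03|3|{A1}||C:\\Users\\bob\\AppData\\Local\\Temp\\invoice_2024.scr|198.51.100.7:80
2025-02-10T09:00:05|11|{A1}||C:\\Users\\bob\\AppData\\Local\\Temp\\invoice_2024.scr|C:\\Users\\bob\\AppData\\Local\\Temp\\lb.exe
2025-02-10T09:00:06|1|{B2}|{A1}|C:\\Users\\bob\\AppData\\Local\\Temp\\lb.exe|
2025-02-10T09:00:07|13|{B2}||C:\\Users\\bob\\AppData\\Local\\Temp\\lb.exe|HKU\\S-1-5-21-1\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\lb
2025-02-10T09:30:00|1|{C3}|{P0}|C:\\Users\\bob\\Downloads\\holiday.scr|
2025-02-10T09:30:02|3|{C3}||C:\\Users\\bob\\Downloads\\holiday.scr|192.0.2.5:443
"""

USER_WRITABLE = ("\\appdata\\local\\temp\\", "\\appdata\\roaming\\", "\\downloads\\")
# Assumption for this example: auto-run is achieved through a Run/RunOnce value.
RUN_KEYS = ("\\software\\microsoft\\windows\\currentversion\\run",
            "\\software\\microsoft\\windows\\currentversion\\runonce")
STAGES = {1: "scr_from_user_dir", 3: "c2_connect", 11: "exe_drop", 13: "run_key_persist"}


@dataclass
class Event:
    ts: datetime
    event_id: int
    pguid: str
    parent_pguid: str
    image: str
    target: str  # destination address, created file, or registry value path


def parse_log(text: str) -> List[Event]:
    """Parse the flat pipe-separated records into Event objects."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, eid, guid, parent, image, target = line.split("|", 5)
        events.append(Event(datetime.fromisoformat(ts), int(eid), guid, parent, image, target))
    return events


def _in_user_dir(path: str) -> bool:
    return any(m in path.lower() for m in USER_WRITABLE)


def _is_run_key(path: str) -> bool:
    return any(m in path.lower() for m in RUN_KEYS)


def _is_executable(path: str) -> bool:
    return path.lower().endswith((".exe", ".dll", ".scr"))


def correlate(events: List[Event], window: timedelta = timedelta(minutes=10)) -> Dict[str, dict]:
    """Group events under the SCR process that started each chain.

    Returns {root_guid: {"image": str, "started": datetime, "stages": set}}.
    """
    parent_of = {e.pguid: e.parent_pguid for e in events if e.event_id == 1}
    chains: Dict[str, dict] = {}

    def root_of(guid: str) -> Optional[str]:
        # Walk up the parent chain until we hit a known SCR root (or run out).
        seen = set()
        while guid in parent_of and guid not in chains and guid not in seen:
            seen.add(guid)
            guid = parent_of[guid]
        return guid if guid in chains else None

    for e in sorted(events, key=lambda x: x.ts):
        if e.event_id == 1 and e.image.lower().endswith(".scr") and _in_user_dir(e.image):
            chains[e.pguid] = {"image": e.image, "started": e.ts, "stages": {STAGES[1]}}
            continue
        root = root_of(e.pguid)
        if root is None or e.ts - chains[root]["started"] > window:
            continue
        stages = chains[root]["stages"]
        if e.event_id == 3 and e.target:
            stages.add(STAGES[3])
        elif e.event_id == 11 and _is_executable(e.target):
            stages.add(STAGES[11])
        elif e.event_id == 13 and _is_run_key(e.target):
            stages.add(STAGES[13])
    return chains


def alerts(chains: Dict[str, dict], min_stages: int = 3) -> Dict[str, List[str]]:
    """Alert on chains that reached at least min_stages distinct stages."""
    return {g: sorted(c["stages"]) for g, c in chains.items() if len(c["stages"]) >= min_stages}


if __name__ == "__main__":
    for guid, stages in alerts(correlate(parse_log(SAMPLE_LOG))).items():
        print(f"ALERT {guid}: {', '.join(stages)}")
```

The threshold of three stages is what keeps the benign screensaver in the sample quiet: it satisfies only "SCR from a user directory" and "outbound connection", whereas the phishing attachment reaches all four. In a real deployment the stage-3 check would be combined with destination reputation, and the stage-1 check widened to cover other executable attachment types that arrive by mail.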

Recommended read:
References :
  • cyberpress.org: Phorpiex botnet Host on Hacked Website to Launch LockBit Ransomware on Windows
  • securityonline.info: Phorpiex Botnet Now Deploying LockBit Ransomware in Automated Attacks
  • Virus Bulletin: Cybereason's Mahadev Joshi & Masakazu Oku investigate the Phorpiex botnet, which has been used to deliver and execute LockBit Black Ransomware (a.k.a. LockBit 3.0).
  • Blog: Cybereason's Mahadev Joshi & Masakazu Oku investigate the Phorpiex botnet, which has been used to deliver and execute LockBit Black Ransomware (a.k.a. LockBit 3.0).