U.S. Offers $10 Million Reward for Ransomware Operator Linked to LockerGoga, MegaCortex, and Nefilim

The U.S. government has announced a reward of up to $10 million for information leading to the arrest or conviction of Volodymyr Viktorovich Tymoshchuk, a 28-year-old Ukrainian national accused of playing a central role in multiple high-profile ransomware operations.

Tymoshchuk, also known by aliases such as Boba, Deadforz, Farnetwork, and Msfv, has been indicted for administering ransomware families that caused hundreds of millions of dollars in losses globally.

Background on the Indictment

According to a superseding indictment unsealed in May 2024, Tymoshchuk and his co-conspirators compromised the networks of over 250 U.S. organizations and hundreds more internationally. The victims included businesses and institutions in France, Germany, the Netherlands, Norway, and Switzerland.

The attackers customized ransomware executables for each victim, ensuring that only targeted decryption keys could unlock encrypted files. This approach maximized pressure on victims to pay ransoms.

The indictment further alleges that Tymoshchuk personally benefited from ransom proceeds, often reinvesting them in criminal partnerships.

Ransomware Families Involved

• LockerGoga (2019–2020): Known for paralyzing major European companies such as Norsk Hydro, this ransomware encrypted business-critical files, leading to large operational shutdowns.

• MegaCortex (2019–2020): Another enterprise-focused ransomware variant, often deployed alongside LockerGoga, designed for high-value targets.

• Nefilim (2020–2021): Tymoshchuk allegedly acted as an administrator, renting access to affiliates in exchange for 20% of ransom payments.

Victims were instructed to pay in cryptocurrency in exchange for a decryption tool. However, due to early intervention from law enforcement, many extortion attempts were neutralized before damage could be fully realized.

Global Impact and Response

The U.S. Department of Justice (DoJ) emphasized that the ransomware campaigns caused hundreds of millions of dollars in remediation costs, ransom payments, and damages to computer systems.

Although Tymoshchuk remains at large, law enforcement has achieved some successes. In 2024, Ukrainian national Artem Stryzhak, a Nefilim affiliate, was arrested in Spain and extradited to the United States.

Additionally, decryption keys for LockerGoga and MegaCortex were released publicly through the No More Ransom initiative, enabling many victims to recover their files without paying ransoms.

Rewards and Ongoing Investigations

Under the Transnational Organized Crime Rewards Program (TOCRP), the State Department is offering:

• Up to $10 million for information leading to Tymoshchuk’s arrest or conviction.

• Up to $1 million for details on other leaders of the LockerGoga, MegaCortex, and Nefilim operations.

This bounty highlights the U.S. government’s prioritization of dismantling ransomware networks that threaten global businesses and critical infrastructure.

Why This Matters

Ransomware remains one of the most disruptive forms of cybercrime. By targeting enterprise networks and encrypting critical data, attackers can paralyze industries, jeopardize livelihoods, and extract massive sums.

The Tymoshchuk case underscores the global reach of ransomware groups and the importance of international cooperation. It also illustrates the adaptability of cybercriminals, who evolve tactics across different ransomware families while maintaining financial and operational ties.

Organizations are reminded to:

• Implement robust backup and recovery strategies.

• Apply network segmentation and strong authentication.

• Stay informed of publicly available decryption tools.