The United States government has announced an $11 million reward for information leading to the arrest of Volodymyr Tymoshchuk, a Ukrainian national accused of masterminding several high-profile ransomware operations. Authorities allege that Tymoshchuk played a leading role in cyberattacks that collectively extorted more than $18 billion over three years.
Federal Charges and Ransomware Campaigns
According to U.S. prosecutors, Tymoshchuk is the central figure behind the MegaCortex, LockerGoga, and Nefilim ransomware campaigns, which were active between December 2018 and October 2021.
- MegaCortex, first detected in 2019, was designed to lock Windows accounts, encrypt files, and threaten to leak sensitive data unless ransom demands were met.
- LockerGoga gained notoriety after its devastating attack on Norsk Hydro, a Norwegian renewable energy company, which suffered an estimated $81 million in damages across 170 global sites.
- After 2020, Tymoshchuk allegedly shifted focus to Nefilim ransomware, which targeted large corporations and demanded multimillion-dollar payments. Prosecutors say Tymoshchuk earned a 20% commission from each successful Nefilim attack by selling access to affiliates.
Justice Department Statement
U.S. Attorney Joseph Nocella Jr. described Tymoshchuk as a “serial ransomware criminal” who deliberately targeted blue-chip U.S. corporations, healthcare institutions, and foreign industrial firms.
“For years, the defendant evaded authorities by continually deploying new ransomware strains whenever the old ones were neutralized,” Nocella said. “Today’s indictment demonstrates international cooperation to identify and charge a dangerous ransomware actor who can no longer hide behind anonymity.”
Charges and Potential Sentence
An unsealed indictment lists seven counts against Tymoshchuk, including:
- Intentional damage to private computer systems
- Threats to disclose confidential data
If convicted on all counts, Tymoshchuk could face a maximum sentence of life imprisonment in the U.S.
Attack Strategies
Investigators revealed that Tymoshchuk and his co-conspirators abused legitimate security tools such as Metasploit and Cobalt Strike to infiltrate victim networks. Attackers often maintained undetected access for months before launching their ransomware payloads.
- MegaCortex eventually spread beyond corporate targets in late 2019, infecting vulnerable individual PCs.
- Nefilim, on the other hand, focused exclusively on corporations valued at $100 million or higher, though some reports suggested the group targeted billion-dollar firms.
Links to Co-Defendants
Tymoshchuk is connected to Artem Stryzhak, another Ukrainian national already extradited to the U.S. to face trial on related charges. If extradited, Tymoshchuk will likely face a difficult legal battle in the American judicial system.
