Paubox blog: HIPAA compliant email - easy setup, no portals or passcodes

US offers $10M for ransomware operator behind global healthcare attacks

Written by Farah Amod | September 23, 2025

Federal authorities have charged a Ukrainian national with administering three major ransomware operations that targeted US healthcare and global companies.

 

What happened

The U.S. Department of Justice has filed charges against Ukrainian national Volodymyr Viktorovich Tymoshchuk, alleging that he served as the administrator of several ransomware operations, including LockerGoga, MegaCortex, and Nefilim. These groups are linked to hundreds of cyberattacks across the U.S. and abroad between 2018 and 2021.

Operating under aliases such as “deadforz” and “farnetwork,” Tymoshchuk is accused of playing a central part in over 250 ransomware attacks in the US alone, including multiple healthcare institutions. The Department of State has announced a reward of up to $10 million for information leading to his arrest or conviction.

 

Going deeper

Between July 2019 and June 2020, the LockerGoga and MegaCortex variants were used in widespread attacks that disrupted operations, encrypted systems, and demanded ransom payments. A 2022 international law enforcement operation dismantled some of the infrastructure and released decryption keys through the No More Ransom Project, helping victims regain access to their files.

Tymoshchuk allegedly continued his activities through the Nefilim ransomware group from July 2020 to October 2021, causing millions in financial damage. As an administrator, he recruited affiliates and managed access to the tools used in attacks. Victims who refused to pay were threatened with public exposure via data leaks on the group’s Corporate Leaks website.

One Nefilim affiliate, Artem Stryzhak, was arrested in Spain in June 2024 and extradited to the US in April 2025. Prosecutors say he focused on large companies with annual revenues exceeding $100 million, with guidance from Nefilim leadership to target even larger firms. He was allowed to keep 80% of the ransom proceeds.

 

What was said

“Tymoshchuk is a serial ransomware criminal who targeted blue-chip American companies, health care institutions, and large foreign industrial firms,” said U.S. Attorney Joseph Nocella Jr. “He stayed ahead of law enforcement by rotating malware strains, but today’s charges demonstrate coordinated international efforts to unmask him.”

The State Department is also offering an additional $1 million for information leading to the conviction of other individuals involved in the ransomware operations, under the Transnational Organized Crime Rewards Program.

 

FAQs

What is the Transnational Organized Crime Rewards Program?

It’s a U.S. government initiative offering financial rewards for information leading to the arrest or conviction of individuals involved in major transnational crimes, including cybercrime and ransomware operations.

 

How do ransomware administrators differ from the hackers themselves?

Administrators like Tymoshchuk don’t always carry out the attacks directly—they recruit, equip, and manage the affiliates who do. They often provide the infrastructure and take a percentage of the ransom payments.

 

Why are healthcare organizations frequent ransomware targets?

Healthcare institutions typically have sensitive data and limited tolerance for system downtime, making them more likely to pay ransoms to restore operations quickly.

 

What are decryption keys, and why are they significant?

Decryption keys allow victims to unlock files that were encrypted during a ransomware attack. Law enforcement sometimes recovers these keys during operations, offering them to victims so they can recover data without paying the ransom.

 

Can ransomware actors still be prosecuted if they’re outside the US?

Yes, although it’s more complex. The U.S. can request international cooperation, issue indictments, and offer rewards. Arrests often occur when suspects travel to countries with extradition agreements.