A man has been charged in the United States for allegedly being the developer of the now-defunct LockBit ransomware-as-a-service (RaaS) operation.

Rostislav Panev, 51, was arrested in Israel earlier this August and is currently awaiting extradition, the U.S. Department of Justice (DoJ) said in a statement. 

Nicole M. Argentieri, principal deputy assistant attorney general head of the Justice Department’s Criminal Division, said the criminal complaint alleges that Panev developed malware and maintained the infrastructure for LockBit.

Superseding Complaint

According to the superseding complaint, documents filed in this and related cases, and statements made in court, Panev acted as a developer for the LockBit ransomware group from its inception in or around 2019 through at least February 2024. 

“Along with our domestic and international law enforcement partner actions to dismantle LockBit’s infrastructure, the Criminal Division has disrupted LockBit’s operations by charging seven of its key members (including affiliates, developers, and its administrator) and arresting three of these defendants — including Panev,” Argentieri said.

In interviews with Israeli authorities following his arrest in August, Panev admitted to having performed coding, development, and consulting work for the LockBit group and to having received regular payments in cryptocurrency for that work, consistent with the transfers identified by U.S. authorities.

In September, the UK’s National Crime Agency detailed how it was able to take control of LockBit, with head of cyber intelligence Will Lyne admitting that “there is more ransomware groups than ever now, as well as a range of sophistication.”

Code Development

Among the work that Panev admitted to having completed for the LockBit group was the development of code to disable antivirus software; to deploy malware to multiple computers connected to a victim network; and to print the LockBit ransom note to all printers connected to a victim network.

Panev also admitted to having written and maintained LockBit malware code and to having provided technical guidance to the LockBit group. He is the first major arrest linked to LockBit since the arrest of Mikhail Pavlovich Matveev earlier this month.

The news comes as a new locker malware, LockBit 4.0, was apparently announced for a February release.

Dark web screenshots apparently invited interested parties to “sign up and start your pentester billionaire journey in 5 minutes with us”. Although none of the links in the post were live, a countdown timer pointed to a ‘launch’ date of 3rd February 2025.

Ransomware Strain

Robert Fitzsimons, lead threat intelligence engineer at Searchlight Cyber, said: "We have observed LockBit teasing a LockBit 4.0 on its dark web site. It is hard to say at this point exactly what ‘LockBit 4.0’ entails, whether it is just a new dark web leak site for the group or whether there will be changes to the actual ransomware strain.

"It is worth noting that LockBit has already been through many iterations, its current branding is LockBit 3.0. It's therefore not surprising that LockBit is updating once again and - given the brand damage inflicted by the law enforcement action Operation Cronos earlier this year - there is clearly a motivation for LockBit to shake things up and re-establish its credentials, keeping in mind that the LockBit 3.0 site was hijacked and defaced by law enforcement.”

Fitzsimons said there has been a decrease in LockBit's victim output since Operation Cronos in February, but this post shows that it is still trying to attract affiliates and continue its operations.

Dan Raywood Senior Editor SC Media UK

Dan Raywood is a B2B journalist with more than 20 years of experience, including covering cybersecurity for the past 16 years. He has extensively covered topics from Advanced Persistent Threats and nation-state hackers to major data breaches and regulatory changes.

He has spoken at events including 44CON, Infosecurity Europe, RANT Conference, BSides Scotland, Steelcon and ESET Security Days.

Outside work, Dan enjoys supporting Tottenham Hotspur, managing mischievous cats, and sampling craft beers.