Mikhail Pavlovich Matveev, a key actor in the Russian ransomware ecosystem, has been charged by the US Department of Justice (DOJ) with using three different ransomware variants to attack numerous victims throughout the US. Law enforcement agencies in Washington, D.C. and New Jersey were attacked, including other nationwide targets in healthcare and other sectors.
Matveev, who is also known online as Wazawaka, m1x, Boriselcin, and Uhodiransomwar, has been a central figure in the development and deployment of the ransomware variants Hive, LockBit, and Babuk, and more.
“The FBI will continue to impose costs on cyber adversaries through our joint collaboration with our private sector and international partners, and we will not tolerate these criminal acts against American citizens.”
Bryan Vorndran, Assistant Director, FBI Cyber Division
Matveev is alleged to have participated in conspiracies to deploy the three ransomware variants from 2020. He transmitted ransom demands with each of them. Along with accomplices, he managed to attack thousands of victims globally. Law enforcement and other government agencies, hospitals, and schools were all targeted in the attacks. The alleged total amount of ransom payments made by the groups adds up to as much as $400m.
“From his home base in Russia, Matveev allegedly used multiple ransomware variants to attack critical infrastructure around the world, including hospitals, government agencies, and victims in other sectors,” said Assistant Attorney General Kenneth A Polite, Jr of the Justice Department’s Criminal Division. “These international crimes demand a coordinated response.”
Police department attacked
In one of the attacks, the Metropolitan Police Department in Washington was targeted in April 2021. Allegedly, Matveev and his Babuk co-conspirators deployed the Babuk ransomware against the force, and then threatened to make sensitive information public unless a payment was made.
The police force refused to meet the blackmail demands, and therefore suffered a massive leak of internal data. Information that included home addresses, cellphone numbers, financial data, medical histories, personal details of police officers, and sensitive information about gangs, suspects of crimes, and witnesses. Experts said the attack was the “worst known ransomware attack ever to hit a US police department,” according to AP News.
“Ransomware actors like Matveev will be held accountable for their crimes, and we will continue to use all available authorities and tools to defend against cyber threats.”
Brian E Nelson, Under Secretary of the Treasury for Terrorism and Financial Intelligence
Matveev, who has been vocal on his actions, said that the attack was performed by an affiliate, but claimed responsibility for posting the police department’s stolen data online. “I just blocked this affiliate and started uploading the data to the blog,” Matveev said.
LockBit, Babuk, and Hive ransomware groups
- LockBit first appeared around January 2020. Over 1,400 attacks have been made against victims in the US and around the world, issuing over $100m in ransom demands and receiving over $75m in ransom payments.
- Babuk first appeared around December 2020. Babuk actors have executed over 65 attacks against victims globally, issuing over $49m in ransom demands and receiving $13m.
- Hive has targeted more than 1,400 victims around the world since June 2021, and has received $120m in ransom payments.
Sanctions implications
The US Department of the Treasury’s Office of Foreign Assets Control (OFAC) has also announced its own actions against Metveev, and is designating the defendant for his role in the attacks.
“The United States will not tolerate ransomware attacks against our people and our institutions,” said Under Secretary of the Treasury for Terrorism and Financial Intelligence Brian E Nelson. “Ransomware actors like Matveev will be held accountable for their crimes, and we will continue to use all available authorities and tools to defend against cyber threats.”
Under OFAC’s sanctions, all US-based property and interests in property held by Matveev must be frozen, and US persons and entities are prevented from doing business with him in the future. The designation also includes ransom payments, which means that victims who do pay Matveev could be subject to fines or other regulatory action from the US government.
$10m award
For his actions, Matveev has been charged with conspiring to transmit ransom demands, conspiring to damage protected computers, and intentionally damaging protected computers. He faces over 20 years in prison if he’s convicted.
In addition to the DOJ’s charges, an award of up to $10m for information that leads to the arrest and/or conviction of Matveev has been announced by the Department of State.
Bryan Vorndran, Assistant Director of the FBI’s Cyber Division said: “The FBI will continue to impose costs on cyber adversaries through our joint collaboration with our private sector and international partners, and we will not tolerate these criminal acts against American citizens.”
According to the Financial Trend Analysis from The Financial Crimes Enforcement Network (FinCEN), Russia and its proxies were linked to almost 75% percent of ransomware-related incidents between July and December 2021.