Russian hacker Mikhail Matveev was indicted and sanctioned by the United States on Tuesday for allegedly leading the Babuk cybercrime group and serving as a “major actor in the Russian ransomware ecosystem.”
Matveev was charged by federal prosecutors in New Jersey and Washington, D.C., with conspiring to deploy the LockBit, Babuk, and Hive ransomware families and with sending ransom demands in connection with each.
Matveev, alias “Wazawaka,” was added to the Treasury Department’s list of Specially Designated Nationals for “his role in launching cyberattacks against U.S. law enforcement, businesses, and critical infrastructure.” As is customary for top cybercrime suspects, the State Department has offered a reward of up to $10 million for information leading to his arrest or conviction.
According to the Treasury, “Matveev has been vocal about his illegal activities.” The designation adds: “He has provided insight into his cybercrimes in media interviews, disclosed exploit code to online criminals, and stated that his illicit activities will be tolerated by local authorities provided that he remains loyal to Russia.”
Cybersecurity researchers and journalists this year unearthed data tying Matveev to the Babuk group, whose ransomware source code was posted online in 2021 and spawned a number of clones, and his increasingly erratic conduct drew further attention to him.
In an interview published by The Record in August 2022, Matveev admitted to using several identities besides Wazawaka, including Babuk, BorisElcin, unc1756, and Orange. Journalist Brian Krebs had earlier identified him as Orange, the creator of the RAMP darknet forum dedicated to ransomware.
Babuk launched a series of ransomware attacks early in 2021, but by April of that year the group claimed it had switched to data theft and extortion after stealing more than 250GB of data from the Metropolitan Police Department in Washington, DC.
In an interview, Matveev said that he “did not carry out this attack” and that a Babuk associate had “carried out the attack in its entirety.”
The DoJ, however, states that “Matveev and his Babuk coconspirators allegedly deployed Babuk against the Metropolitan Police Department.” According to the indictment, he also used LockBit ransomware “against a nonprofit behavioral healthcare organization” in May 2022 and “against a New Jersey law enforcement agency” in June 2020.
Matveev, 31, is a resident of Kaliningrad, according to OFAC’s notice. One of his distinguishing traits is a missing left index finger, which he cut off after losing a bet.
Since Russia’s invasion of Ukraine began last year, the U.S. government has issued a steady stream of sanctions against Russian companies and individuals. Cryptomining companies and organizations tied to cybersecurity and disinformation activities are among the most recent designees.
Companies and individuals in the United States are barred from conducting any kind of business with entities blacklisted by the Office of Foreign Assets Control (OFAC). Since Russian cybercriminals are highly unlikely to conduct business in the United States, the sanctions are often largely symbolic.
In an interview, Matveev claimed he led an “ordinary life” in Russia and had never been contacted by the authorities. Unlike the United States, he said, “the FSB does not put up portraits on their website to say, look at me, I’m on the Cyber Most Wanted list.” He added: “I’m still confused as to what the Americans hope to accomplish.”
Matveev has been charged with conspiracy to transmit ransom demands, conspiracy to damage protected computers, and intentionally damaging protected computers. If convicted, which is highly doubtful given that he remains in Russia, he faces more than 20 years in prison. The U.S. Department of State has offered a reward of up to $10 million for information leading to the identification, arrest, and conviction of Matveev.
The Office of Foreign Assets Control (OFAC) of the U.S. Treasury Department also sanctioned the defendant, noting that “his illicit activities will be tolerated by local authorities provided that he remains loyal to Russia.” According to security journalist Brian Krebs, Matveev established the now-defunct Russian Anonymous Marketplace (RAMP) dark web forum under the alias “Orange.”
The ransomware-as-a-service (RaaS) model remains lucrative despite the flurry of law enforcement actions against the cybercrime ecosystem in recent years, because it gives affiliates high profit margins without requiring them to develop and maintain the software themselves. The financial mechanics of RaaS have also lowered the bar to entry for would-be attackers, who make use of the services provided by ransomware developers to launch attacks and keep most of the illicit proceeds for themselves.