A Russian national has been charged by the US Department of Justice (DoJ) with using ransomware from prolific cybercrime gangs LockBit, Hive and Babuk. The FBI is offering a $10m reward for information on Mikhail Pavlovich Matveev’s whereabouts, describing him as a “key actor in the Russian ransomware ecosystem”.
According to a statement released by the DoJ, the three gangs combined have amassed a total of $200m from their victims, which include private companies, public sector organisations and critical national infrastructure providers in the US, UK and Europe.
Charges filed over LockBit, Hive and Babuk ransomware deployment
The DoJ has unsealed two indictments charging Matveev with using the three ransomware variants to attack victims throughout the US. The defendant is deemed to be a “key actor in the Russian ransomware ecosystem”.
The three variants belong to notorious Ransomware-as-a-Service (RaaS) gangs LockBit, Hive and Babuk, and Matveev is a cybercriminal who appears to be working between all three of them.
From as early as 2020 Matveev, known online under the aliases Wazawaka, Boriselcin, Uhodiransomwar and m1x, has “allegedly participated in conspiracies to deploy” ransomware variants belonging to the above gangs.
Over this period the gangs demanded around $400m from their victims and collected a total of $200m from the attacks.
“From his home base in Russia, Matveev allegedly used multiple ransomware variants to attack critical infrastructure around the world, including hospitals, government agencies, and victims in other sectors,” said assistant attorney general Kenneth A. Polite, Jr. of the Justice Department’s criminal division. “These international crimes demand a coordinated response. We will not relent in imposing consequences on the most egregious actors in the cybercrime ecosystem.”
Matveev’s whereabouts are currently unknown, however. The FBI and the State Department have posted the reward for any information leading to his arrest or conviction.
“The FBI is steadfast in our commitment to disrupting cybercriminals like Matveev,” said assistant director Bryan Vorndran of the FBI’s Cyber Division. “The bureau will continue to impose costs on cyber adversaries through our joint collaboration with our private sector and international partners, and we will not tolerate these criminal acts against American citizens.”
LockBit, Hive and Babuk
Matveev has been vocal online for a while about his illicit ransomware activities. In February 2022 he began posting videos of himself taunting security researchers and journalists, and posted code for a widely used virtual private networking appliance on Twitter.
Under his Wazawaka alias, Matveev has been a highly active member of multiple cybercrime forums over the past decade. Wazawaka has worked with at least two different ransomware affiliate programs, including LockBit. In online posts, Wazawaka said LockBit had paid him roughly $500,000 in commissions for the six months leading up to September 2020.
The trio of gangs have regularly held Western organisations to ransom over the past three years. LockBit has been particularly aggressive towards critical national infrastructure in the UK, having hit both the Royal Mail and the National Health Service (NHS) within the past year.
Hive has hit numerous schools in the UK, asking for sums as high as £500,000, as well as critical national infrastructure further afield, including the Indonesian gas giant Perusahaan Gas Negara (PGN). The group’s online infrastructure was seized by the FBI in January of this year.
Matveev and his Babuk co-conspirators allegedly deployed Babuk ransomware against the Metropolitan Police Department in Washington DC in April 2021. However, the gang’s source code was leaked by a malicious insider within the gang in September of the same year, after which the cybercrime group became less active.
Babuk made the headlines again recently when it was revealed that up to ten ransomware gangs are using the leaked source code to create their own cyber weaponry.