View all newsletters
Receive our newsletter - data, insights and analysis delivered to you

US puts $10m bounty on Russian linked to LockBit, Hive and Babuk ransomware gangs

The man is said to be a key player in the Russian ransomware ecosystem, and faces charges in the US.

By Claudia Glover

A Russian national has been charged by the US Department of Justice (DoJ) with using ransomware from prolific cybercrime gangs LockBit, Hive and Babuk. The FBI is offering a $10m reward for information on Mikhail Pavlovich Matveev’s whereabouts, describing him as a “key actor in the Russian ransomware ecosystem”.

The US Justice Department has charged a Russian national in relation to three prolific ransomware gangs. (Photo by JHVEPhoto/Shutterstock)

According to a statement released by the DoJ, the three gangs combined have amassed a total of $200m from their victims, which include private companies, public sector organisations and critical national infrastructure providers in the US, UK and Europe.

Charges filed over LockBit, Hive and Babuk ransomware deployment

The DoJ has unsealed two indictments charging Matveev with using the three ransomware variants to attack victims throughout the US. The defendant is deemed to be a “key actor in the Russian ransomware ecosystem”. 

The three variants belong to notorious Ransomware-as-a-Service (RaaS) gangs LockBit, Hive and Babuk, and Matveev is a cybercriminal who appears to be working between all three of them. 

From as early as 2020 Matveev, known online under the aliases Wazawaka, Boriselcin, Uhodiransomwar and m1x, has “allegedly participated in conspiracies to deploy” ransomware variants belonging to the above gangs. 

Throughout this time the gangs demanded around $400m from their victims, obtaining a total of $200m throughout the attacks.

“From his home base in Russia, Matveev allegedly used multiple ransomware variants to attack critical infrastructure around the world, including hospitals, government agencies, and victims in other sectors,” said assistant attorney general Kenneth A. Polite, Jr. of the Justice Department’s criminal division. “These international crimes demand a coordinated response. We will not relent in imposing consequences on the most egregious actors in the cybercrime ecosystem.”

Content from our partners
Scan and deliver
GenAI cybersecurity: "A super-human analyst, with a brain the size of a planet."
Cloud, AI, and cyber security – highlights from DTX Manchester

The whereabouts of Matveev are currently unknown, however. The FBI and the State Department have posted the reward for any information leading to his arrest or conviction.

“The FBI is steadfast in our commitment to disrupting cybercriminals like Matveev,” said assistant director Bryan Vorndran of the FBI’s Cyber Division. “The bureau will continue to impose costs on cyber adversaries through our joint collaboration with our private sector and international partners, and we will not tolerate these criminal acts against American citizens.”

LockBit, Hive and Babuk

Matveev has been vocal online for a while about his illicit ransomware activities. In February 2022 he began posting videos of himself taunting security researchers and journalists, posting code for a widely used virtual private networking appliance on Twitter. 

Under his Wazawaka alias, Matveev has been a highly active member of multiple cybercrime forums over the past decade. Wazawaka has worked with at least two different ransomware affiliate programs, including LockBit. In online posts, Wazawaka said LockBit had paid him roughly $500,000 in commissions for the six months leading up to September 2020.

The trio of gangs have regularly held Western organisations to ransom over the past three years. LockBit has been particularly aggressive towards critical national infrastructure in the UK, having hit both the Royal Mail and the National Health Service (NHS) within the past year. 

Hive has hit numerous schools in the UK, asking for sums as high as £500,000, as well as critical national infrastructure further afield, including the Indonesian gas giant Perusahaan Gas Negara (PNG). The group’s online infrastructure was seized by the FBI in January of this year. 

Matveev and his Babuk co-conspirators allegedly deployed Babuk ransomware against the Metropolitan Police Department in Washington DC in April 2021. The gang’s source code was released by a malicious insider of the gang in September of the same year, however, at which point the cybercrime group became less active.

It has made the headline again recently when it was revealed up to ten ransomware gangs are using the leaked source code to create their own cyber weaponry. 

Read more: North Korea has stolen cryptocurrency worth $721m from Japan in the last five years

Topics in this article :
Websites in our network
Select and enter your corporate email address Tech Monitor's research, insight and analysis examines the frontiers of digital transformation to help tech leaders navigate the future. Our Changelog newsletter delivers our best work to your inbox every week.
  • CIO
  • CTO
  • CISO
  • CSO
  • CFO
  • CDO
  • CEO
  • Architect Founder
  • MD
  • Director
  • Manager
  • Other
Visit our privacy policy for more information about our services, how Progressive Media Investments may use, process and share your personal data, including information on your rights in respect of your personal data and how you can unsubscribe from future marketing communications. Our services are intended for corporate subscribers and you warrant that the email address submitted is your corporate email address.