Russian national indicted for ransomware attacks against the US

Russian national, Mikhail Pavlovich Matveev, has been charged and indicted for launching ransomware attacks against thousands of victims in the US and across the world, the US Department of Justice (DoJ) said in a press release.

The US Department of State has also announced an award of up to $10 million for information that leads to the arrest and/or conviction of the Russian national.

“According to the indictment obtained in the District of New Jersey, from at least as early as 2020, Mikhail Pavlovich Matveev, aka Wazawaka, aka m1x, aka Boriselcin, aka Uhodiransomwar, allegedly participated in conspiracies to deploy three ransomware variants,” the DOJ said in a statement.

The three variants are LockBit, Babuk, and Hive, and Matveev transmitted ransom demands in connection with each. The three ransomware groups’ victims include law enforcement and other government agencies, hospitals, and schools.

Matveev is charged with conspiring to transmit ransom demands, conspiring to damage protected computers, and intentionally damaging protected computers. If convicted, he faces over 20 years in prison.

$400 million demanded in ransom

Total ransom demands allegedly made by the members of these three global ransomware campaigns from their victims amount to as much as $400 million. While total victim ransom payments amount to as much as $200 million, the DOJ said. 

The LockBit ransomware variant first appeared in January 2020. Threat actors behind the LockBit ransomware have executed over 1,400 attacks against victims in the US and around the world, demanding over $100 million in ransom and receiving over $75 million in ransom payments.

 “On or about June 25, 2020, Matveev and his LockBit coconspirators allegedly deployed LockBit ransomware against a law enforcement agency in Passaic County, New Jersey,” the DOJ said.

The Babuk ransomware variant first appeared around December 2020. Babuk actors executed over 65 attacks against victims in the US and around the world, demanding over $49 million in ransom demands and receiving as much as $13 million in ransom payments.

“On April 26, 2021, Matveev and his Babuk coconspirators allegedly deployed Babuk against the Metropolitan Police Department in Washington, DC,” the DOJ said. 

Since June 2021, the Hive ransomware group has targeted more than 1,400 victims around the world and received as much as $120 million in ransom payments. 

“On or about May 27, 2022, Matveev and his Hive coconspirators allegedly deployed Hive against a nonprofit behavioral healthcare organization headquartered in Mercer County, New Jersey,” the DOJ said. 

The LockBit, Babuk, and Hive ransomware variants operate in the same manner. First, the ransomware actors identify and unlawfully access vulnerable computer systems, either through their own hacking or by purchasing stolen access credentials from others.

Then the threat actors would deploy the ransomware variant within the victim’s computer system, allowing the actors to encrypt and steal data. After this, the actors send a ransom note to the victim demanding payment in exchange for decrypting the victim’s data or refraining from sharing it publicly. If a victim does not pay, ransomware actors would often post that victim’s data on their data leak site.

Focus on Russia

Russia is a haven for ransomware actors, enabling cybercriminals like Matveev to engage openly in ransomware attacks against US organizations, according to a release by the US Department of the Treasury. 

About 75% of ransomware-related incidents reported between July and December 2021 were linked to Russia, its proxies, or persons acting on its behalf, according to Treasury’s Financial Crimes Enforcement Network. 

“The United States will not tolerate ransomware attacks against our people and our institutions,” Secretary of the Treasury for Terrorism and Financial Intelligence Brian E Nelson, said in a press note.

“Ransomware actors like Matveev will be held accountable for their crimes, and we will continue to use all available authorities and tools to defend against cyber threats,” Nelson added.