
U.S. Hits Alleged Key Ransomware Actor With Charges, Sanctions


The Department of Justice (DoJ) has charged Mikhail Pavlovich Matveev, a Russian national better known by his hacker handle Wazawaka, for allegedly acting as a key figure in the development and deployment of multiple ransomware families that have impacted critical infrastructure victims across the U.S.

According to the DoJ, since 2020 Matveev has used three well-known ransomware variants - LockBit, Babuk and Hive - to target law enforcement agencies such as the Metropolitan Police Department in Washington, D.C. and an agency in Passaic County, New Jersey, as well as victims among government agencies, hospitals (including a nonprofit behavioral healthcare organization) and schools. The ransom demands for these attacks have amounted to $400 million, and total victim payments have amounted to $200 million.

At the same time, the Treasury Department’s Office of Foreign Assets Control (OFAC) on Tuesday sanctioned Matveev for his alleged role in launching ransomware attacks. OFAC sanctions have previously been used by the U.S. to create headaches for cybercriminals like Trickbot or the individuals behind the Sodinokibi/REvil ransomware attacks by barring any dealings or transactions with U.S. entities.

“OFAC designations make it more difficult for threat actors like Matveev to collect ransom payments, because if there is even a hint that he is a sanctioned entity, reputable negotiation and payment firms will not authorize a ransom payment,” said Allan Liska, threat intelligence analyst at Recorded Future. “It can also make it more difficult for Matveev to launder any money he does collect. Having millions of dollars in cryptocurrency doesn't do you a lot of good if you can't spend it.”


The DoJ’s charges shed light on exactly how prevalent the LockBit, Hive and Babuk ransomware families are. LockBit, which first appeared in 2020, has executed 1,400 attacks against U.S. and global victims, asking for over $100 million in ransom demands and receiving $75 million in ransom payments. Hive has targeted over 1,400 victims globally and received as much as $120 million in ransom payments since June 2021. And Babuk, which first appeared in 2020, has been executed in over 65 attacks, with over $49 million in ransom demands and $13 million in ransom payments.

Matveev faces 20 years in prison if convicted on the DoJ’s charges, which include conspiring to transmit ransom demands, conspiring to damage protected computers and intentionally damaging protected computers. At the same time, the Department of State also posted a reward of up to $10 million for information leading to his arrest or conviction.

While the charges may not have an immediate impact, since Matveev resides in Russia, a safe haven country from which he can freely conduct cyberattacks against the U.S., Liska said the U.S. government’s announcement this week puts pressure on the cybercriminal.

“The indictments revealed how much information the government has on Matveev (though not everything they know) and the indictment also caused a lot of stir on underground forums,” said Liska. “It also means that Matveev is now permanently tied to Russia, [and] travel is not going to be an option for him.”