US identifies and places $10 million bounty on LockBit, Hive ransomware kingpin


The Department of Justice (DoJ) has charged a Russian man over his links to major ransomware groups, offering a $10 million award for information that assists his arrest.

Mikhail Pavlovich Matveev, a 30-year-old Russian national, was charged with intentionally damaging protected computers, as well as conspiracy to damage protected computers and to transmit ransom demands.

He is alleged to have helped deploy the LockBit, Hive, and Babuk ransomware variants to extort money from US and international organizations.

According to the FBI, Matveev is known to have links to both Kaliningrad and St. Petersburg in Russia, where he is understood to reside.

It has long been established that cyber criminals operating in Russia will escape criminal penalties, provided they don’t attack the Russian government or any organizations operating in the country.

Many ransomware groups operate out of Russia because of these ‘safe harbor’ protections. Their members often never leave the country for fear of being arrested in territories that have extradition agreements with major Western powers, and as a result they rarely face criminal punishment.

The DoJ has alleged that on or around 25 June 2020, Matveev and other LockBit operators used the ransomware strain against a New Jersey-based law enforcement agency.

It additionally linked him to a 2021 Babuk attack on the DC police department.


“From his home base in Russia, Matveev allegedly used multiple ransomware variants to attack critical infrastructure around the world, including hospitals, government agencies, and victims in other sectors,” said Assistant Attorney General Kenneth A. Polite, Jr. of the Justice Department’s Criminal Division.

“These international crimes demand a coordinated response. We will not relent in imposing consequences on the most egregious actors in the cyber crime ecosystem.”

In its official wanted notice for Matveev, the FBI listed his known aliases as ‘Wazawaka’, ‘Boriscelcin’, ‘m1x’, and ‘Uhodiransomwar’.

Any individual in possession of information that leads to Matveev’s arrest or conviction has been urged to submit a tip to the FBI.

The FBI’s Newark Field Office Cyber Crimes Task Force has been put in charge of the case in coordination with a number of European agencies, including the UK’s National Crime Agency.

What are LockBit, Hive, and Babuk?

Both LockBit and Hive are ransomware as a service (RaaS) groups known for following a double extortion method, in which victims’ data is stolen before it is encrypted so that the threat of leaking it adds pressure to pay. They are among the most notorious groups in operation.

The Babuk group is now believed to have retired, but at its peak was linked to attacks such as one on NHS outsourcing firm Serco, and received up to $13 million in paid ransoms.

The DoJ has estimated that victims have paid the three groups a combined $200 million in ransom over the years.

LockBit made headlines in recent months for an attack against Royal Mail International, for which it initially demanded an $81 million (£65 million) ransom.

Following talks, LockBit leaked 44GB of the firm’s data including salary information, contracts, and vaccine records, and lowered its ransom to $41 million (£33 million).

It has targeted firms such as digital transformation company Orion Innovation and in December attacked a Canadian children’s hospital, an act for which it issued a rare apology and provided a free decryptor.

After falling prey to DDoS attacks, the group had pledged to be ‘more aggressive’ and its strain LockBit 3.0 accounted for 35% of all ransomware activity in Q3 2022.

Hive has been linked to a range of high-profile security incidents in the last year, including an attack on French telco giant Altice, the encryption of systems at Indian energy leader Tata Power, and a widespread assault on Costa Rican healthcare systems.

Microsoft warned in July 2022 that Hive’s new variant was more sophisticated, having adopted the programming language Rust in its payload executable for improved memory safety and efficiency.

In January, the FBI confirmed a takedown of Hive ransomware operations, though this was deemed unlikely to have lasting effects.

Rory Bathgate
Features and Multimedia Editor

Rory Bathgate is Features and Multimedia Editor at ITPro, overseeing all in-depth content and case studies. He can also be found co-hosting the ITPro Podcast with Jane McCallion, swapping a keyboard for a microphone to discuss the latest learnings with thought leaders from across the tech sector.

In his free time, Rory enjoys photography, video editing, and good science fiction. After graduating from the University of Kent with a BA in English and American Literature, Rory undertook an MA in Eighteenth-Century Studies at King’s College London. He joined ITPro in 2022 as a graduate, following four years in student journalism. You can contact Rory at rory.bathgate@futurenet.com or on LinkedIn.