
US Formally Charges Russian Hacker Behind Global Ransomware Attacks

Mikhail Pavlovich Matveev was suspected of deploying LockBit, Babuk, and Hive ransomware to attack critical infrastructure, including a New Jersey healthcare provider.


By Sarai Rodriguez

The United States government offered a $10 million reward for information leading to the arrest of Mikhail Pavlovich Matveev, a Russian hacker accused of multiple ransomware attacks on US critical infrastructure, among them a nonprofit behavioral healthcare organization.

The newly unsealed indictment revealed that Matveev, also known under the aliases Wazawaka, m1x, Boriselcin, and Uhodiransomwar, faces multiple charges involving ransom demands, conspiracy to damage protected computers, and intentionally damaging protected computers. If convicted, the Russian hacker could face a maximum penalty of over 20 years in prison.

In parallel with the criminal charges, the US Treasury imposed sanctions, blocking Matveev from conducting any financial transactions in the United States.

The investigation into Matveev involved the FBI, IRS, local law enforcement in DC and New Jersey, and authorities from Japan, the UK, France, Germany, and the EU.

Starting as early as 2020, Matveev allegedly targeted law enforcement and healthcare organizations in the United States on multiple occasions, establishing partnerships with notorious threat actors to deploy Hive, LockBit, and Babuk ransomware.

“From Russia and hiding behind multiple aliases, Matveev is alleged to have used these ransomware strains to encrypt and hold hostage for ransom the data of numerous victims, including hospitals, schools, nonprofits, and law enforcement agencies, like the Metropolitan Police Department in Washington, DC,” said US Attorney Philip R. Sellinger for the District of New Jersey.

In one of the earliest incidents attributed to the Russian attackers, around June 25, 2020, they allegedly launched a LockBit ransomware attack against a law enforcement agency located in Passaic County, New Jersey.

As stated in the indictment, one of their most notable cases involved Matveev's deployment of Babuk ransomware in an attack against the Metropolitan Police Department in April 2021. During this incident, he threatened to publicly disclose sensitive information unless a rapid ransom payment of $4 million was made to prevent the agency's data from being leaked. Despite the ransom demand, the obtained data was leaked onto the internet.

The emergence of the Babuk ransomware variant dates back to December 2020. It has been responsible for executing over 65 attacks against victims worldwide, including numerous targets in the United States. The attackers issued ransom demands surpassing $49 million, with ransom payments totaling as much as $13 million.


It also came to light that a nonprofit behavioral healthcare organization located in Mercer County, New Jersey, was among the alleged victims of Matveev. In May 2022, Matveev and the Hive ransomware group allegedly initiated an attack against the organization.

Since June 2021, the Hive ransomware group has targeted over 1,400 victims worldwide and amassed up to $120 million in ransom payments.

“Data theft and extortion attempts by ransomware groups are corrosive, cynical attacks on key institutions and the good people behind them as they go about their business and serve the public,” said U.S. Attorney Matthew M. Graves for the District of Columbia. “Whether these criminals target law enforcement, other government agencies, or private companies like health care providers, we will use every tool at our disposal to prosecute and punish such offenses. Thanks to exceptional work by our partners here, we identified and charged this culprit.”

The LockBit, Babuk, and Hive ransomware variants shared a common approach, employing a double extortion strategy to target organizations and extract sensitive data. The actors typically gained unauthorized access to vulnerable computer systems through hacking or acquiring stolen credentials. Once inside, they deployed the ransomware, encrypting the victim's data and exfiltrating a copy of it. The actors then demanded payment to decrypt the data or to prevent its public disclosure. Ransom amounts were negotiated with victims willing to pay, while those who refused often had their data posted on public data leak sites.

“The FBI is steadfast in our commitment to disrupting cybercriminals like Matveev,” said Assistant Director Bryan Vorndran of the FBI’s Cyber Division. “The FBI will continue to impose costs on cyber adversaries through our joint collaboration with our private sector and international partners, and we will not tolerate these criminal acts against American citizens.”