He goes by many names, according to the US Department of Justice.
Mikhail Pavlovich Matveev, or just plain Matveev as he’s repeatedly referred to in his indictment, as well as Wazawaka, m1x, Boriselcin and Uhodiransomwar.
From that last alias, you can guess what he’s wanted for.
In the words of the charge sheet: conspiring to transmit ransom demands; conspiring to damage protected computers; and intentionally damaging protected computers.
Simply put, he’s accused of carrying out or enabling ransomware attacks, notably using three different malware strains known as LockBit, Hive, and Babuk.
Babuk makes regular headlines these days because its source code was released back in 2021, soon finding its way onto GitHub, where you can download it still.
Babuk therefore serves as a sort-of instruction manual that teaches (or simply enables, for those who don’t feel the need to understand the cryptographic processes involved) would-be cybercriminals how to handle the “we can decrypt this but you can’t, so pay us the blackmail money or you’ll never see your data again” part of a ransomware attack.
In fact, the Babuk source code includes options for malicious file scrambling tools that target Windows, VMware ESXi, and Linux-based network attached storage (NAS) devices.
Three specific attacks in evidence
The US indictment explicitly accuses Matveev of two ransomware attacks in the State of New Jersey, and one in the District of Columbia (the US federal capital).
The alleged attacks involved the LockBit malware unleashed against law enforcement in Passaic County, New Jersey, the Hive malware used against a healthcare organisation in Mercer County, New Jersey, and a Babuk attack on the Metropolitan Police Department in Washington, DC.
According to the DOJ, Matveev and his fellow conspirators…
…allegedly used these types of ransomware to attack thousands of victims in the United States and around the world. These victims include law enforcement and other government agencies, hospitals, and schools. Total ransom demands allegedly made by the members of these three global ransomware campaigns to their victims amount to as much as $400 million, while total victim ransom payments amount to as much as $200 million.
With that much at stake, it’s perhaps not surprising that the DOJ’s press release concludes by reporting that:
The [US] Department of State has also announced an award of up to $10 million for information that leads to the arrest and/or conviction of this defendant. Information that may be eligible for this award can be submitted at tips.fbi.gov or RewardsForJustice.net.
Interestingly, Matveev has also been declared a “designated” individual, meaning that he’s subject to US sanctions, and therefore presumably also that US businesses aren’t allowed to send him money, which we’re guessing prohibits Americans from paying any ransomware blackmail demands that he might make.
Of course, with the ransomware crime ecosystem largely operating under a service-based or franchise-style model these days, it seems unlikely that Matveev himself would directly ask for or receive any extortion money that was paid out, so it’s not clear what effect this sanction will have on ransomware payments, if any.
What to do?
If you do suffer the misfortune of having your files scrambled and held to ransom…
…do bear in mind the findings of the Sophos State of Ransomware Report 2023, where ransomware victims revealed that the median average cost of recovering by using backups was $375,000, while the median cost of paying the crooks and relying on their decryption tools instead was $750,000. (The mean averages were $1.6m and $2.6m respectively.)
As we put it in the Ransomware Report:
Whichever way you look at the data, it is considerably cheaper to use backups to recover from a ransomware attack than to pay the ransom. […] If further evidence is needed of the financial benefit of investing in a strong backup strategy, this is it.
In other words, sanctions or no sanctions, paying the ransomware criminals isn’t the end of your outlay when you need to recover in a hurry, because you need to add the cost of actually using those decryption tools onto the blackmail money you paid up in the first place.
Laurence Marks
“Passai County, New Jersey.” That would be Passaic County, if you please.
Paul Ducklin
Fixed, thanks!
15km NW of the Empire State Building, apparently, if that helps anyone from out of town fix a bearing on it in their mind.
(I am naively, if perhaps rudely, assuming that many more tourists have visited the Empire State Building than have taken a tour of Passaic, if only because Art Deco is a Thing.)
Paul Dodd
Perhaps Ukrainian hackers can go after Matveev and Russian hackers in general. The $10 million is more than the normal payout. Not sure if the FBI would be allowed to pay the reward to Russian individuals.
Paul Ducklin
I don’t think this reward is payable from FBI funds. It’s a Department of State thing, legally authorised and regulated separately from the law enforcement agencies themselves.
https://www.federalregister.gov/documents/2015/04/02/2015-07788/blocking-the-property-of-certain-persons-engaging-in-significant-malicious-cyber-enabled-activities
“Executive Order 13694 of April 1, 2015: Blocking the Property of Certain Persons Engaging in Significant Malicious Cyber-Enabled Activities.”
I think this sort of reward is theoretically payable to people who might otherwise be off-limits for regular financial transactions, as a way to try to reach out to would-be whistleblowers, turncoats, aggrieved parties, and so on, all around the world.
(If I were POTUS I would have waited until the next day to sign it, just to avoid silly comments from everyone for evermore.)