Russian national charged with ransomware attacks against critical infrastructure

May 17, 2023
Federal prosecutors allege Mikhail Pavlovich Matveev participated in conspiracies to deploy the LockBit, Babuk and Hive variants, and transmitted ransom demands in connection with the deployments.

The U.S. Department of Justice has unsealed two indictments charging a Russian national and resident with using three different ransomware variants to attack law enforcement agencies, healthcare, schools and other sectors.

Since 2020, federal prosecutors allege, Mikhail Pavlovich Matveev (a.k.a. Wazawaka, akam1x, Boriselcin and Uhodiransomwar) participated in conspiracies to deploy the LockBit, Babuk and Hive variants, and transmitted ransom demands in connection with the deployments.

Matveev is charged with conspiring to transmit ransom demands, conspiring to damage protected computers, and intentionally damaging protected computers. If convicted, he faces over 20 years in prison.

The U.S. Department of the Treasury’s Office of Foreign Assets Control (OFAC) said it’s designating Matveev for his role in launching ransomware attacks against U.S. law enforcement, businesses, and critical infrastructure. The State Department also announced an award of up to $10 million for information that leads to the arrest and/or conviction of Matveev. Information that may be eligible for this award can be submitted at tips.fbi.gov.

The total ransom demands allegedly made by the members of these three global ransomware campaigns to their victims amounted to as much as $400 million, while total victim ransom payments amounted to as much as $200 million, the DOJ said.

Prosecutors allege that Matveev and his LockBit co-conspirators deployed LockBit ransomware against a law enforcement agency in Passaic County, N.J. in 2022; that last year Matveev and his Hive co-conspirators deployed Hive against a nonprofit behavioral healthcare organization headquartered in Mercer County, N.J.; and that Matveev and his Babuk co-conspirators deployed Babuk against the Metropolitan Police Department in Washington D.C. in 2021.

“Thanks to the extraordinary investigative work of prosecutors from my office and our FBI partners, Matveev no longer hides in the shadows,” said U.S. Attorney Philip R. Sellinger for the District of New Jersey. “Let these charges be a reminder to cybercriminals everywhere – my office is devoted to combatting cybercrime and will spare no resources in bringing to justice those who use ransomware attacks to target victims.”

The LockBit ransomware variant first appeared around January 2020, the FBI said. LockBit actors have executed over 1,400 attacks against victims in the U.S. and globally, issuing over $100 million in ransom demands and receiving over $75 million in ransom payments.

The Babuk ransomware variant first appeared around December 2020. Babuk actors executed over 65 attacks against victims in the U.S. and around the world, issuing over $49 million in ransom demands and receiving as much as $13 million in ransom payments.

Since June 2021, the Hive ransomware group has targeted more than 1,400 victims around the world and received as much as $120 million in ransom payments.

Prosecutors said the LockBit, Babuk, and Hive ransomware variants operate in the same general manner. First, the ransomware actors would identify and unlawfully access vulnerable computer systems, sometimes through their own hacking, or by purchasing stolen access credentials from others.

Second, the actors would deploy the ransomware variant within the victim's computer system, allowing them to encrypt and steal the data stored there. Next, the actors would send a ransom note to the victim demanding payment in exchange for decrypting the victim's data or refraining from sharing it publicly. Finally, the ransomware actors would negotiate a ransom amount with each victim willing to pay. If a victim did not pay, the ransomware actors would often post that victim's data on a public website, often called a data leak site.

The FBI Newark Field Office’s Cyber Crimes Task Force is investigating the case with the assistance of the Jersey City Police Department, New Jersey State Police, Newark IRS Criminal Investigation, and international partners from Europe, Japan, France, U.K., Switzerland, Germany, Spain, Norway, Sweden and the Netherlands.

Victims of LockBit, Babuk or Hive ransomware should contact their local FBI field office for further information. For additional information on ransomware, including the LockBit, Babuk, and Hive variants, please visit StopRansomware.gov.