A notorious Russian cybercriminal, identified by KrebsOnSecurity in January 2022 as a prolific member of several top ransomware groups, has been named in two separate indictments issued by the US Justice Department. Mikhail Pavlovich Matveev, known by his online aliases “Wazawaka” and “Boriselcin,” is accused of collaborating with three different ransomware gangs that extorted hundreds of millions of dollars from schools, hospitals, government agencies, and companies.
According to indictments filed in New Jersey and the District of Columbia, Matveev took part in conspiracies to deploy ransomware from three different strains or affiliate groups: Babuk, Hive, and LockBit. Prosecutors allege that on June 25, 2020, Matveev and his LockBit conspirators deployed LockBit ransomware against a law enforcement agency in Passaic County, New Jersey. On May 27, 2022, Matveev allegedly worked with Hive to extort a nonprofit behavioral healthcare organization headquartered in Mercer County, New Jersey. And on April 26, 2021, Matveev and the Babuk gang allegedly deployed ransomware against the Metropolitan Police Department in Washington, D.C.
Matveev has been added to the US Treasury Department’s list of sanctioned persons with whom it is illegal to transact financially, and the US State Department is offering a $10 million reward for information leading to his capture and/or prosecution. He is unlikely to face either as long as he remains in Russia, which is his stated intention: in a January 2021 discussion on a top Russian cybercrime forum, Matveev, writing under his alleged alter ego Wazawaka, said he had no plans to leave the protection of “Mother Russia,” that traveling abroad was not an option for him, and that Russia would always protect him.
Prosecutors allege that Matveev used a dizzying stream of monikers on the cybercrime forums, including “Boriselcin,” a talkative and brash personality who also served as the public persona of Babuk, a ransomware affiliate program that surfaced on New Year’s Eve 2020. Previous reporting also tied Matveev to the alias “Orange,” the founder of the RAMP ransomware forum.
RAMP stands for “Ransom Anon Market Place,” and analysts at the security firm Flashpoint say the forum was created “directly in response to several large Dark Web forums banning ransomware collectives on their site following the Colonial Pipeline attack by ransomware group ‘DarkSide.’” All of Matveev’s alleged handles shared a community-oriented view: when organizations being held for ransom refuse to cooperate or pay up, the data stolen from the victim should be published on Russian cybercrime forums for all to plunder rather than sold privately to the highest bidder.
Under the indictments returned against him, Matveev is charged with conspiring to transmit ransom demands, conspiring to damage protected computers, and intentionally damaging protected computers. If convicted, he faces more than 20 years in prison.
In February 2022, a man who looked identical to Matveev in his social media photos began posting a series of bizarre selfie videos on Twitter in which he lashed out at security journalists and researchers, including the author of this article. From the same Twitter account, Matveev also dropped exploit code for a widely used virtual private networking (VPN) appliance.
The indictments against Mikhail Pavlovich Matveev, alias “Wazawaka” and “Boriselcin,” are part of the US government’s broader effort to hold ransomware operators accountable. Whether they will ever lead to his arrest and conviction remains unclear, but together with the sanctions and the reward offer they signal that Russian cybercriminals who target US-based organizations with ransomware will be named and pursued.