Russian Hacker “Wazawaka” Indicted for Ransomware


A Russian man identified by KrebsOnSecurity in January 2022 as a prolific and vocal member of several top ransomware groups was the subject of two indictments unsealed by the Justice Department today. U.S. prosecutors say Mikhail Pavolovich Matveev, a.k.a. “Wazawaka” and “Boriselcin,” worked with three different ransomware gangs that extorted hundreds of millions of dollars from companies, schools, hospitals and government agencies.

An FBI wanted poster for Matveev.

Indictments returned in New Jersey and the District of Columbia allege that Matveev was involved in a conspiracy to distribute ransomware from three different strains or affiliate groups, including Babuk, Hive and LockBit.

The indictments allege that on June 25, 2020, Matveev and his LockBit co-conspirators deployed LockBit ransomware against a law enforcement agency in Passaic County, New Jersey. Prosecutors say that on May 27, 2022, Matveev conspired with Hive to ransom a nonprofit behavioral healthcare organization headquartered in Mercer County, New Jersey. And on April 26, 2021, Matveev and his Babuk gang allegedly deployed ransomware against the Metropolitan Police Department in Washington, D.C.

Meanwhile, the U.S. Department of Treasury has added Matveev to its list of persons with whom it is illegal to transact financially. Also, the U.S. State Department is offering a $10 million reward for the capture and/or prosecution of Matveev, although he is unlikely to face either as long as he continues to reside in Russia.

In a January 2021 discussion on a top Russian cybercrime forum, Matveev’s alleged alter ego Wazawaka said he had no plans to leave the protection of “Mother Russia,” and that traveling abroad was not an option for him.

“Mother Russia will help you,” Wazawaka concluded. “Love your country, and you will always get away with everything.”

In January 2022, KrebsOnSecurity published Who is the Network Access Broker ‘Wazawaka,’ which followed clues from Wazawaka’s many pseudonyms and contact details on the Russian-language cybercrime forums back to a 33-year-old Mikhail Matveev from Abaza, RU (the FBI says his date of birth is Aug. 17, 1992).

A month after that story ran, a man who appeared identical to the social media photos for Matveev began posting on Twitter a series of unconvincing selfie videos in which he lashed out at security journalists and researchers (including this author), while using the same Twitter account to drop exploit code for a widely-used virtual private networking (VPN) appliance.

“Hello Brian Krebs! You did a really great job actually, really well, fucking great — it’s great that journalism works so well in the US,” Matveev said in one of the videos. “By the way, it is my voice in the background, I just love myself a lot.”

Prosecutors allege Matveev used an unbridled stream of monikers on the cybercrime forums, including “Boriselcin,” a talkative and unwary personality who was simultaneously the public persona of Babuk, a ransomware affiliate program that surfaced on New Year’s Eve 2020.

Previous reporting here revealed that Matveev’s alter egos included “Orange,” the founder of the RAMP ransomware forum. RAMP stands for “Ransom Anon Market Place,” and analysts at the security firm Flashpoint say the forum was created “directly in response to several large Dark Web forums banning ransomware collectives on their site following the Colonial Pipeline attack by ransomware group ‘DarkSide.’”

As noted in last year’s investigations into Matveev, his alleged cybercriminal handles all were driven by a uniquely communitarian view that when organizations being held for ransom decline to cooperate or pay up, any data stolen from the victim should be published on the Russian cybercrime forums for all to plunder — not privately sold to the highest bidder.

In thread after thread on the crime forum XSS, Matveev’s alleged alias “Uhodiransomwar” could be seen posting download links to databases from companies that have refused to negotiate after five days.

Matveev is charged with conspiring to transmit ransom demands, conspiring to damage protected computers, and intentionally damaging protected computers. If convicted, he faces more than 20 years in prison.

Further reading:

Who is the Network Access Broker “Wazawaka?”

Wazawaka Goes Waka Waka

The New Jersey indictment against Matveev (PDF)