U.S. authorities announced criminal charges, economic sanctions and a $10 million reward Tuesday for information leading to the arrest of a Russian man accused of participating in a global ransomware campaign called Babuk, whose victims allegedly included the D.C. police department, an airline and other American industries.
The Department of the Treasury imposed an economic ban on financial dealings with Mikhail Matveev, calling him a central figure in launching cyberattacks against U.S. law enforcement, businesses and critical infrastructure in 2021.
“The United States will not tolerate ransomware attacks against our people and our institutions,” said Brian E. Nelson, undersecretary of the Treasury for terrorism and financial intelligence. “Ransomware actors like Matveev will be held accountable for their crimes, and we will continue to use all available authorities and tools to defend against cyberthreats.”
According to analysis conducted by Treasury’s Financial Crimes Enforcement Network (FinCEN), 75 percent of ransomware-related incidents reported between July and December 2021 were linked to Russia, its proxies or people acting on its behalf. Matveev is a “key actor” in that system, the department said, helping develop and deploy Russia-linked ransomware variants such as Hive, LockBit and Babuk, with Hive alone targeting more than 1,500 victims in more than 80 countries. Those attacks targeted hospitals, school districts, financial firms and other critical infrastructure, the department said.
Matveev has also given interviews, disclosed source code to online criminals and said his activities are tolerated by local authorities provided that he remains loyal to Russia, the department said.
In Washington, a newly unsealed indictment alleged that Matveev, 30, of Kaliningrad, Russia, using the online monikers Wazawaka, m1x, Boriselcin and Uhodiransomwar, committed intentional damage to a protected computer and made threats relating to a protected computer. Each charge is punishable by up to 10 years in prison. Matveev was charged with a series of similar crimes in a federal indictment in New Jersey.
“Data theft and extortion attempts by ransomware groups are corrosive, cynical attacks on key institutions and the good people behind them as they go about their business and serve the public,” Matthew Graves, U.S. attorney for D.C., said in a statement with James Dennehy, FBI Newark special agent in charge. “Thanks to exceptional work by our partners here, we identified and charged this culprit.”
According to the indictment, Matveev and Babuk conspirators deployed Babuk ransomware against D.C. police on April 26, 2021, infecting department computer systems, stealing data and extorting the police agency, threatening disclosure of sensitive information unless payment was made, causing at least $5,000 in losses.
Babuk emerged in early 2021 and made contact with D.C. police that April, claiming it had files containing information about gangs and the identities of confidential informants.
After negotiations with District officials broke down, hackers apparently posted stolen documents, including confidential files that could reveal names of suspected gang members and witnesses, and more than three dozen daily intelligence briefings for the chief of police, including raw intelligence on threats after the Jan. 6, 2021, attack on the U.S. Capitol. The group earlier made public internal files dealing with job candidates.
“We publish the full data of the police department,” the group posted in an online warning, saying the District’s proposed payment “amount turned out to be too small,” and taunting, “There is no way back you had very many chances.”
The posted files included a job applicant’s résumé, a map of the locations of sex crimes, information on the use of facial recognition software, street interview tactics and personal information of more than two dozen officers collected when they applied to the force, including address, phone, financial and medical information.
Brian Krebs, author of the Krebs on Security blog, identified “Wazawaka” in January 2022 as a major access broker in the Russian-speaking cybercrime scene, who initially sold distributed denial-of-service (DDoS) attacks that could cripple websites for $80 a day, before becoming a middleman selling access to organizations and to databases stolen from hacked companies. He claimed that one ransomware affiliate program paid him roughly $500,000 in commissions for the six months leading up to September 2020.
“Come, rob, and get dough!” Krebs quoted a thread started by Wazawaka in March 2020, allegedly selling access to a Chinese company with more than $10 billion in annual revenue.
Wazawaka also claimed that he worked with another group responsible for the Colonial Pipeline hack in 2021, which shut down one of the United States’ biggest fuel pipelines. But, Krebs reported, Wazawaka at the time appeared to believe in publishing victims’ data wholesale on cybercrime forums rather than selling it privately to the highest bidder.
The Babuk source code was leaked in September 2021, leading other threat actors to adopt or share its code in attacks in the United States and elsewhere across industries, analysts reported this year.