With Few Options, US Sanctions Ransomware Operator


May 17, 2023

World map

The U.S. government has indicted and issued sanctions against a Russian national for his role in ransomware attacks against U.S. critical infrastructure targets including law enforcement agencies.

Mikhail Matveev, aka Wazawaka” and “Boriselcin,” has been identified as a key player in the development of the Hive, LockBit, and Babuk ransomware variants, as well as being connected to the Conti ransomware gang.

“In 2021, Matveev claimed responsibility for a ransomware attack against the Metropolitan Police Department in Washington, D.C, according to the U.S. Justice Department. The cyberattack saw the Babuk ransomware gang, which Matveev was allegedly a member of since early 2020, infiltrate the police department’s systems to steal the personal details of police officers, along with sensitive information about gangs, suspects of crimes and witnesses,” TechCrunch reports.

“These three ransomware gangs are believed to have targeted thousands of victims in the United States. According to the Justice Department, the LockBit ransomware gang has carried out over 1,400 attacks, issuing more than $100 million in ransom demands and receiving over $75 million in ransom payments. Babuk has executed over 65 attacks and has received $13 million in ransom payments, while Hive has targeted more than 1,500 victims around the world and received as much as $120 million in ransom payments.”

Takeaway: The announcement that the US government is charging and sanctioning Russian national Mikhail Matveev is welcome news, and we hope to see more such actions taken to help stem this epidemic of ransomware attacks.  

While we have seen some arrests here and there of affiliates and other low-level threat actors in the space, Matveev is on another level, having been connected to some of the most prolific ransomware operations, including Conti, Hive, LockBit, and Babuk.

One thing these groups have in common - aside from Matveev's alleged involvement - is their propensity to hit targets in key critical infrastructure sectors. A wide variety of industries fall under the critical infrastructure umbrella, some with the potential to cause widespread disruptions if successfully targeted by these threat actors, as we saw with the DarkSide attack on Colonial Pipeline back in the spring of 2021 that shut down fuel supplies on the East coast of the US for several days.  

That attack apparently crossed a line with the ransomware operator's Russian-aligned overlords, and the DarkSide operation was quickly shuttered. But this outcome was likely only because it turned up the heat on the Putin regime, and Putin probably did not like to hear his name invoked in the same news conference that was discussing the attack. It's likely that the Russians did not want to reveal just how disruptive a ransomware attack can be - yet.

As Cyber evolved into a theater of operations militarily, conventional thinking is that a major attack on critical infrastructure would likely only come as part of a larger operation that included traditional kinetic warfare. But this is in the context of nation-to-nation conflicts at the direction of governments. But this weird overlap of cybercriminal activity with nation-state-supported operations we see with the Russian ransomware model - that conveniently allows for plausible deniability on the part of the nation-state actor - means we have elements acting that are not necessarily under the direct control of a government.

In the case of Colonial Pipeline, it may well have been an affiliate actor who conducted the attack, subsequently getting slapped down by the Russians for the overreach in their targeting. Nonetheless, the attack demonstrated that our nation's critical infrastructure is extremely vulnerable to such disruptions.

The US government is in a tough position regarding what actions to take to stem this wave of ransomware attacks, namely because there is so much ambiguity in determining root attribution for the attacks. These actions against Matveev are a good start, but even if he is arrested, there will quickly be someone to take his place. Ultimately, it's the Russian government that is both providing safe harbor for criminal elements conducting ransomware attacks with impunity and is very likely influencing some of their targeting.

Until the US government directly sanctions the Putin regime for their direct or tacit support, we will not see this spate of ransomware attacks abate any time soon. It's only a matter of time before we see another massively disruptive attack against a critical infrastructure target.

Halcyon.ai is the industry’s first dedicated, adaptive security platform that combines multiple advanced proprietary prevention engines along with AI models focused specifically on stopping ransomware – talk to a Halcyon expert today to find out more.