U.S. Offers $10 Million Bounty for Capture of Notorious Russian Ransomware Operator

May 17, 2023Ravie LakshmananCyber Crime / Ransomware

A Russian national has been charged and indicted by the U.S. Department of Justice (DoJ) for launching ransomware attacks against “thousands of victims” in the country and across the world.

Mikhail Pavlovich Matveev (aka Wazawaka, m1x, Boriselcin, and Uhodiransomwar), the 30-year-old individual in question, is alleged to be a “central figure” in the development and deployment of LockBit, Babuk, and Hive ransomware variants since at least June 2020.

“These victims include law enforcement and other government agencies, hospitals, and schools,” DoJ said. “Total ransom demands allegedly made by the members of these three global ransomware campaigns to their victims amount to as much as $400 million, while total victim ransom payments amount to as much as $200 million.”

LockBit, Babuk, and Hive operate alike, leveraging unlawfully obtained access to exfiltrate valuable data and deploy ransomware on compromised networks. The threat actors also threaten to publicize the stolen information on a data leak site in an attempt to negotiate a ransom amount with victims.

Matveev has been charged with conspiring to transmit ransom demands, conspiring to damage protected computers, and intentionally damaging protected computers. If convicted, which is unlikely, he faces over 20 years in prison.

The U.S. State Department has also announced an award of up to $10 million for information that leads to the arrest and/or conviction of Matveev.

Separately, the Treasury Department’s Office of Foreign Assets Control (OFAC) announced sanctions against the defendant, stating “his illicit activities will be tolerated by local authorities provided that he remains loyal to Russia.”

According to cybersecurity journalist Brian Krebs, one of Matveev’s alter egos included Orange, which the defendant used to establish the now-defunct Russian Anonymous Marketplace (aka RAMP) darknet forum.

Despite the flurry of law enforcement actions to crack down on the cybercrime ecosystem in recent years, the ransomware-as-a-service (RaaS) model continues to be a lucrative one, offering affiliates high-profit margins without having to develop and maintain the malware themselves.

The financial mechanics associated with RaaS has also lowered the barrier to entry for aspiring cybercriminals, who can avail the services offered by the ransomware developers to mount the attacks and pocket the lion’s share of the illicit profits.

Australian and U.S. authorities release BianLian ransomware alert

The development comes as U.S. and Australian cybersecurity agencies released a joint advisory on BianLian ransomware, a double extortion group that has targeted several critical infrastructure, professional services, and property development sectors since June 2022.

“The group gains access to victim systems through valid Remote Desktop Protocol (RDP) credentials, uses open-source tools and command-line scripting for discovery and credential harvesting, and exfiltrates victim data via File Transfer Protocol (FTP), Rclone, or Mega,” according to the advisory.

Czech cybersecurity firm Avast, earlier this year, published a free decryptor for BianLian ransomware to help victims of the malware recover locked files without having to pay the threat actors.

The security bulletin also arrives amid the emergence of a new ransomware strain dubbed LokiLocker that shares similarities with another locker called BlackBit and has been observed actively targeting entities in South Korea.