Behind the Scenes of Matveev’s Ransomware Empire: Tactics and Team

The inner workings of the ransomware operation headed by Russian national Mikhail Pavlovich Matveev, who was charged by the US government earlier this year for his claimed involvement in thousands of attacks worldwide, have been revealed by cybersecurity researchers.

According to reports, Matveev—who goes by the identities Wazawaka, m1x, Boriselcin, Uhodiransomwar, Orange, and waza—lives in Saint Petersburg and has been involved in the creation and distribution of LockBit, Babuk, and Hive ransomware versions since at least June 2020.

“Wazawaka and his team members prominently exhibit an insatiable greed for ransom payments, demonstrating a significant disregard for ethical values in their cyber operations,” according to a thorough investigation provided to The Hacker News by Swiss cybersecurity firm PRODAFT.


“Employing tactics that involve intimidation through threats to leak sensitive files, engaging in dishonest practices, and persisting in retaining files even after the victim complies with the ransom payment, they exemplify the ethical void prevalent in the practices of traditional ransomware groups.”

The information gathered between April and December 2023 by intercepting thousands of communication records between different threat actors connected to several ransomware strains is what led to PRODAFT’s conclusions.

According to reports, Matveev is in charge of a group of six penetration testers who carry out the attacks: 777, bobr.kurwa, krbtgt, shokoladniy_zayac, WhyNot, and dushnila. Because there is no hierarchy inside the organisation, individuals are more likely to work together.

“Each individual contributes resources and expertise as needed, showcasing a remarkable level of flexibility in adapting to new scenarios and situations,” PRODAFT stated.

In early 2022, Matveev held a managerial position with the Babuk ransomware group in addition to his work as an affiliate for Conti, LockBit, Hive, Trigona, and NoEscape. He also shared a “complex relationship” with another actor, Dudka, who is probably the developer of Babuk and Monti.

Matveev and his team gain their initial foothold through known security flaws and initial access brokers, then use a combination of custom and off-the-shelf tools to brute-force VPN accounts, escalate privileges, and streamline their campaigns. They also use ZoomInfo and services like Censys, Shodan, and FOFA to gather information about the victims.

PRODAFT’s analysis further uncovered connections between Matveev and Evgeniy Mikhailovich Bogachev, a Russian national linked to the development of the GameOver Zeus botnet, which was dismantled in 2014, and Evil Corp.

It’s worth noting that the Babuk ransomware operations rebranded as PayloadBIN in 2021, with the latter tied to Evil Corp in an apparent effort to get around sanctions imposed against it by the U.S. in December 2019.

“This technical association, coupled with the known relationship between Wazawaka and the notorious cybercriminal Bogachev, suggests deeper connections among Wazawaka, Bogachev, and the operations of Evil Corp,” PRODAFT said.
