US sanctions Russian accused of being a 'central figure' in major ransomware attacks

The U.S. government has indicted a Russian national for his alleged role in ransomware attacks against U.S. law enforcement and critical infrastructure.

U.S. authorities accuse Mikhail Matveev, also known online as “Wazawaka” and “Boriselcin,” of being a "central figure" in developing and deploying the Hive, LockBit and Babuk ransomware variants.

In 2021, Matveev claimed responsibility for a ransomware attack against the Metropolitan Police Department in Washington, D.C., according to the U.S. Justice Department. The cyberattack saw the Babuk ransomware gang, of which Matveev had allegedly been a member since early 2020, infiltrate the police department's systems to steal the personal details of police officers, along with sensitive information about gangs, suspects of crimes and witnesses.

Matveev and his co-conspirators also deployed LockBit ransomware against a law enforcement agency in New Jersey's Passaic County in June 2020, according to prosecutors, and deployed Hive ransomware against a nonprofit behavioral healthcare organization headquartered in nearby Mercer County in May 2020.

These three ransomware gangs are believed to have targeted thousands of victims in the United States. According to the Justice Department, the LockBit ransomware gang has carried out over 1,400 attacks, issuing more than $100 million in ransom demands and receiving over $75 million in ransom payments. Babuk has executed over 65 attacks and has received $13 million in ransom payments, while Hive has targeted more than 1,500 victims around the world and received as much as $120 million in ransom payments.

Matveev is also believed to have links to the Russia-backed Conti ransomware gang. The Russian national is believed to have claimed responsibility for the ransomware attack on the government of Costa Rica, which saw Conti hackers demand $20 million in a ransom payment — along with the overthrow of the Costa Rican government.

According to the U.S. Treasury, which announced sanctions against the Russian national on Tuesday, Matveev has also been linked to other ransomware intrusions against numerous U.S. businesses, including a U.S. airline. The Treasury added that Matveev has been vocal about his illegal activities, providing insight into his cybercrimes in media interviews and disclosing exploit code to online criminals. The sanctions make it illegal for U.S. businesses or individuals to transact with Matveev, a tactic often used to discourage Americans from paying ransom demands.

“The United States will not tolerate ransomware attacks against our people and our institutions,” said Brian E. Nelson, the Treasury under secretary for terrorism and financial intelligence. “Ransomware actors like Matveev will be held accountable for their crimes, and we will continue to use all available authorities and tools to defend against cyber threats.”

Matveev is charged with conspiring to transmit ransom demands, conspiring to damage protected computers and intentionally damaging protected computers. If convicted, he faces over 20 years in prison. The Department has announced an award of up to $10 million for information that leads to his arrest or conviction.