A Russian citizen has been indicted and charged by the US Department of Justice (DoJ) for launching ransomware attacks against “thousands of victims” in the country and around the world.
Mikhail Pavlovich Matveev (aliases Wazawaka, m1x, Boriselcin, and Uhodiransomwar), the 30-year-old individual in question, is alleged to have been a “central figure” in the development and deployment of the LockBit, Babuk, and Hive ransomware variants since at least June 2020.
“These victims included law enforcement and other government agencies, hospitals, and schools,” the DoJ said. “The total alleged ransom requests made by members of these three global ransomware campaigns to their victims totaled $400 million, while the total ransom payments made by victims amounted to $200 million.”
LockBit, Babuk, and Hive operate in a similar way, leveraging unauthorized access to extract valuable data and spread ransomware across compromised networks. Threat actors also threaten to publish the stolen information on data leak websites in an attempt to negotiate a ransom amount with the victims.
Matveev has been charged with conspiring to send ransom demands, conspiring to harm protected computers, and knowingly damaging protected computers. If convicted, which is unlikely, he faces more than 20 years in prison.
The US Department of State has also announced a reward of up to $10 million for information leading to Matveev’s arrest and/or conviction.
Separately, the US Treasury’s Office of Foreign Assets Control (OFAC) announced sanctions against the accused, stating: “His illicit activities will be tolerated by local authorities provided he remains loyal to Russia.”
According to cybersecurity journalist Brian Krebs, Matveev’s other alter egos include Orange, which the accused used to set up the now-defunct Russian Anonymous Marketplace (aka RAMP) darknet forum.
Despite a flurry of law enforcement action to crack down on the cybercrime ecosystem in recent years, ransomware-as-a-service (RaaS) continues to be a profitable model, offering affiliates high profit margins without having to develop and maintain the malware themselves.
The financial mechanics associated with RaaS have also lowered the barrier to entry for would-be cybercriminals, who can leverage the services offered by ransomware developers to carry out attacks and pocket the lion’s share of the illegal profits.
Australian and US authorities released BianLian ransomware alerts
The developments come as the US and Australian cybersecurity agencies released a joint advisory on the BianLian ransomware, a double-extortion group that has been targeting the critical infrastructure, professional services, and property development sectors since June 2022.
“Groups gain access to victim systems through valid Remote Desktop Protocol (RDP) credentials, use open source tools and command line scripts for credential discovery and harvesting, and extract victim data via File Transfer Protocol (FTP), Rclone, or Mega,” according to the advisory.
Czech cybersecurity firm Avast earlier this year published a free decryptor for the BianLian ransomware to help malware victims recover locked files without having to pay threat actors.
The security bulletin also arrives amid the emergence of a new strain of ransomware dubbed LokiLocker, which has similarities to another locker called BlackBit and has been observed actively targeting entities in South Korea.