Mikhail Matveev Indictment Shows Police Tracking Top Alleged Ransomware Affiliates
How many ransomware-wielding hackers can claim among their bona fides to have caused a national cheese shortage, not least in the Gouda-loving Netherlands?
Enter Mikhail Matveev, 31, the Russian national whom prosecutors accused of wielding not one but three strains of ransomware.
Two federal indictments unsealed this month accuse Matveev – aka Wazawaka, m1x, Boriselcin, Uhodiransomwar – of operating as an affiliate for the LockBit, Babuk and Hive ransomware groups. Security experts say the indictments are notable because they don’t target ransomware-as-a-service group chiefs but rather a foot soldier who was directly responsible for hacking into victims’ networks and using the ransomware to extort them.
“Matveev is alleged to have used these ransomware strains to encrypt and hold hostage for ransom the data of numerous victims, including hospitals, schools, nonprofits and law enforcement agencies, like the Metropolitan Police Department in Washington, D.C.,” said New Jersey U.S. Attorney Philip R. Sellinger earlier this month, when the indictments were unsealed.
Matveev was also a key figure behind Groove, which tested a more affiliate-focused approach to ransomware attacks, and he worked as an access broker who sold remote access to hacked networks to other criminals, security experts say.
In the Netherlands, Matveev is no doubt better remembered for – allegedly – causing a Dutch cheese shortage in April 2021. That’s when Babuk struck Bakker Logistiek, one of the country’s biggest logistics providers, which supplies hundreds of supermarkets, wholesalers and retailers via refrigerated and air-conditioned warehouses and trucks.
The company said key IT systems were crypto-locked, possibly after attackers had gained access via Microsoft Exchange ProxyLogon vulnerabilities, causing a disastrous disruption of Dutch supply chains and leaving cheese counters bare across the nation.
“We could no longer receive orders from customers, and we no longer knew where products were in our warehouses,” Toon Verhoeven, a director at the logistics firm, told Dutch public broadcaster NOS at the time. “These are very large warehouses; you don’t just go looking for a pallet. We also couldn’t plan our transportation anymore. We have hundreds of trucks – that wasn’t done by hand either.”
The attack temporarily disrupted supplies of many types of cheese, biscuits and other food products nationwide, including at the country’s largest supermarket chain, Albert Heijn.
Babuk Curds Don’t Knit
The attack didn’t do Babuk’s group dynamics any favors either, because the group’s malfunctioning VMware ESXi decryptor often left encrypted data unrecoverable, said John Fokker, head of threat intelligence and principal engineer at the Trellix Advanced Research Center.
Northwave, the Dutch firm handling incident response, and Trellix, which analyzed ransomware samples involved in the attack, issued a joint report cautioning that the group’s attack tools had been “poorly developed” and that “there is no guarantee that all files will be recoverable” after an attack.
The group’s inability to craft a working ESXi decryptor seemed to trigger an “internal dispute,” Fokker told me. “We believe this was the start of Babuk’s downfall and one of the reasons for Matveev to leave the crime group, besides the Met Police attack.”
Matveev blamed the Babuk decryptor failure on a third-party developer, in an expansive August 2022 interview with Dmitry Smilyanets, a Russian-speaking intelligence analyst at Recorded Future.
“It simply turned the output from the disks to zero, and we destroyed at least two companies’ data,” Matveev told Smilyanets. “We took money from them for the decryptor, but they could not decrypt their data. Essentially, we scammed them.”
Matveev reported that one of the victims so affected was Bakker Logistiek, which paid him $2 million in exchange for a decryptor that didn’t work. He said the firm demanded the ransom payment back; he kept the money.
In that interview, Matveev disclosed multiple correct but not publicly known details about the attack, Fokker said. After liaising with Smilyanets, Northwave and Trellix alerted the police team probing the attack against Bakker Logistiek to Matveev’s apparent involvement, he said.
After Babuk failed, a new type of ransomware operation called Groove launched in the summer of 2021. Groove advertised itself as a way for affiliates of ransomware groups to put themselves in charge. Rather than being told what to do by ransomware-as-a-service operators, affiliates could amass victims and then decide which ransomware would be best for the job.
In September 2021, Trellix and threat intelligence firm Intel 471 gained access to the dark web server controlled by Groove and Matveev and found that it stored data stolen by Babuk. The data pertained to multiple victims named in the U.S. indictment, including Washington’s Metropolitan Police Department, Fokker said.
The Groove experiment ended shortly thereafter, and its founder or founders claimed they’d only been trying to “troll” Western media.
Police Track Affiliates
Despite the unmasking of Matveev and his alleged offenses, will the accused ransomware affiliate ever appear in a U.S. courtroom to answer these charges? That depends on whether he ever leaves Russia, which never extradites its citizens.
Regardless, the indictments against Matveev are notable because they show Western law enforcement is not just focusing on the operators of major ransomware groups, many of whom lease their crypto-locking malware to business partners, known in the trade as affiliates, in return for a share of every ransom paid, Fokker said.
“For far too long, everyone was focused on the head of the snake or the ransomware family, leaving the affiliates in a safe environment where they could thrive and expand their knowledge,” he said. The indictments against Matveev now stand as “a clear warning that participating in ransomware isn’t without consequences: There is a real chance you will be identified, indicted and arrested.”