Cybersecurity researchers have revealed the inner workings of a ransomware operation led by Russian citizen Mikhail Pavlovich Matveev, who was indicted by the U.S. government earlier this year for allegedly launching thousands of attacks around the world.
Matveev, who lives in St. Petersburg and goes by the aliases Wazawaka, m1x, Boriselcin, Uhodiransomwar, Orange and waza, has allegedly been active since 2017 and played a key role in the development and deployment of the LockBit, Babuk and Hive ransomware variants since at least June 2020.
“Wazawaka and his team members’ apparent greed for ransom payments demonstrates a severe disregard for ethical values in their online operations,” Swiss cybersecurity firm PRODAFT said in a comprehensive analysis shared with The Hacker News.
“Their tactics include intimidation through threats of leaking sensitive files, engaging in dishonest conduct, and insisting on retaining files even after victims pay the ransom, which exemplify the common ethical failings seen in the behavior of traditional ransomware groups.”
PRODAFT’s findings are the result of data compiled between April and December 2023 by intercepting thousands of communication logs between various threat actors related to different ransomware variants.
Matveev is said to have led a team of six penetration testers (777, bobr.kurwa, krbtgt, shokoladniy_zayac, WhyNot and dushnila) to carry out the attacks. The group has a flat hierarchy that promotes better collaboration among members.
“Everyone contributed resources and expertise as needed, demonstrating exceptional flexibility in adapting to new scenarios and situations,” PRODAFT said.
In addition to his role as an affiliate of Conti, LockBit, Hive, Trigona, and NoEscape, Matveev held a management position in the Babuk ransomware group until early 2022, and shared an alleged “complex relationship” with another actor named Dudka, who is most likely the developer behind Babuk and Monti.
The attacks launched by Matveev and his team involved using ZoomInfo and services such as Censys, Shodan and FOFA to gather information about victims, relying on known security vulnerabilities and initial access brokers to gain a foothold, and using a combination of custom and off-the-shelf tools to brute-force VPN accounts, escalate privileges, and streamline their activities.
“After gaining initial access, Wazawaka and his team primarily used PowerShell commands to execute their preferred remote monitoring and management (RMM) tools,” the company said. “MeshCentral stands apart as the team’s unique toolkit, often used as their go-to open source software for a variety of operations.”
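One way a defender could flag the PowerShell-to-RMM step described above, as an added example that is not part of the original article or PRODAFT’s report; the key=value log layout, the MeshCentral agent binary names and the sample events are constructed assumptions:

```python
"""PowerShell spawning a remote monitoring and management (RMM) agent, the
post-access pattern described above. Added example, not PRODAFT's or THN's
code; log layout, agent binary names and sample events are constructed."""
import re
from dataclasses import dataclass

# Assumption: MeshCentral's agent ships as meshagent.exe / meshagent64.exe.
# Extend with whatever RMM agents are not sanctioned in your environment.
RMM_AGENTS = {"meshagent.exe", "meshagent64.exe"}
POWERSHELL = {"powershell.exe", "pwsh.exe"}
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

# Constructed records: PowerShell-launched agent, Explorer-launched agent, benign child.
SAMPLE_LOG = [
    'ts=2023-11-02T10:14:03Z parent="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe" '
    'image="C:\\Users\\Public\\meshagent.exe" cmdline="meshagent.exe -fullinstall"',
    'ts=2023-11-02T10:14:09Z parent="C:\\Windows\\explorer.exe" '
    'image="C:\\Program Files\\Mesh Agent\\MeshAgent.exe" cmdline="MeshAgent.exe"',
    'ts=2023-11-02T10:15:41Z parent=powershell.exe image=whoami.exe cmdline="whoami /all"',
]

@dataclass
class Event:
    ts: str
    parent: str
    image: str
    cmdline: str

def parse_event(line: str) -> Event:
    """Split one key=value record; quoted values may contain spaces."""
    f = {k: v.strip('"') for k, v in FIELD_RE.findall(line)}
    return Event(f["ts"], f["parent"], f["image"], f.get("cmdline", ""))

def basename(path: str) -> str:
    """Lower-cased file name, accepting Windows or POSIX separators."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()

def is_rmm_from_powershell(ev: Event) -> bool:
    """The signal is the parent, not the binary: an agent launched by
    explorer.exe or a service is expected, one spawned by PowerShell is not."""
    return basename(ev.parent) in POWERSHELL and basename(ev.image) in RMM_AGENTS

def find_alerts(lines):
    """Parsed events matching the PowerShell -> RMM agent pattern."""
    return [ev for ev in map(parse_event, lines) if is_rmm_from_powershell(ev)]

if __name__ == "__main__":
    for ev in find_alerts(SAMPLE_LOG):
        print(f"{ev.ts} ALERT: PowerShell spawned RMM agent {ev.image} ({ev.cmdline})")
```

Because MeshCentral is also a legitimate IT tool, the rule keys on the parent process rather than the agent binary alone, so a properly installed agent started by Explorer or a service is left alone.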
PRODAFT’s analysis further revealed ties between Matveev and Evgeniy Mikhailovich Bogachev, a Russian citizen linked to the development of the GameOver Zeus botnet, which was dismantled in 2014, and to Evil Corp.
Notably, the Babuk ransomware operation was rebranded as PayloadBIN in 2021 and linked to Evil Corp, apparently in an attempt to circumvent the U.S. sanctions imposed on the latter in December 2019.
“This technical connection, combined with Wazawaka’s known relationship with notorious cybercriminal Bogachev, suggests a deeper connection between Wazawaka, Bogachev and Evil Corp’s operations,” PRODAFT said.