Full Report
Russian media and other sources are reporting that authorities there have charged Mikhail Matveev — aka Wazawaka, blamed in multiple high-profile ransomware attacks — with criminal hacking.
Analysis Summary
# Threat Actor: Mikhail Matveev (Wazawaka)
## Attribution & Identity
**Attribution:** Linked to Russian cybercriminal activities.
**Aliases/Known Associations:** Wazawaka, club1337 (contacted him). Affiliated with ransomware groups: Babuk, Conti, DarkSide, Hive, and LockBit.
## Activity Summary
Russian authorities have charged Mikhail Matveev (Wazawaka) under Article 273 of the Criminal Code for developing malware intended to encrypt commercial organizations' data for illegal profit (ransomware). Matveev was previously indicted and sanctioned by the U.S. government in May. A key historical activity attributed to him is the April 2021 attack on the Washington, D.C., Metropolitan Police Department while operating as part of the Babuk ransomware gang, where over 250 GB of data was allegedly stolen.
## Tactics, Techniques & Procedures
- Development of ransomware malware for data encryption and demanding ransom.
- Extortion/Blackmailing of commercial organizations.
- MITRE ATT&CK IDs are not explicitly provided in the source text; the described methods align with T1486 (Data Encrypted for Impact).
## Targeting
- **Sectors:** Commercial organizations, Law Enforcement (specifically Washington D.C. MPD).
- **Geography:** Operational globally (U.S. target mentioned), currently facing legal action in Russia.
- **Victims:** Washington, D.C., Metropolitan Police Department (MPD).
## Tools & Infrastructure
- **Malware Families Used:** Ransomware (general development cited), specifically associated with Babuk.
- **Infrastructure:** Not detailed, but he developed specific malware for extortion.
## Implications
The charging of Wazawaka by Russian authorities, despite his high profile and previous threats against U.S. interests, is an uncommon occurrence, suggesting potential shifts in how Russia handles cybercriminals, possibly following diplomatic communication (as evidenced by the REvil case mentioned in the context). Matveev remains a high-risk individual, previously unconcerned by U.S. sanctions and boasting about evading U.S. law enforcement interest. His current legal status (out on bail awaiting next steps) needs close tracking.
## Mitigations
- Standard ransomware defenses should be maintained given his confirmed involvement with major ransomware strains (Conti, LockBit, Hive, etc.).
- Given his past activities, organizations should ensure robust defenses for sensitive data stores, especially law enforcement entities.
- Monitor for potential resurfacing or continuation of activities despite his current legal issues.
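The mitigation bullets above refer to "standard ransomware defenses" without saying what a concrete detection for T1486 (Data Encrypted for Impact) looks like. The following is an added illustration written for this summary, not code from the report or from any of the ransomware operations named on the page. It scores file-write events on two signals that bulk encryption usually produces: near-random byte content landing in a format that should not be high-entropy, and a document extension being overwritten by a new one (e.g. `.docx.locked`). A burst of such writes from one process raises an alert. The event shape, paths, process names, extension lists and threshold values are all constructed assumptions for the example; real deployments take these from an EDR or file-audit feed and tune the allowlist of legitimately compressed formats, which is the main false-positive source for entropy-based checks.

```python
import math
import random
from collections import Counter, defaultdict

# Uniformly random bytes score close to 8.0 bits/byte; plain text and
# uncompressed data score well below. Threshold chosen for this example.
ENTROPY_THRESHOLD = 7.5
# Formats that are legitimately high-entropy (compressed or zip-based), so the
# entropy signal alone should not fire on them. Sample list, not exhaustive.
HIGH_ENTROPY_OK = {".zip", ".gz", ".7z", ".jpg", ".png", ".pdf",
                   ".docx", ".xlsx", ".pptx"}
# Document types worth protecting; a new extension stacked on one of these is
# a common ransomware rename pattern. Sample list for the example.
DOCUMENT_EXTS = {".docx", ".xlsx", ".pptx", ".txt", ".csv", ".sql"}
# Suspicious writes by a single process before we raise an alert (assumed).
BURST_LIMIT = 3


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte: 0.0 for empty input, 8.0 maximum."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def split_extensions(path: str):
    """Return (last_ext, ext_before_it), lowercased.
    'case.docx.locked' -> ('.locked', '.docx'); 'draft.docx' -> ('.docx', '')."""
    name = path.replace("\\", "/").rsplit("/", 1)[-1].lower()
    parts = name.split(".")
    last = "." + parts[-1] if len(parts) > 1 else ""
    prev = "." + parts[-2] if len(parts) > 2 else ""
    return last, prev


def assess_write(path: str, data: bytes) -> dict:
    """Score one file write and list the reasons it resembles encryption output."""
    entropy = shannon_entropy(data)
    last, prev = split_extensions(path)
    reasons = []
    if entropy >= ENTROPY_THRESHOLD and last not in HIGH_ENTROPY_OK:
        reasons.append("high-entropy content in a non-compressed format")
    if prev in DOCUMENT_EXTS and last not in DOCUMENT_EXTS:
        reasons.append(f"document extension {prev} overwritten with {last}")
    return {"path": path, "entropy": round(entropy, 2), "reasons": reasons}


def detect_encryption_bursts(events):
    """Group suspicious writes by process; return {process: [paths]} for every
    process at or above BURST_LIMIT."""
    suspicious = defaultdict(list)
    for ev in events:
        result = assess_write(ev["path"], ev["data"])
        if result["reasons"]:
            suspicious[ev["process"]].append(result["path"])
    return {p: paths for p, paths in suspicious.items() if len(paths) >= BURST_LIMIT}


def _random_bytes(seed: int, n: int = 4096) -> bytes:
    """Deterministic stand-in for ciphertext (constructed test data)."""
    rng = random.Random(seed)
    return bytes(rng.getrandbits(8) for _ in range(n))


# Constructed sample of file-write events in the shape a file-audit pipeline
# might emit. Process names and share paths are invented for this example.
SAMPLE_EVENTS = [
    {"process": "svchost_fake.exe", "path": r"\\fs01\cases\case-1138.docx.locked", "data": _random_bytes(1)},
    {"process": "svchost_fake.exe", "path": r"\\fs01\cases\evidence-log.csv.locked", "data": _random_bytes(2)},
    {"process": "svchost_fake.exe", "path": r"\\fs01\cases\roster.xlsx.locked", "data": _random_bytes(3)},
    {"process": "svchost_fake.exe", "path": r"\\fs01\cases\README.locked", "data": _random_bytes(4)},
    # A real .docx is zip-based, so its bytes look random; the allowlist keeps it quiet.
    {"process": "WINWORD.EXE", "path": r"\\fs01\cases\draft.docx", "data": _random_bytes(5)},
    {"process": "backup.exe", "path": r"\\fs01\backups\nightly.zip", "data": _random_bytes(6)},
]


if __name__ == "__main__":
    for ev in SAMPLE_EVENTS:
        print(assess_write(ev["path"], ev["data"]))
    print("alerts:", detect_encryption_bursts(SAMPLE_EVENTS))
```

Run as a script, the four `.locked` writes from `svchost_fake.exe` are flagged and produce one burst alert, while the Word and backup writes stay silent even though their contents are equally high-entropy. In practice the rename signal is the more robust of the two; the entropy signal needs the format allowlist and is best combined with per-process write-rate and canary-file checks rather than used alone.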