Feds offer $10m reward for info on alleged Russian ransomware crim

Infecting cops' computers is one way to put a target on your back

The Feds have sanctioned a Russian national accused of using LockBit, Babuk, and Hive ransomware to extort a law enforcement agency and nonprofit healthcare organization in New Jersey, and the Metropolitan Police Department in Washington DC, among "numerous" other victim organizations in the US and globally.

According to indictments unsealed on Tuesday, US grand juries have charged Mikhail Pavlovich Matveev with conspiring to transmit ransom demands, conspiring to damage protected computers, and intentionally damaging protected computers. If convicted, he faces 20-plus years in prison. 

First, however, he has to be located and then extradited to America. To this end, the US Department of State will pay up to $10 million for information leading to his arrest or conviction.

"From Russia and hiding behind multiple aliases, Matveev is alleged to have used these ransomware strains to encrypt and hold hostage for ransom the data of numerous victims, including hospitals, schools, nonprofits, and law enforcement agencies, like the Metropolitan Police Department in Washington, DC," US Attorney Philip Sellinger said in a statement.

Matveev has also been linked to a ransomware intrusion against a US airline, according to the US Treasury Department, which today added Matveev to its list of sanctioned individuals.

This prohibits US residents and organizations from doing business with Matveev or any other so-called "blocked persons" — and it also means that paying ransom demands to listed individuals or organizations could count as breaking US laws [PDF].

Matveev and other members of the LockBit, Babuk, and Hive ransomware gangs have attacked at least 2,800 victims globally and demanded payments of around $400 million, according to court documents. They made more than $200 million in this way, we're told.

Infecting law enforcement with LockBit and Babuk

In June 2020, Matveev and crew allegedly deployed LockBit ransomware against a law enforcement agency in Passaic County, New Jersey, according to one of the two indictments [PDF]. 

This same group of miscreants also allegedly used LockBit to infect computers at businesses in Johnson County, Kansas; Dakota County, Minnesota; Alameda County, California; and Boulder County, Colorado between June and September 2020, the New Jersey court documents say.

Meanwhile, between December 2020 and September 2021, Matveev and his co-conspirators allegedly used Babuk ransomware to extort money from victims in Turin, Italy; Hillsborough County, New Hampshire; Washington County, Oregon; and DC's Metropolitan Police Department.

"As part of the ransomware attack, the MPD was threatened with disclosure of sensitive information unless payment was made," according to the second indictment [PDF].

"Data theft and extortion attempts by ransomware groups are corrosive, cynical attacks on key institutions and the good people behind them as they go about their business and serve the public," US Attorney Matthew M. Graves for the District of Columbia said in a statement. 

"Whether these criminals target law enforcement, other government agencies, or private companies like health care providers, we will use every tool at our disposal to prosecute and punish such offenses," Graves added.

The indictments and sanctions come amid US attempts to crack down on cybercrime gangs operating out of Russia.

In January, the FBI said it shut down the Hive ransomware network, seizing control of the notorious gang's servers and websites after a seven-month covert operation during which agents hacked the criminal group's network and used that access to provide decryption keys to more than 300 victims.

A month later, the US and UK sanctioned seven Russians for their alleged roles in disseminating Conti and Ryuk ransomware and the Trickbot banking trojan.

And just last week, the FBI said it cut off a network of Kremlin-controlled computers used to spread the Snake malware which, according to the Feds, has been used by Russia's FSB to steal sensitive documents from NATO members for almost two decades. ®
