The Russian Matrix: Revealing the Operations of Wazawaka and its Cyber Extortion Gang

Cybersecurity researchers have revealed the inner workings of a ransomware operation led by Mikhail Pavlovich Matveev, a Russian citizen who was indicted by the U.S. government earlier this year on accusations of launching thousands of attacks around the world.

Matveev, who now lives in St. Petersburg and is also known as Wazawaka, m1x, Boriselcin, Uhodiransomwar, Orange, and waza, is said to have been involved with LockBit and Babuk and to have played a key role in the development and deployment of Hive ransomware variants.

"Wazawaka and his team members displayed a greed for extortion payments and demonstrated a profound disregard for ethical values in their network operations," Swiss cybersecurity company PRODAFT said in a comprehensive analysis shared with The Hacker News.

“Their use of tactics such as intimidation into leaking sensitive files, engaging in dishonest conduct, and insisting on retaining files even after victims comply with extortion payments exemplify the ethical vacuum that pervades the behavior of traditional ransomware gangs.”

PRODAFT's findings were compiled by intercepting thousands of communication logs between various threat actors related to various ransomware variants between April and December 2023.

Matveev reportedly led a team of six penetration testers (777, bobr.kurwa, krbtgt, shokoladniy_zayac, WhyNot, and dushnila) to carry out the attacks. The group uses a flat organizational structure to promote better collaboration among members.

"Each member contributes resources and expertise as needed, demonstrating remarkable flexibility and adaptability in adapting to new scenarios and situations," PRODAFT said.

In addition to serving as an affiliate of Conti, LockBit, Hive, Monti, Trigona, and NoEscape, Matveev also held a management role in the Babuk ransomware gang until early 2022, while sharing what he described as a "sophisticated relationship" with another actor named Dudka. Dudka is probably the developer behind Babuk and Monti.

The attacks launched by Matveev and his team involved using Zoominfo and services such as Censys, Shodan, and FOFA to collect information about their victims, relying on known security vulnerabilities and initial access brokers to gain a foothold, and using a mix of custom and off-the-shelf tools to brute-force VPN accounts, escalate privileges, and streamline their campaigns.

"After gaining initial access, Wazawaka and his team primarily used PowerShell commands to execute their preferred remote monitoring and management (RMM) tool. In particular, MeshCentral is the team's unique toolkit that often serves as the open source software of choice for their various operations."
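For defenders, the PowerShell-to-RMM pattern described above can be hunted in process-creation telemetry. The following is an added detection sketch, not code from PRODAFT or the original article; the event field names are modeled on Sysmon Event ID 1, and the `meshagent` name pattern, host names, paths, and sample events are assumptions constructed for illustration.

```python
import base64
import re

# Assumption: the MeshCentral agent shows up as "meshagent" in paths or command lines.
RMM = re.compile(r"meshagent|meshcentral", re.I)
# PowerShell accepts any unambiguous prefix of -EncodedCommand (-e, -enc, ...).
ENC = re.compile(r"-e[a-z]*\s+([A-Za-z0-9+/=]{16,})", re.I)

def expand(cmdline):
    """Append the decoded -EncodedCommand payload (UTF-16LE base64), if any."""
    m = ENC.search(cmdline)
    if not m:
        return cmdline
    try:
        return cmdline + " " + base64.b64decode(m.group(1)).decode("utf-16-le")
    except ValueError:  # bad base64 or odd-length UTF-16: keep the raw line
        return cmdline

def is_powershell(path):
    return path.lower().rsplit("\\", 1)[-1] in ("powershell.exe", "pwsh.exe")

def find_rmm_launches(events, sanctioned_hosts=frozenset()):
    """Return (host, image) for PowerShell-driven RMM agent launches."""
    hits = []
    for ev in events:
        if ev["Computer"] in sanctioned_hosts:
            continue  # hosts where IT legitimately runs the agent
        spawned = is_powershell(ev["ParentImage"]) and RMM.search(ev["Image"])
        referenced = is_powershell(ev["Image"]) and RMM.search(expand(ev["CommandLine"]))
        if spawned or referenced:
            hits.append((ev["Computer"], ev["Image"]))
    return hits

# Constructed sample events (field names follow Sysmon Event ID 1); not real telemetry.
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
AGENT = r"C:\ProgramData\meshagent.exe"
B64 = base64.b64encode(f"Start-Process {AGENT}".encode("utf-16-le")).decode()
SAMPLE = [
    {"Computer": "WS-014", "ParentImage": PS, "Image": AGENT, "CommandLine": AGENT},
    {"Computer": "WS-022", "ParentImage": r"C:\Windows\System32\cmd.exe", "Image": PS,
     "CommandLine": f"{PS} -NoP -enc {B64}"},
    {"Computer": "IT-ADMIN-01", "ParentImage": PS, "Image": AGENT, "CommandLine": AGENT},
    {"Computer": "WS-030", "ParentImage": r"C:\Windows\explorer.exe", "Image": PS,
     "CommandLine": f"{PS} -ExecutionPolicy Bypass -File C:\\Scripts\\inventory.ps1"},
]

if __name__ == "__main__":
    for host, image in find_rmm_launches(SAMPLE, sanctioned_hosts={"IT-ADMIN-01"}):
        print(f"ALERT {host}: PowerShell-driven RMM launch via {image}")
```

Because MeshCentral is legitimate open source software, the `sanctioned_hosts` allowlist matters: the signal is the agent appearing on machines where IT never deployed it.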

PRODAFT's analysis further uncovered ties between Matveev and Evgeniy Mikhailovich Bogachev, a Russian citizen linked to the GameOver Zeus botnet that was dismantled in 2014 and the development of Evil Corp.

Notably, the Babuk ransomware operation was renamed in 2021 to PayloadBIN, which is linked to Evil Corp, in an apparent attempt to circumvent U.S. sanctions imposed on it in December 2019.

"This technical connection, combined with Wazawaka's known relationship with notorious cybercriminal Bogachev, suggests a deeper connection between Wazawaka, Bogachev and Evil Corp's operations," PRODAFT said.

Original article by Chief Security Officer, if reproduced, please credit https://www.cncso.com/en/how-a-russian-hacker-built-a-ransomware-empire.html
