The Feds have sanctioned a Russian national accused of using LockBit, Babuk, and Hive ransomware to extort a law enforcement agency and nonprofit healthcare organization in New Jersey, and the Metropolitan Police Department in Washington DC, among “numerous” other victim organizations in the US and globally.

According to indictments unsealed on Tuesday, US grand juries have charged Mikhail Pavlovich Matveev with conspiring to transmit ransom demands, conspiring to damage protected computers, and intentionally damaging protected computers. If convicted, he faces 20-plus years in prison. 

First, however, he has to be located, and then extradited to America. To this end the US Department of State will pay up to $10 million for information leading to his arrest or conviction.  

“From Russia and hiding behind multiple aliases, Matveev is alleged to have used these ransomware strains to encrypt and hold hostage for ransom the data of numerous victims, including hospitals, schools, nonprofits, and law enforcement agencies, like the Metropolitan Police Department in Washington, DC,” US Attorney Philip Sellinger said in a statement. 

Matveez has also been linked to a ransomware intrusion against a US airline, according to the US Treasury Department, which today added Matveez to its list of sanctioned individuals. 

This prohibits US residents and organizations from doing business with Matveez or any other so-called “blocked persons” — and it also means that paying ransom demands to listed individuals or organizations could count as breaking US laws [PDF].

Matveez and other members of the LockBit, Babuk, and Hive ransomware gangs have attacked at least 2,800 victims globally, and demanded payments of around $400 million, according to court documents. They made more than $200 million in this way, we’re told.

Infecting law enforcement with LockBit and Babuk

In June 2020, Matveev and crew allegedly deployed LockBit ransomware against a law enforcement agency in Passaic County, New Jersey, according to one of the two indictments [PDF]. 

This same group of miscreants also allegedly used LockBit to infect computers at businesses in Johnson County, Kansas; Dakota, Minnesota; Alameda County, California; and Boulder County, Colorado between June and September 2020, the New Jersey court documents say.

Meanwhile, between December 2020 and September 2021, Matveev and his co-conspirators allegedly used Babuk ransomware to extort money from victims in Turin, Italy; Hillsborough County, New Hampshire; Washington County, Oregon, and DC’s Metropolitan Police Department.

“As part of the ransomware attack, the MPD was threatened with disclosure of sensitive information unless payment was made,” according to the second indictment [PDF].

“Data theft and extortion attempts by ransomware groups are corrosive, cynical attacks on key institutions and the good people behind them as they go about their business and serve the public,” US Attorney Matthew M. Graves for the District of Columbia said in a statement. 

“Whether these criminals target law enforcement, other government agencies, or private companies like health care providers, we will use every tool at our disposal to prosecute and punish such offenses,” Graves added.

The indictments and sanctions come amid US attempts to crackdown on cybercrime gangs operating out of Russia.

In January, the FBI said it shut down the Hive’s ransomware network, seizing control of the notorious gang’s servers and websites, after a seven-month covert operation during which agents hacked the criminal group’s network and used that access to provide decryption keys for more than 300 victims.

A month later, the US and UK sanctioned seven Russians for their alleged roles in disseminating Conti and Ryuk ransomware and the Trickbot banking trojan.

And just last week, the FBI said it cut off a network of Kremlin-controlled computers used to spread the Snake malware which, according to the Feds, has been used by Russia’s FSB to steal sensitive documents from NATO members for almost two decades. ®