Full Report
In January 2022, KrebsOnSecurity identified a Russian man named Mikhail Matveev as "Wazawaka," a cybercriminal who was deeply involved in the formation and operation of multiple ransomware groups. The U.S. government indicted Matveev as a top ransomware purveyor a year later, offering $10 million for information leading to his arrest. Last week, the Russian government reportedly arrested Matveev and charged him with creating malware used to extort companies.
Analysis Summary
# Threat Actor: Mikhail Matveev (Wazawaka)
## Attribution & Identity
* **Identified Individual:** Mikhail Matveev, a 32-year-old Russian national.
* **Known Aliases:** "Wazawaka," "Boriselcin" (@ransomboris on X).
* **Known Associations:** Deeply involved in the formation and operation of multiple ransomware groups. He worked with at least three different ransomware gangs.
* **Status:** Indicted by the U.S. government; reportedly arrested by Russian authorities and charged with violating domestic laws regarding the creation and use of malicious software. He is reportedly out on bail pending trial in Russia.
## Activity Summary
Mikhail Matveev, identified as Wazawaka, was a prominent figure in the cybercrime underground, known for his openness on forums and social media. He was allegedly involved in ransomware operations that extorted hundreds of millions of dollars. He publicly acknowledged his moniker and engaged with security researchers after his identification in 2022. His primary professional focus was ransomware proliferation and network access brokerage.
## Tactics, Techniques & Procedures
* **Malware Development:** Charged by Russian authorities for creating malicious software used to extort companies.
* **Ransomware Operations:** Involved in the structure and operation of multiple ransomware groups.
* **Network Access Brokering (Implied):** Identified by KrebsOnSecurity in 2022 as a network access broker.
* **Financial Exploitation:** Allegedly stole cryptocurrencies from drug dealers on darknet narcotics bazaars.
* **Publicity/Taunting:** Published selfie videos on Twitter/X acknowledging his alias and reacting to identification; later posted an image of himself wearing a T-shirt featuring the US government's "Wanted" poster.
## Targeting
* **Sectors:** Companies, schools, hospitals, and government agencies (victims of the associated ransomware gangs).
* **Geography:** Targeting was international (companies, schools, hospitals), but Matveev claimed a personal mantra to avoid hacking or extorting Russian citizens or companies ("Don’t shit where you live, travel local, and don’t go abroad").
* **Victims:** Specific organizations are not detailed, only the general victim pool served by the ransomware gangs he supported.
## Tools & Infrastructure
* **Malware Families Used:** Associated with multiple unnamed ransomware gangs.
* **Infrastructure (C2, domains, IPs):** Not explicitly detailed in terms of C2 infrastructure, only that he managed cryptocurrency holdings and operated on cybercrime forums like Exploit.
## Implications
Matveev's arrest by Russian authorities, despite his history of avoiding domestic targets, is unusual and may signal a shift in Russian law enforcement priorities or, as speculated by Intel 471, could be related to local extortion ("shakedown") or demands for paying "dues" to organized elements. His potential cooperation or continued access to his funds/operations post-bail raises questions about the long-term impact on the ransomware ecosystem. The general consensus among analysts is that this singular arrest may not signify meaningful overall progress against the broader ransomware threat landscape.
## Mitigations
* **Monitoring Actors on Cybercrime Forums:** Actors like Wazawaka utilize public platforms for recruitment and boasting, offering intelligence opportunities before large-scale operations.
* **Tracking Cryptocurrency Movements:** His large cryptocurrency holdings suggest that monitoring significant wallets associated with known actors may reveal illicit gains.
* **Understanding Threat Actor Posturing:** Note the cultural adherence to "Do not target domestic entities," which helps predict the geographic scope of operations for actors based in or operating from that region.