Wazawaka & Co.
New Report Provides a Glimpse into the Stormy World of Russian Cybercrime Communities
One of the FBI’s most wanted cybercriminals, Mikhail Matveev, a.k.a. Wazawaka, has played a major role in the Babuk ransomware enterprise and other Russia-origin criminal activity. A new report by cybersecurity company Prodaft offers a fascinating glimpse into his relationships with other well-known hackers and casts new light on the complex Russian cybercriminal community. In addition, while politics is not the focus of this report, it offers additional clues to flesh out his relationship with the Russian state, the topic of the next Natto Thoughts report.
FBI Wanted poster for Mikhail Pavlovich Matveev https://www.fbi.gov/wanted/cyber/mikhail-pavlovich-matveev/download.pdf
“I Declare War on the USA!”
It was January 2022. The world watched in horror as Russia massed its forces on the border with Ukraine. Cybersecurity professionals watched with cautious interest as Russian law enforcement on January 14 announced the arrest of a dozen hackers associated with the REvil ransomware group—supposedly identified through cooperation with US law enforcement. Would the cyber threat from Russia ease? Apparently not: wiper malware paralyzed multiple Ukrainian government computer systems on January 13, and dumps of stolen Ukrainian government information soon appeared on online underground discussion forums. Although some Russian cybercriminals were confused and frightened by the arrest of their REvil counterparts, other Russian cybercriminals still roamed free.
One of those cybercriminals at liberty was Mikhail Pavlovich Matveev. On January 12, 2022, US-based cybersecurity researcher Brian Krebs publicly identified Matveev as the person behind the nickname “Wazawaka,” a famous part of the Russian cybercrime community. On January 25, a Twitter account apparently belonging to Matveev tweeted several dramatic videos. Brian Krebs posted one of these on February 14. Showing a left hand that was missing a finger—as if to prove that he was indeed Wazawaka—the man ranted against cybersecurity researchers. He threatened to leak a zero-day exploit, referring to code that can exploit a vulnerability in software and that has not previously been publicized and patched. And he said, “I declare war on the USA” (min 0:13 of the “Wazawaka responds” video in Brian Krebs’ posting).
On May 16, 2023, the US Justice Department unsealed several indictments originally issued December 6-8, 2022, based on cooperation with numerous international partners. On the same day, the US Treasury Department announced sanctions against Matveev, and the State Department offered a $10 million reward for information leading to his arrest. They accused Matveev, a.k.a. m1x, Boriselcin, or Uhodiransomwar, of transmitting ransom demands in connection with the ransomware variants LockBit, Babuk, and Hive. In particular, “on April 26, 2021, Matveev and his Babuk co-conspirators allegedly deployed Babuk ransomware against the Metropolitan Police Department in Washington, D.C., and then threatened to disclose sensitive information to the public unless a payment was made.”
Taking advantage of the publicity, Matveev has held interviews with Recorded Future in August 2022 and again in May 2023, soon after this indictment was unsealed, and with TechCrunch in September 2023 and October 2023. Matveev posts regularly on his Twitter feed (https://twitter[.]com/ransomboris), gleefully posting links to the latest cybersecurity researchers’ reports on him and posting a photo of a t-shirt with his FBI wanted poster printed on it.
New Report Casts Light on Matveev’s World
In his interviews Matveev claimed to have played a minor role in ransomware activity. However, a December 2023 report by Netherlands-based cybersecurity company Prodaft says otherwise. The new report, “Smoke and Mirrors: Understanding The Workings of Wazawaka,” offers a fascinating glimpse into his relationships, particularly with the other people in the Babuk group, as well as with other well-known Russian hackers.
Prodaft, which says its name means “Proactive Defense Against Future Threats,” says it has “been mastering the art of cyber threat anticipation for over a decade.” Originally based in Turkey, it now has its headquarters in the Hague and offices in Switzerland and in Istanbul. It is a partner of Europol’s Advisory Group on Internet Security.
Prodaft’s new report draws on the types of sources that many researchers use, such as postings on underground forums. But it also draws heavily on what it describes in the report as “intercepted communications.” This interception was presumably in real time during the research for the project, which ran from April 1 to December 5, 2023. The content of the conversations indeed appeared to place them in mid-2023.
Prodaft’s techniques, judging from the public versions of other Prodaft reports on the ransomware groups Lockbit and TA505, are to gain access to the control servers and panels that ransomware administrators use to manage the ransomware-as-a-service business. Prodaft can also plant “deep sensors” to “capture, interrupt, and react to information traffic between the cybercriminals in secret and public communication channels,” according to a recent report on the Conti group.
While Matveev claimed to be a peripheral actor in ransomware operations, Prodaft found him to be “the leader of a sophisticated cybercriminal team,” who plays “a pivotal role in orchestrating and guiding the group’s operations,” providing further evidence of “his prominence in the ransomware ecosystem.” They add, “Managing six skilled pentesters [penetration testers], namely 777, bobr.kurwa, krbtgt, shokoladniy_zayac, WhyNot, and dushnila, Wazawaka orchestrates a well-coordinated effort to execute ransomware attacks. What sets his team structure apart is the principle of egalitarianism....”
The report includes a helpful timeline of Matveev’s involvement with various ransomware groups (Figure 28), including the following:
he operated and managed the Babuk group from mid-2020 through the beginning of 2022 (including some name changes and rebrands such as “Groove” and “Payload Bin”);
he managed the Monti ransomware operation through most of 2023;
he collaborated with RagnarLocker actors in mid-2023;
and he worked as an affiliate of the Lockbit, Conti, Hive, NoEscape and Trigona ransomware operations for various time spans.
Timeline of Wazawaka’s associations, from “Smoke and Mirrors: Understanding The Workings of Wazawaka” by Prodaft. Used by permission.
Not on this timeline, but prominently featured in the text, is Wazawaka’s leadership of the RAMP ransomware forum.
Prodaft’s list of nicknames for Matveev differs slightly from lists other researchers have provided. They say he uses the names “Wazawaka, boriselcin, [redacted], and Orange in public forums and solitaire, gas, [and] [redacted] monikers within private environments,” where “private” appears to refer to closed forums or other chat environments.
This differs somewhat from the US Justice and State Department documents, which list the nicknames m1x, Boriselcin, and Uhodiransomwar. Brian Krebs mentioned additional names Matveev used in email or social media accounts — TetyaSluha, Teresa_Cox, and Biba99 — and cited a list from Intel471 that added some more: Alfredpetr, andry1976, arestedByFbi, boriselcin, donaldo, ebanatv2, futurama, gotowork, m0sad, m1x, Ment0s, ment0s, Ment0s, Mixalen, mrbotnet, Orange, posholnarabotu, popalvprosak, TetyaSluha, uhodiransomwar, and 999. Some reports have also identified Wazawaka with the persona UNC1756, who claimed credit for crippling the entire country of Costa Rica in 2021. Prodaft’s public nickname list does not include UNC1756; however, they do cite Matveev as taking credit for the Costa Rica attacks. (More on this in a future posting).
Prodaft’s report provides a fascinating glimpse into these hackers as people, as well as further elucidating their modus operandi. The report’s main findings stress the threat actors’ lack of ethics and their stormy relationships with other cybercriminal groups: The authors write, “Wazawaka and his team members prominently exhibit an insatiable greed for ransom payments.... they exemplify the ethical void prevalent in the practices of traditional ransomware groups.... threat actors adeptly manipulate IT administrators. ... IT leaders and staff cannot trust ransomware operators under any circumstances.” They warn that victims of ransomware should not pay the ransoms because deceitful ransomware operators may not honor their promises to restore bricked systems. At the same time, their research finds “significant distrust” among threat actor groups, which cybersecurity and law enforcement personnel may be able to exploit against the cybercrime community.
The Prodaft report details Wazawaka’s methods, including techniques for reconnaissance, initial access, execution, and so forth. The report also warns that Wazawaka’s team can skillfully turn employees of target organizations into insider threats. For example, they cite one conversation with an IT administrator of a UK-based educational institution, in which the IT administrator expressed a fear of getting into trouble for having overlooked the threat; the threat actors promised to exaggerate the capabilities of their ransomware to give the IT administrator an excuse. This incident points not only to the risk of insider threats but also to the possibility that employees of victim companies could collude with the threat actors to exaggerate the severity of a ransomware incident.
Stormy Cybercriminal Community
Prodaft guides the reader through the immensely complex relationships in the Russian-language cyber underground: shifting business partnerships and betrayals; fears over whether Matveev’s successor as RAMP forum administrator was really a police stooge; Matveev’s associate Dudka’s claim that the Donut Leaks ransomware team had cheated him; and the blowback after another acquaintance, “Bassterlord,” publicly released a ransomware how-to guide.
Matveev consorted with famous names in the Russian cyber underground. He was proud to be added to the “honor board” – the FBI Most Wanted list – alongside one of the original names on that list, Yevgeniy Bogachev, the creator of the Zeus malware, who also reportedly spied for Russia’s intelligence services. “But now they pay more for me than for him,” he said, referring to the $10 million reward offered for Matveev compared to the $3 million reward the FBI offered for Bogachev. Matveev said he had contacted Bogachev to ask how one could survive not being able to travel outside Russia. Matveev gossiped that his friend “Bassterlord”—a man whom other cybercriminals criticized for rashly publicizing his ransomware how-to manual—was also star-struck by Bogachev. (For more on Bassterlord and the manual see postings by Analyst1, Recorded Future, and Prodaft themselves).
The Prodaft authors also note that researchers have found a possible link between Babuk and the notorious cybercrime group EvilCorp, whose leaders had worked with the abovementioned Bogachev and also with Russia’s intelligence services. Researchers also found an EvilCorp malware had been rebranded as “PayloadBIN,” the name of a Babuk spinoff group, suggesting possible links between those groups in addition to the link through Bogachev.
In addition, Prodaft tentatively assesses a connection between the Wazawaka group and the infamous REvil (a.k.a. Sodinokibi) ransomware enterprise. As they point out, Dudka posted in April 2023 that a Wazawaka-led enterprise had “more than 10 experienced pentesters who had been actively involved since the era of REvil.” This suggests possible continuity of personnel between the defunct REvil group and Wazawaka’s group.
“We Will Play Him Like a Fiddle”: Matveev and Babuk Developer Dudka
One particular “deep and complex relationship” tied the Wazawaka team and a threat actor named Dudka, who “is likely responsible for developing the Babuk platform, releasing its source code publicly shortly before it ceased activity, and developing the Monti platform later that year.” Dudka went by the nicknames Garett (or Garrett) and Babuk.
The authors cite a September 21, 2023 conversation in an underground forum post, in which user “Vinki” says Wazawaka took credit for operations others had carried out. Vinki wrote, “That mongrel did not touch the inside of any network; Garett (i.e. Uncle with Cancer, i.e. Babuk) did it all, along with a few others (whose pseudonyms I will not share).” Vinki refers to Dudka as “Uncle with Cancer” (Дядька с раком), likely because Dudka used an account named “dyadka0220” that leaked the source code for the Babuk ransomware on September 3, 2021 and claimed to be dying of cancer. (Some researchers spell his name “Dydka”).
Judging from Matveev’s conversations with his team members, Matveev’s relationship with Dudka ranged from cajoling him along (“get him moving while he’s in a good mood”) to advising him to stay in Russia to avoid arrest (Figure 17), to considering whether to drop his services, to opining that he should get psychiatric treatment, to gossiping about Dudka’s visits to a fortune-teller.
At the same time, he seems to want to exploit Dudka, Prodaft points out. In a thought-provoking analysis drawing on nuances of language, the authors highlight a message (Figure 21) where Matveev, using the username solitaire, says, “We’ll play on Dudka like the Iranians.” Prodaft points out that Matveev was engaging in word-play, as Dudka’s name means “flute.” They note the resemblance to a Russian phrase Плясать под (чью-то) дудку, which means “dancing to someone’s tune.” However, as in many cybersecurity reports, the Prodaft authors did not provide the Russian original for most of the messages they cite. On request, they provided the Russian original phrase, which was будем на дудке играть как иранцы. Another way to translate the phrase, using a slightly different musical theme and preserving the lower-case letter in the original Russian, could be “we will play dudka like a fiddle, just as the Iranians do.”
More Clues in Original Russian Texts
Including the original Russian-language source text would enrich the report for Russian-speaking readers. Best of all would be to include both original and translated texts, as Prodaft did in Figure 39.
Wazawaka a Police Stooge?
In at least one case where they did show the Russian original, it provides additional nuance. This is the aforementioned September 21, 2023 forum posting where user “Vinki” disparages Wazawaka. The Prodaft authors deftly summarize Vinki’s critique, noting, “since 2021 or earlier, he has been offering his services to others while operating in the shadows.” However, the original Russian text is more specific: Vinki says “since ’21 (if not earlier) he has been under the supervision of the police (под мусорами сидит) and offers these ‘services’ to others.” The term мусор, literally “trash,” is a slang nickname for law enforcement (see the prison-slang glossary at https://vturme.info/kratkij-tjuremnyj-glossarij/). In light of the “significant distrust” Prodaft found among threat actor groups, it is not unusual for criminals to suspect each other of secretly working for the police. However, we should at least consider seriously the possibility that Matveev really was a police stooge. That would, among other things, explain why Matveev was living openly and not under arrest in Russia. In addition, some of the nicknames Matveev used – Ment0s, ment0s – contain the word “ment,” which in Russian is another nickname for police. If he chose those nicknames because of this similarity, he would seem to be mocking the police (“ment-zero”), just as another of his reported nicknames, “arestedByFbi,” appears to mock the FBI. The fact that Matveev continues to boast of having an FBI price on his head suggests that he has high-level protection in Russia.
In the next posting, the Natto Team will address the political side of Matveev to complement Prodaft’s excellent portrayal of his other sides.
Stray Thoughts
A few random observations and questions remain in the mind of the Natto Team after reading this report. These may provide fruit for future research.
They call each other “Uncle”: Members of Matveev’s team call each other “uncle” in several different conversations (Figures 18, 23, 54). They are using the Russian word dyadka (дядька) – similar to Dudka’s nickname dyadka0220. Dyadka is a diminutive version of the more neutral word for Uncle, дядя. Calling each other that name could be a sign of respectful familiarity. Historically, the word could be used for a tutor, chaperone or drill master. They may also have had in mind “The Man from U.N.C.L.E.” Reviewers referred to a 2015 film adaptation, in which the law enforcement agents from UNCLE fight against a criminal organization called THRUSH, as “the Uncles against the Thrushes” (Дядьки против Дроздов).
Why “we’ll play on Dudka like the Iranians”? Does this phrase, discussed above, indicate an undiscovered relationship with Iranian cyber threat actors? Does it mean that Wazawaka has some Iranians under his control or that Iranians have Dudka under their control? Does it have a political meaning or not? The message has the word “Iranians” in the nominative case, which is used for the subject of a sentence rather than the object. Assuming Matveev was not making a hasty grammatical error, it suggests the Iranians played Dudka, rather than the other way around. On the other hand, it might simply refer to the fact that Iranians have an instrument similar to the Russian dudka.
Updated February 16 to correct the list of Prodaft office locations: it has its headquarters in the Hague and offices in Switzerland and in Istanbul.
Ment0s = Mentos, a mint-flavoured candy popular in Russia.
The Iranian reference, too, is reaching out a bit. He was just expressing that they would play / manipulate their team member.
I have a great chat session with him from back in the day.....