Treasury’s Sanctions Strike at Key Russian Ransomware Figure

The U.S. Department of the Treasury on Tuesday sanctioned Mikhail Matveev, a key figure in the Russian cybercrime world. In conjunction with a newly unsealed federal indictment of Mateev and a $10 million reward offer from the State Department under the Transnational Organized Crime Rewards Program, the sanctions will likely undercut the effectiveness of some of the most prolific ransomware groups.

Treasury revealed that Matveev, also known by aliases such as Broriscelcin, Wazawaka, mlx, and Uhodiransomwar, played a pivotal role in the development and implementation of the Hive, LockBit, and Babuk ransomware strains. The targets of these schemes ranged from critical infrastructure to hospitals, resulting in the theft of personal information along with millions of dollars.

By imposing sanctions on Matveev and intensifying efforts to apprehend him, Treasury will significantly curtail his capacity to collaborate on future cyber-extortion schemes. The sanctions impose limitations on the interactions of targeted individuals and entities with formal financial systems, while an indictment restricts their freedom of travel. At the same time, these actions increase the risk to other malicious actors if they include Matveev in their projects. By marginalizing a figure whose expertise facilitated attacks by multiple groups, U.S. action against Mateev may have a broad impact on cybercrime.  

Matveev has publicly admitted his participation in criminal schemes, claiming in 2021 that he was responsible for an attack targeting the Washington, DC, Metropolitan Police Department and was central to the operations of the Babuk ransomware gang. In an interview, Matveev even went so far as to reveal valuable intelligence on how he identifies new targets, highlighting that his preferred point of entry to networks is remote code execution, which allows attackers to run code even without having physical access to a network.

Since 2021, the Biden administration has launched multiple initiatives to combat ransomware attacks against the United States, its allies, and its partners. These include establishing the global Counter-Ransomware Initiative to facilitate information sharing, launching the Stop Ransomware website to provide training resources to both private and public organizations, and implementing the Cybersecurity and Infrastructure Security Agency’s Ransomware Vulnerability Warning Pilot. Despite these initiatives, experts, such as Jackie Burns Koven, head of cyber threat intelligence at the cryptocurrency analysis firm Chainalysis, have speculated that 2023 could potentially be the “highest grossing year in ransomware yet.”

Given the scale of the ransomware problem, the Biden administration needs to do more. Two years ago, the Ransomware Task Force, a coalition of industry, government, and policy experts, issued a detailed framework for action with dozens of recommendations on how to strengthen potential targets’ resilience against ransomware, punish attackers, and reduce ransomware profits. The group did not come out in favor of banning ransomware payments altogether, instead urging organizations to consider alternatives — such as restoration of data and systems — before sending a payment to attackers. The U.S. government can further help to discourage premature payments by providing increased financial and technical support — for example, by setting up a ransomware response fund — for victims that adheres to National Institute of Standards and Technology cybersecurity guidelines so that they can more easily resist extortion from cyber criminals.

Logan Weber is a research analyst at the Foundation for Defense of Democracy’s (FDD’s) Center on Cyber and Technology Innovation, where he works on issues related to cyber-enabled economic warfare, public-private collaboration, cyber resilience, and emerging technologies. Follow FDD on Twitter @FDD. FDD is a Washington, DC-based, non-partisan research institute focusing on national security and foreign policy.