{
	"id": "bcb9c299-e57e-49b9-8784-76459bdfbf79",
	"created_at": "2026-04-06T00:16:52.300506Z",
	"updated_at": "2026-04-10T03:23:52.277908Z",
	"deleted_at": null,
	"sha1_hash": "69fb6527f2c38be1f6af4122ea6e405c105902cd",
	"title": "Russia arrests cybercriminal Wazawaka for ties with ransomware gangs",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 4626350,
	"plain_text": "Russia arrests cybercriminal Wazawaka for ties with ransomware gangs\r\nBy Sergiu Gatlan\r\nPublished: 2024-11-29 · Archived: 2026-04-05 22:09:27 UTC\r\nRussian law enforcement has arrested and indicted notorious ransomware affiliate Mikhail Pavlovich Matveev (also known\r\nas Wazawaka, Uhodiransomwar, m1x, and Boriselcin) for developing malware and his involvement in several hacking\r\ngroups.\r\nWhile the prosecutor's office has yet to release any details on the individual's identity (described as a \"programmer\" in court\r\ndocuments), the individual is Matveev, according to an anonymous source of the Russian state-owned news agency RIA\r\nNovosti.\r\n\"At present, the investigator has collected sufficient evidence, the criminal case with the indictment signed by the prosecutor\r\nhas been sent to the Central District Court of the city of Kaliningrad for consideration on the merits,\" the Russian Ministry\r\nof Internal Affairs said in a statement.\r\nhttps://www.bleepingcomputer.com/news/security/russia-arrests-cybercriminal-wazawaka-for-ties-with-ransomware-gangs/\r\nPage 1 of 4\n\n0:00\r\nhttps://www.bleepingcomputer.com/news/security/russia-arrests-cybercriminal-wazawaka-for-ties-with-ransomware-gangs/\r\nPage 2 of 4\n\nVisit Advertiser websiteGO TO PAGE\r\nAs first spotted by cyber policy expert Oleg Shakirov, Matveev is accused of developing ransomware (described by the\r\nprosecutor's office notes as \"specialized malicious software\" that can encrypt files and data) that he planned to use for\r\nencrypting the data \"of commercial organizations in order to then receive a ransom from them for decryption.\"\r\nMikhail Matveev wanted poster (FBI)\r\nLast year, in May 2023, the U.S. 
Justice Department also filed charges against Matveev for his involvement in the Hive and\r\nLockBit ransomware operations that targeted victims across the United States.\r\nHe is also believed to be \"Orange,\" the original creator and admin of the Ramp hacking forum and the original admin of the\r\nBabuk ransomware operation. The latter split up after members couldn't decide whether to publish data stolen from the\r\nWashington DC Capital Police Force.\r\nA Justice Department press release and unsealed indictments in New Jersey and the District of Columbia provide an\r\napproximate timeline of his activity while working with the three ransomware gangs:\r\nIn June 2020, Matveev and LockBit coconspirators allegedly deployed LockBit ransomware on the network of a law\r\nenforcement agency in Passaic County, New Jersey.\r\nIn April 2021, the defendant and Babuk ransomware coconspirators allegedly deployed malicious payloads on the\r\nsystems of the Metropolitan Police Department in Washington, D.C.\r\nIn May 2022, Matveev and Hive ransomware gang members allegedly encrypted the systems of a nonprofit\r\nbehavioral healthcare organization headquartered in Mercer County, New Jersey.\r\nMatveev was also sanctioned by the Department of the Treasury's Office of Foreign Assets Control (OFAC) for launching\r\ncyberattacks against U.S. entities, including U.S. law enforcement and critical infrastructure organizations.\r\nThe U.S. Department of State is also offering a reward of up to $10 million for any information that could lead to his arrest\r\nor conviction for transnational organized crime.\r\nMatveev has had a very vocal online presence. He frequently talked with cybersecurity researchers and professionals and\r\nopenly discussed his cybercrime activity using his (still active) Twitter account, RansomBoris.\r\nAfter being sanctioned by the U.S., Matveev openly taunted U.S. 
law enforcement, tweeting a picture of his wanted poster\r\non a t-shirt.\r\nSource: https://www.bleepingcomputer.com/news/security/russia-arrests-cybercriminal-wazawaka-for-ties-with-ransomware-gangs/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"references": [
		"https://www.bleepingcomputer.com/news/security/russia-arrests-cybercriminal-wazawaka-for-ties-with-ransomware-gangs/"
	],
	"report_names": [
		"russia-arrests-cybercriminal-wazawaka-for-ties-with-ransomware-gangs"
	],
	"threat_actors": [
		{
			"id": "d90307b6-14a9-4d0b-9156-89e453d6eb13",
			"created_at": "2022-10-25T16:07:23.773944Z",
			"updated_at": "2026-04-10T02:00:04.746188Z",
			"deleted_at": null,
			"main_name": "Lead",
			"aliases": [
				"Casper",
				"TG-3279"
			],
			"source_name": "ETDA:Lead",
			"tools": [
				"Agentemis",
				"BleDoor",
				"Cobalt Strike",
				"CobaltStrike",
				"RbDoor",
				"RibDoor",
				"Winnti",
				"cobeacon"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434612,
	"ts_updated_at": 1775791432,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/69fb6527f2c38be1f6af4122ea6e405c105902cd.pdf",
		"text": "https://archive.orkl.eu/69fb6527f2c38be1f6af4122ea6e405c105902cd.txt",
		"img": "https://archive.orkl.eu/69fb6527f2c38be1f6af4122ea6e405c105902cd.jpg"
	}
}