Cybersecurity researchers have delved into the intricate workings of the ransomware operation orchestrated by Mikhail Pavlovich Matveev, a Russian national indicted by the U.S. government earlier this year for his alleged involvement in orchestrating numerous global cyberattacks.
Matveev, known by various aliases such as Wazawaka, m1x, Boriselcin, Uhodiransomwar, Orange, and waza, is accused of playing a pivotal role in developing and deploying LockBit, Babuk, and Hive ransomware variants since at least June 2020.
Swiss cybersecurity firm PRODAFT conducted an extensive analysis, drawing on data collected between April and December 2023 by intercepting communication logs among various threat actors linked to different ransomware variants.
Matveev leads a team of six penetration testers—777, bobr.kurwa, krbtgt, shokoladniy_zayac, WhyNot, and dushnila—to execute attacks, showcasing a flat hierarchy for enhanced collaboration.
PRODAFT’s findings highlight the group’s unbridled pursuit of ransom payments: it employs intimidation tactics, engages in dishonest practices, and retains stolen files even after victims pay.
Matveev, an affiliate for Conti, LockBit, Hive, Trigona, and NoEscape, held a managerial role in the Babuk ransomware group until early 2022. He shares a “complex relationship” with Dudka, likely the developer behind Babuk and Monti.
The attacks orchestrated by Matveev’s team involve leveraging Zoominfo, Censys, Shodan, and FOFA to gather victim information, exploiting known security flaws, and employing initial access brokers. The group uses custom and off-the-shelf tools, including PowerShell commands, with MeshCentral standing out as their preferred open-source software.
PRODAFT’s analysis unveiled connections between Matveev and Evgeniy Mikhailovich Bogachev, associated with the GameOver Zeus botnet and Evil Corp. The Babuk ransomware rebranded as PayloadBIN in 2021, linked to Evil Corp, possibly to circumvent U.S. sanctions.
The technical associations and Matveev’s ties to Bogachev suggest deeper connections between Matveev, Bogachev, and the operations of Evil Corp, shedding light on the intricate web of cybercriminal networks.