US names alleged ringleader behind LockBit and Hive ransomware attacks and sets a $10 million bounty on him
The United States government has announced a $10 million reward for information leading to the capture of Mikhail Pavlovich Matveev, a Russian national believed to be the mastermind behind the LockBit and Hive ransomware attacks. Matveev, who is 30 years old, has been charged with intentionally damaging protected computers and conspiring to transmit ransom demands.
According to the Federal Bureau of Investigation (FBI), Matveev is associated with both Kaliningrad and St. Petersburg in Russia, where he is believed to reside. It is well known that cybercriminals operating in Russia often evade punishment as long as they avoid targeting the Russian government or organisations within the country. This "safe harbour" protection has attracted many ransomware groups to operate from Russia, since elsewhere they would fear arrest and extradition to countries with stronger law enforcement.
The Department of Justice (DoJ) has accused Matveev of deploying various ransomware strains, including LockBit, Hive and Babuk, to extort money from numerous organisations in the United States and abroad. One notable incident allegedly involving Matveev and other LockBit operators was the use of their ransomware against a law enforcement agency based in New Jersey in June 2020. Matveev has also been linked to a Babuk ransomware attack on the DC police department in 2021.
Assistant Attorney General Kenneth A. Polite, Jr. of the Justice Department's Criminal Division stated that Matveev, from his base in Russia, targeted critical infrastructure worldwide, including hospitals, government agencies, and organisations in various sectors. The international nature of these crimes calls for a coordinated response, and the US government is determined to hold the most egregious cybercriminals accountable.
The FBI has issued an official wanted notice for Matveev, listing several aliases he is known to use, such as 'Wazawaka', 'Boriscelcin', 'm1x' and 'Uhodiransomwar'. The FBI's Newark Field Office Cyber Crimes Task Force, in collaboration with European agencies like the UK's National Crime Agency, is leading the investigation into Matveev.
LockBit and Hive are notorious ransomware-as-a-service (RaaS) groups known for their double extortion tactics. The Babuk group, though believed to have retired, was involved in high-profile attacks, including one on Serco, an outsourcing firm for the UK's National Health Service (NHS), and earned up to $13 million in paid ransoms. The DoJ estimates that victims have collectively paid these three groups approximately $200 million in ransom.
LockBit gained attention recently for its attack on Royal Mail International, initially demanding an £81 million ($97 million) ransom. After negotiations, the group leaked 44 GB of the company's data and lowered the ransom to £33 million ($41 million). LockBit has targeted various organisations, including digital transformation company Orion Innovation and a Canadian children's hospital, where it issued an unusual apology and provided a free decryptor after a successful attack.
Hive, on the other hand, has been involved in several high-profile security incidents, including attacks on French telecommunications giant Altice, Indian energy leader Tata Power, and Costa Rican healthcare systems. In July 2022, Microsoft warned about Hive's new, more sophisticated variant, which incorporated the programming language Rust in its payload executable for improved memory safety and efficiency. While the FBI reported a takedown of Hive's ransomware operations in January, the impact was expected to be temporary.
The US government's reward for information leading to Matveev's arrest or conviction underscores its commitment to combatting cybercrime. Individuals with relevant information have been encouraged to provide tips to the FBI. The case is being handled by the FBI's Newark Field Office Cyber Crimes Task Force in coordination with several European agencies.