Is it really him?
“Wazawaka and members of his team clearly demonstrate an insatiable greed for ransom, showing a significant disregard for ethical values in their cyber operations,” Swiss cyber security firm PRODAFT said. Matveev, who lives in St. Petersburg and goes by the aliases Wazawaka, m1x, Boryseltsyn, Ukhodiransomvar, Orange, and waza, is believed to have played a critical role in the development and deployment of the LockBit, Babuk, and Hive ransomware variants in June 2020. “Using tactics that include intimidation by threatening to leak confidential files, engaging in dishonest practices, and obstinately retaining files even after the victim has agreed to pay the ransom, they illustrate the ethical void that prevails in the practices of traditional extortion groups.”
Matveev is reported to lead a team of six penetration testers who carry out the attacks: 777, bobr.kurwa, krbtgt, shokoladniy_zayac, WhyNot, and strangler. The group has a flat hierarchy, which promotes better cooperation between members. “Each person contributes resources and expertise as needed, demonstrating an amazing level of flexibility in adapting to new scenarios and situations,” said PRODAFT. Attacks orchestrated by Matveev and his team include using ZoomInfo and services such as Censys, Shodan and FOFA to gather information about victims, then relying on known security flaws and initial access brokers to gain a foothold from which to launch an attack. They also have tools for hacking VPN accounts, escalating privileges, and optimizing their campaigns.
“After gaining initial access, Wazawaka and his team first use PowerShell commands to launch Remote Monitoring and Management (RMM), which they prefer. In particular, MeshCentral stands out as a unique team toolkit that is often used as the best open source software for a variety of operations.” Zeus, which was liquidated in 2014, and Evil Corp.
It is worth noting that the Babuk extortion operation was renamed PayloadBIN in 2021, with the latter linked to Evil Corp, apparently in an attempt to circumvent the sanctions imposed on it by the US in December 2019. “This technical connection, combined with the known relationship between Wazawaka and notorious cybercriminal Bogachev, suggests deeper connections between Wazawaka, Bogachev and Evil Corp’s operations,” PRODAFT said.