Wazawaka reacted almost immediately to the deanonymization, publishing there are several videos on the accounts associated with it. In them, Matveev, actively using profanity, praised Krebs for the investigation and made it clear that he plans to continue attacking American companies, and also showed a tattoo below the elbow on his right hand and a missing ring finger on his left.
You come here to me, have a market with me. I declare war on the USA. And I want to say that you are all [люди нетрадиционной сексуальной ориентации]
Mikhail Matveev
Russian hacker
The partners tried to create a new Babuk blog since the Tor domain was mine. But I didn’t let them do it, and the affiliate program fell apart. Hacking the police department was the last straw in the collapse of this affiliate program, although many different situations led to this. For example, there was a huge bug in the decryptor for ESXi hypervisors [VMware ESXi — это гипервизор корпоративного класса, тип 1, разработанный VMware для развертывания и обслуживания виртуальных компьютеров]. He simply zeroed out the output from the disks, and we destroyed the data of at least two companies. We took money from them for the decryptor, but they were unable to decrypt their data. Basically, we fooled them.
DS: Then came the RAMP forum [примечание редактора: RAMP — криминальный подпольный форум, на котором операторы программ-вымогателей и их аффилированные лица рекламируют свою продукцию]. Why did you create it and why did you pass it on to others?
MM: I created a RAMP to use the Babuk onion domain. Fortunately, Babuk had a huge amount of traffic. And so the idea to create the RAMP forum was born. When the forum became popular, I realized that I didn’t want to do it, because it brings absolutely no profit. It only incurred costs. Persistent distributed denial of service (DDoS) attacks. It all came down to rewriting the engine from scratch and spending a lot of money on it.
Then some sketchy things began there, and everyone had to be checked. I thought to myself, God, why did I sign up for this? It was there on the forum that I met Kajit. I said to Kajit: “Hey, be a moderator, check everyone, and I will give you money.” That’s how the forum actually fell into the hands of Khajiit. After that, all sorts of problems happened in my life. I hit the bottle hard and didn’t have time for the forum at all, so I gave the forum to Khajiit. Then a series of strange events happened when they started writing affiliate programs for me. They said, “What the hell are you doing, animal? Screenshots of our panels have been leaked.” I was ashamed of the whole situation. I went to the forums and opened a private complaint against Kajit on behalf of Boris. At that time, we communicated very well with LockBit support. He seemed to me a normal guy, and I pulled him up in these negotiations. Khajiit said that he would not be banned and would not share the forum with anyone. Damage Forum Administrator [XSS] suggested to Kajit that he give the forum to someone else, and as far as I know, Stallman got it. The RAMP forum still exists, but I don’t go there, and I didn’t have much contact with Stallman.
DS: How often do people from different affiliate programs compete on the same network to extort money from victims? Have you had such situations?
MM: This happens frequently. Especially when several people own the exploit, or upload logs from the same traffic market when it comes to extracting initial access credentials using a stealer. I took some source codes, so-called proof-of-concept, from GitHub and modified them. If you remember, there was a known CVE for Fortinet VPN. Found at one programmer from the forum. Based on the list of IP addresses, we got approximately 48,000 entry points. I was very surprised then, really shocked. But we have not worked out even 3% of this list. Not enough time.
And when others – let’s say, our competitors – began to use this vulnerability, intersections began to cross the networks. I often went into networks already blocked by someone and did not touch them, because it was not my job to encrypt the second time, but some guys dispersed the networks. They go in and see that it’s encrypted, and to prevent anyone from getting it, they encrypted it again. There were cases when the guys and I just crossed paths during development, exchanged contacts and somehow discussed what to do next. We basically always agreed.
And it even happened that we then jointly did some other projects. This is happening all the time in the summer of 2022 because everyone is hungry for material. How can we get initial access? Actually, there are not many options. There are vulnerabilities such as RCE in various VPN device products, anything that can give access to the network. Or network access login from stealers. But basically now everyone is flooded with traffic exchanges and there is little unique traffic. And those who have it just for themselves or are already working in some teams, so it’s absolutely normal that there is a conflict of interest in the networks and now there will be even more of it.
DS: Tell me about some of the attacks that you especially remember. Which one was the fastest? How long did it take from the first penetration into the network to the receipt of payment?
MM: Dmitry, I would single out several such attacks… Yes, there were quite a few interesting ones. I would like to sum up before talking about the attacks. There are small networks, there are medium networks and there are very large networks. And let me tell you, it’s much easier to work with a $1 billion organization’s network than it is with a $9 million organization’s network. I’ll tell you why. There are many more computers that are easier to hide on and easier to navigate than a small network where you are limited. You must move very fast. And when I started my career, I started with BlueKeep, a vulnerability in Microsoft Remote Desktop. I was hacking five small networks a day because I had to go and do it right now. But as I progressed, the time I spent on hacks increased.
Let’s get started, shall we? My longest development… Everyone has probably heard of Capcom. I got there through Fortinet vulnerability. In fact, when I went there, I was a little surprised that everything there was in Japanese. There is no hierarchy, there is no division into departments, and everything is in a heap. I found a dead domain administrator. This is how the name Babuk appeared. Capcom had an admin Babak, or bamboo. And when I found this administrator, I realized that no one uses him, but he was of the corporate type.
In general, I described the attack on Capcom very well in Boris Yeltsin’s article “You think I won’t outplay you.” Well, there were a few interesting points that I missed that I would like to highlight in this interview. In those days, I had a very close conversation with the notorious “Unknown”, who told me to come to their group, and if I put a capp on them, he would connect me with some unreal mega people. And everything in my life will be “chiki bomboni” [прим. ред.: это дословный перевод — непонятно, что он имеет в виду]. But thank God, everything went wrong, because, probably, I would not be here now. I wouldn’t give you this interview. Their product at the time was terrible – GandCrab has a level. They didn’t want to do anything about it, and he told me personally, “They’re paying us anyway because they’re afraid.” Well, in those days it was. If you remember, lalartu, such a character who simply, without looking for a backup, without looking for everything in a row, launched a build on all networks and collected money. I myself saw his reports and panels, and I was surprised how a person can do this. Then almost everyone was paid, especially REvil. They had huge incomes.
Well, I explained to the notorious Unknown: “Here, dear man. You have some holes, some bugs in the product. Yes, I didn’t lock it up. [зашифровал], I kind of screwed up there. To which he promised to fix everything. I waited a long time, probably a month and a half passed from owning a domain controller to the very blocking. It was the longest attack ever. So, in fact, before I wanted to lock Capcom, I wrote to him again: “Well, is everything working?” He says: “Yes, yes, everything works.” And I made a build and tested it in a small network, as far as I remember. It was some kind of municipality, and at least they paid a penny, but I didn’t like it. I wrote to Unknown about my dissatisfaction.
Everything will be fine, he said, turn around. At the same time, I was in very close contact with one of Ragnar’s affiliates. He lived abroad. By the way, perhaps he is already in prison there, because he was definitely abroad. Well, we all somehow quickly talked and agreed, everyone at Capcom quickly done. Ah, the next morning Unknown texts me, like, what the fuck. I said bro, I’m sorry, no offense, I warned you. He got offended with me, blocked me and walked away, as a child would do when you take away a toy. The boys told me that he wants to find me in real life. Unknown loved to do it, loved to play hard and play bandits. They were too noisy, probably like me now, at a time when it was not necessary to be so noisy.
The fastest attack of my life happened as soon as I got ProxyLogon vulnerability. At that time, I had a programmer on a grant who was finalizing the exploit. One of the interesting networks was logistics company in the Netherlands. Large warehouse. very large warehouse. I got on a tour of the server. Here I immediately received domain administrator tokens. Well, these guys weren’t scared or worried at all. I remember I went there at 20:00 Moscow time, and around 4:00 Moscow time everything was already locked there. From 6 in the morning, the administrator wrote to us in a panic, to which I told him, bro, wait for the supervisor.
So let’s go step by step. Looking on the net, everything seems to be simple and clear. They have an admin domain for us. There was one password for everything, on hypervisors, on a backup server in a workgroup. After analyzing the network, I found a WIM backup system. I was able to get all the passwords out of it and thus got all the backups, although their backups were so bad. They just backed up to the NAS [сетевое хранилище]. I went to the NAS and formatted it. I went to ESXi, encrypted it, and there, about an hour later, he wrote to us.
Exactly at midnight, the admin wrote: “I want to resolve the issue.” I said that the issue could not be resolved because he was not the boss. In the morning I had to fly to another city. I remember sitting at the airport, the company writes to me: $ 2 million. Transfer of 2 million dollars. I have never had such an amount in my wallet. Of course, in such surprise and excitement, I get on the plane, realizing that I have a fucking laptop with 2 million dollars. Well, I gave them the transcripts, and when I arrived, I opened the chat. Damn, something is wrong there, they just yell: You destroyed the VMDK [VMDK — это формат файла, который описывает контейнеры для виртуальных жестких дисков, которые будут использоваться в виртуальных машинах, таких как VMware Workstation или VirtualBox]. I tried to figure it out and asked for VMDK samples. And they just weigh zero KB. Well, everyone is fucked up. Who had cancer. How so? He says: well, I don’t know, he says something is broken. And they asked for a refund. Well, we had no choice but to block them. We cheated them out of this money. I still blame myself for this. It was the fastest and most cost effective attack I have ever carried out.
DS: How do you access networks?
MM: I got everything from github. As they say, made of shit and sticks. The first interesting exploit was Fortinet, and then a very old vulnerability in the SharePoint application. Then there was SonicWall. In general, I always tried to get initial access with RCE [удаленное выполнение кода]. I’ve tried buying logs from the RedLine thieves. But the best entry point is given by RCE.
Unfortunately, Windows directories are arranged in such a way that, being inside directories, the network unfolds like dominoes. In fact, nothing complicated, Windows will help you. Fuck me dude. I spread my legs in front of you. I never bought anything. I will repeat once again. Everything was made of shit and sticks. Everything is earned just like that. All that is being described in the media is that we are a super extortionist group, super mega cool dudes, of which there are many. No, absolutely all ordinary guys, mostly working alone.
DS: How do you get ahead of the defenders? Or are they so slow that it doesn’t matter?
MM: Everything is very simple here. Cybersecurity specialists, none of them have ever been a real target. It’s like shooting at range with a gun. You seem to shoot and hit the target, but if you are given a machine gun and thrown onto the battlefield, then there will also be many factors that will prevent you from hitting the target – inner fear, and other feelings.
These are living people. Therefore, since they have never been in combat, they have never tested these networks in combat. That is why we are one step ahead. They think differently. They think theoretically. In theory, there are entire teams and APT communities that attack certain networks. So I’ll put it this way: if all of the ransomware groups suddenly became cybersecurity specialists, and those who are now cybersecurity specialists started pentesting networks, ransomware would be over.
DS: Where do you see the ransomware industry in three years? Will ransomware continue to be the best monetization model for cybercriminals, or will they switch to something else?
MM: It’s like carding was once popular and there was a lot of money in it, but now it’s dead. And extortionists will die soon – not in three years, but sooner. Literally everything has changed in the last six months. Since the beginning of the special operation in Ukraine, almost everyone has refused to pay. I often encountered people who wrote to me in a chat: “You are a Russian occupier. Be content with $10k. And we won’t give you more. At least take this. Conversion [или рентабельность инвестиций] dropped completely in the last six months. All in all, it was hard work.
If he dies, he dies. You need to come up with something new. But ransomware is worse than heroin. I haven’t tried it, but I’ve seen people on it, and I’ll tell you what: ransomware is worse than drug addiction. Nowhere is there such money as in extortionists. I even compared him to Hydra drug dealers. [крупнейший в мире даркнет-маркетплейс, который был закрыт в этом году]. They earn less than us.
But at the moment, ransomware remains the leader in terms of monetization. There are no other schemes on the Internet that would bring great monetization. Or I don’t know about them yet.
DS: How has the war in Ukraine affected the spread of ransomware and cybercrime in general?
MM: I will not call it a war in Ukraine, I will call it a special operation. I hope you understand. This has had a huge impact. I had many friends from Ukraine. From my entire list of Ukrainian contacts, only one or two people communicate with me at the moment. The rest all left. They call me an occupier.
It’s terrible, the industry has reorganized. I don’t know if a special operation would have started, but as far as we all know, Russia has begun to slowly cooperate with the United States regarding cybercrime. I crap myself and then I was very afraid, I drank a lot. I re-read our Constitution and realized that they would leave me in Russia, but it was scary [прим. ред.: у России нет договора об экстрадиции с США]. I had already forgotten about the money, and then the special operation began. I was damn happy. Although you know that it is stupid to talk about it, because citizens of Ukraine will also read my interview, and someone’s father or their child could die. I began to rejoice, you know, with impunity. But, if not for the special operation,
DS: Have you been offered jobs in certain government services? If so, which ones?
MM: You probably want to hear some secrets, but there are no secrets at all. I was even surprised that in the entire history of my career since 2011, no one has come to me. Neither the FSB, nor the Ministry of Internal Affairs. I just lived a normal life.
I don’t even understand when I read on the forums that the FSB came to some guy and forced him to work. It seems to me that they are all lying, and they themselves went to the FSB to ask for a job – but I don’t know how it works. The structure of the FSB is very secret. Unlike the Americans, the FSB does not post portraits on its website to say: look, I’m watching Most Wanted Cyber. I don’t understand what the Americans want to achieve. I do not know anything about the work of the FSB of the Russian Federation. For me, this is a dark horse. I might even be glad to cross paths with them, but no, it’s not necessary.
DS: Tell me a secret. Between the FSB and the FBI, who scares you the most?
MM: What worries me the most? If these two structures start cooperating with each other, then I’m fucked up, at least three life terms.