Monti, a ransomware variant first identified in early 2022, was recently observed in an engagement by DAR’s threat intelligence team. While “Monti” does not appear on OFAC’s list of sanctioned groups and individuals, DAR was able to identify the likely involvement of a sanctioned individual, Mikhail Matveev (aka “Wazawaka”), in the attack.
Sanctions compliance, when applied to ransomware payments, is a fraught process: threat actors hide behind a cloak of anonymity, often for the express purpose of sanctions evasion [1]. When ransomware groups are sanctioned, those groups either dissolve, rebrand, or disappear; when individual threat actors are sanctioned, they often continue to operate within the ransomware economy.
Assessing the involvement of sanctioned threat actors, though uncertain and complicated, may be an important step in assessing the regulatory and reputational risks involved in making ransomware payments.
This report details how DAR’s investigation identified Matveev’s involvement, by (1) reviewing readily-available open-source intelligence (OSINT) connecting Monti and Matveev; (2) connecting the incident to prior human intelligence (HUMINT) about Matveev, and (3) confirming the connection with Law Enforcement (LE).
Mikhail Matveev, a Russian national, was sanctioned by OFAC in May 2023 for “his role in launching cyberattacks against U.S. law enforcement, businesses, and critical infrastructure.” [2]
According to numerous open-source intelligence observations – including a direct interview with Matveev himself – Matveev has continued to attack companies as a member of several different ransomware groups.
DAR must be constantly vigilant to the possibility a ransomware payment it assists with may reach a sanctioned entity or jurisdiction. Threat intelligence is DAR’s main defense against this possibility; informed attribution precedes any transaction DAR participates in.
In a recent case, DAR was able to identify, with high confidence, a risk that a prospective payment to the “Monti” ransomware group would reach a sanctioned individual, Mikhail Matveev. Upon identifying the highly-likely attribution between Monti and Matveev, DAR flagged the risk for its client and did not make the prospective payment.
Mikhail Pavlovich Matveev – often known by his alias, "Wazawaka" – is a key figure in the ransomware world, notorious for his brazen personality, versatile technical skills, and association with multiple high-profile ransomware operations. Matveev's unapologetic embrace of his cybercriminal activities has made him both a target of law enforcement and a subject of fascination in the cybersecurity community. He has openly bragged about his exploits, taunted law enforcement agencies, and was an early advocate for “double extortion”, the public release of data stolen from victims who refuse to pay ransoms.
Matveev has been associated with a wide range of ransomware groups throughout his cybercriminal career. Some of the most notable groups he has been linked to include [4]:
Matveev's ability to operate within such a diverse network of ransomware groups highlights his deep knowledge of the cybercriminal underworld, his adaptability, and his sophisticated understanding of the ransomware-as-a-service model.
Attribution in cybercrime is complex. Identifying Mikhail Matveev in a ransomware attack requires a multifaceted approach, examining a combination of technical indicators, behavioral patterns, and known associations. Collaboration and the use of shared tools make it challenging to definitively link attacks to specific individuals.
While Matveev has worked with a wide range of ransomware groups, he and his team have demonstrated preferences for specific tactics, techniques, and procedures (TTPs). Here are the key indicators that DAR’s threat intelligence team uses to assess the possibility of Matveev's involvement:
In May 2023, the United States government initiated a series of actions against Mikhail Matveev for his alleged role in numerous ransomware attacks. These actions, coordinated across multiple agencies, aimed to disrupt Matveev's operations, hold him accountable for his crimes, and deter future cybercriminal activity:
The combination of criminal charges, a substantial reward offer, and financial sanctions aims to severely limit Matveev's ability to operate and serve as a deterrent to others involved in ransomware activities. In the context of a ransomware incident, the actions provide a clear prohibition against paying a ransom to Matveev.
The RaaS (Ransomware-as-a-Service) model – generally speaking – operates through a structured developer-affiliate relationship that defines roles, responsibilities, and profit-sharing arrangements. This split structure can be one of the most salient pieces of information during the process of threat actor attribution.
Ransomware software developers create software to host the command-and-control functions of a ransomware attack, maintain the ransomware payload that encrypts and exfiltrates victims’ data, and facilitate the decryption process if a payment is made. Developers’ motivation centers on creating reliable software, as failures in these processes discourage payments. Quality ransomware software that encrypts quickly and handles multiple file types without corruption is a valuable asset for affiliates conducting attacks, and is how developers encourage their users – ransomware affiliates – to choose their ransomware software over another group's.
Conversely, the users – “ransomware affiliates” – are the threat actors conducting attacks using the RaaS software from the developers. Typically there is a profit sharing model, where the affiliates take around 80% of a successful ransom, and the developer receives 20% for the use of that RaaS software. However, this profit sharing split is negotiable. Developers might offer "big" ransomware names – such as Matveev – a higher proportion of the ransom (90%/10%, for instance) if he uses their RaaS software over a competitor's, knowing his past success rate is more of a guarantee, and hoping they might gain more users through social capital.
DAR’s intelligence and OSINT research describes several tactics, techniques, and procedures (TTPs) commonly employed by the Monti ransomware group [10]:
On June 12, 2024, Monti’s TOR site announced that the project had been sold, putting some prior intelligence about the makeup of the RaaS program into question. DAR’s intelligence team finds no corroborating evidence of the claimed transaction, and treats the announcement with a high degree of skepticism. Monti’s uncertain ownership structure highlights the importance of case-by-case investigations into potential threat actor attribution.
On November 26, 2024 an announcement on the official Monti blog stated, “Publications postponed” - an indication that no further announcements of Monti’s victims would be made until further notice.
This event is significant as it occurred only 3 days before Russian state news announced, on November 29, 2024, Matveev’s arrest in Kaliningrad [13]. On November 30, 2024, an independent security researcher reported that Matveev had posted bail and was released awaiting trial [14].
DAR's attribution process relies on:
DAR identified Wazawaka's involvement in the Monti ransomware negotiations from the first interaction. His signature intimidation tactics and aggressive negotiation style during victim engagement provided clear attribution markers. Analysis of negotiation transcripts and initial contact interactions confirmed his presence through these unmistakable behavioral patterns.
Upon case intake, DAR received an image of the ransom note left on the victim’s systems. The threat actor identified themselves as part of the Monti group: the note was an exact match with prior Monti observations, beginning, “All your files are currently encrypted by MONTI strain. If you don’t know who we are - just ‘Google it.’” [15]
The note directed the victim to a non-repudiable TOR website which hosted the negotiation chat, and to Monti’s data leak and shaming site, which is also hosted on TOR. Negotiations were conducted via the TOR website, a clear indication that the threat actor was indeed affiliated with Monti. DAR assisted the client with obtaining “proof of life” in the negotiation – evidence that the threat actor had exfiltrated data and could decrypt encrypted files.
DAR attributed the attack to Matveev because of his distinctive engagement style during ransom negotiations. These behavioral fingerprints are consistently observed and documented in Matveev’s involvement across multiple ransomware operations, making it a reliable identifier for attribution purposes. Matveev’s signature approach includes:
During negotiations, these behavioral tactics were quick to emerge. The victim was mocked for attempting to negotiate the amount of a prospective cryptocurrency payment. Despite ongoing communication between the victim and threat actor, the victim received an email threat from an anonymous @proton[.]me address, apparently to pressure for a faster resolution. Similar pressure was applied in the TOR chat panel.
The consistency and uniqueness of these patterns provide a high degree of confidence in attributing Monti operations to Matveev when these specific negotiation characteristics are present. When DAR’s attribution suggests the involvement of a sanctioned geography, entity, or individual, DAR consults the Federal Bureau of Investigation to be sure its findings match those of US Law Enforcement (as OFAC recommends) [16] [17].
Upon identifying Matveev’s behavioral patterns in the Monti ransomware negotiation, bolstered by PRODAFT's report identifying Matveev as an affiliate of the Monti ransomware group, DAR escalated the case to the FBI field office assigned to Matveev. This step ensured proper sanctions compliance evaluation and maintained the necessary distinction between Monti as a RaaS platform and Matveev as a sanctioned affiliate.
Threat actor attribution extends beyond simple categorization of ransomware groups – such as Hive, Lockbit, Conti, etc. – as sanctioned or not. Sanctioned individuals like Matveev actively operate as affiliates across multiple platforms, including within non-sanctioned groups. A group-level sanctions assessment alone fails to identify the involvement of sanctioned individuals operating within technically "clean" platforms. Affiliate-level attribution addresses these inadequacies by evaluating all likely recipients of a prospective ransom payment.
The RaaS model splits responsibility between developers and affiliates, allowing sanctioned individuals to operate within non-sanctioned ransomware platforms. When sanctioned individuals like Matveev deploy ransomware through non-sanctioned groups, an affiliate-centric attribution process using available behavioral markers, technical indicators, and negotiation patterns can help identify their presence.
Attribution confidence increases when multiple technical and behavioral indicators align. The combination of specific tool preferences, communication patterns, and operational behaviors reduces uncertainty – both tactical (when engaging the threat actor) and regulatory (when contemplating the legal implications of different response options). Law enforcement verification provides an additional layer of confidence when evaluating potential sanctions risks.
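The two-level screen described in the conclusion, as an added example that is not DAR's tooling or process: a group-level check (ransom note template match plus use of the group's own TOR negotiation portal) is run alongside an affiliate-level check built from weighted behavioral indicators, and every likely recipient of the payment is then screened against a sanctions list. The indicator names, weights, threshold, the `SANCTIONED_PARTIES` set, and the sample cases are all constructed for illustration; only the Monti note opening and the group/affiliate names come from the report.

```python
"""Two-level (group + affiliate) sanctions screen for a prospective ransom payment.

Added example, not DAR's process. Indicator names, weights, threshold and
the sample cases are constructed for illustration.
"""
from dataclasses import dataclass, field
from difflib import SequenceMatcher
from typing import List, Optional, Set

# Opening of the Monti ransom note as quoted in the report; used as the
# known template for group-level matching.
MONTI_NOTE_TEMPLATE = (
    "All your files are currently encrypted by MONTI strain. "
    "If you don't know who we are - just \"Google it.\""
)

# Constructed screening list: the Monti platform itself is not designated,
# but the affiliate behind the alias is (OFAC, May 2023, per the report).
SANCTIONED_PARTIES: Set[str] = {"Mikhail Matveev (Wazawaka)"}

# Constructed affiliate-level behavioral indicators with illustrative weights.
AFFILIATE_INDICATORS = {
    "mocks_victim_for_negotiating": 0.35,   # ridicule of counter-offers
    "out_of_band_email_pressure": 0.35,     # pressure email outside the chat
    "parallel_pressure_in_chat": 0.15,      # same pressure in the TOR panel
    "vendor_report_links_affiliate": 0.15,  # third-party reporting (e.g. PRODAFT)
}
ATTRIBUTION_THRESHOLD = 0.7   # constructed; tune against historical cases
NOTE_MATCH_THRESHOLD = 0.8    # constructed


def note_similarity(observed: str, template: str = MONTI_NOTE_TEMPLATE) -> float:
    """Return a 0..1 ratio of how closely an observed note opening matches the template."""
    norm = lambda s: " ".join(s.replace("\u2019", "'").split()).lower()
    return SequenceMatcher(None, norm(observed), norm(template)).ratio()


@dataclass
class Case:
    note_opening: str
    tor_negotiation_portal: bool
    observed_indicators: Set[str] = field(default_factory=set)


@dataclass
class Screen:
    group: Optional[str]
    affiliate: Optional[str]
    affiliate_score: float
    sanctioned_recipients: List[str]
    payment_permissible: bool


def screen_case(case: Case) -> Screen:
    """Attribute the platform and the affiliate separately, then screen both."""
    # Group level: note template match AND negotiation on the group's TOR portal.
    group = None
    if note_similarity(case.note_opening) >= NOTE_MATCH_THRESHOLD and case.tor_negotiation_portal:
        group = "Monti"

    # Affiliate level: weighted sum of the behavioral markers actually observed.
    score = sum(AFFILIATE_INDICATORS[i] for i in case.observed_indicators
                if i in AFFILIATE_INDICATORS)
    affiliate = "Mikhail Matveev (Wazawaka)" if score >= ATTRIBUTION_THRESHOLD else None

    # Screen every likely recipient, not just the platform; a "clean" group does
    # not clear a designated affiliate.
    recipients = [r for r in (group, affiliate) if r]
    hits = [r for r in recipients if r in SANCTIONED_PARTIES]
    return Screen(group, affiliate, round(score, 2), hits, not hits)


# Constructed sample: note text as extracted from a screenshot (curly
# apostrophe, uneven spacing), negotiation on the TOR portal, three markers.
SAMPLE_CASE = Case(
    note_opening="All your files are currently encrypted by MONTI strain.  "
                 "If you don\u2019t know who we are - just \"Google it.\"",
    tor_negotiation_portal=True,
    observed_indicators={"mocks_victim_for_negotiating",
                         "out_of_band_email_pressure",
                         "parallel_pressure_in_chat"},
)

# Same platform, no affiliate markers: a group-only assessment would clear it.
GROUP_ONLY_CASE = Case(note_opening=SAMPLE_CASE.note_opening, tor_negotiation_portal=True)

if __name__ == "__main__":
    print(screen_case(SAMPLE_CASE))
    print(screen_case(GROUP_ONLY_CASE))
```

Running the two constructed cases side by side shows the point of the conclusion: both resolve to the non-sanctioned Monti platform, but only the affiliate-level pass turns the first into a blocked payment with a named sanctioned recipient, which is the finding that would then be taken to law enforcement for verification.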
Not necessarily. Matveev’s involvement in Monti remains unclear and it is possible that he is one of several affiliates of a development program in which he maintains no direct involvement.
Matthew Leidlein is President of Digital Asset Redemption, where he helps organizations respond to and recover from cybersecurity incidents. Drawing from over 20 years in financial markets, including 16 years as a Portfolio Manager at Archelon Group between Chicago and Zug, Switzerland, he now applies his expertise to cybercrime response.
1. See, for instance, “To HADES and Back: UNC2165 Shifts to LOCKBIT to Evade Sanctions” Mandiant Intelligence, June 2, 2022; https://cloud.google.com/blog/topics/threat-intelligence/unc2165-shifts-to-evade-sanctions.
2. “Treasury Sanctions Russian Ransomware Actor Complicit in Attacks on Police and U.S. Critical Infrastructure.” U.S. Department of the Treasury, May 16, 2023, https://home.treasury.gov/news/press-releases/jy0628.
3. Dina Temple-Raston. “A Q&A with Wazawaka: The FBI’s Cyber Most Wanted Says New Designation Won’t Affect His Work.” The Record from Recorded Future News, May 20, 2023, https://therecord.media/wazawaka-cyber-most-wanted-interview-click-here.
4. This section relies heavily on PRODAFT’s outstanding research into Matveev, “Smoke and Mirrors: Understanding the Workings of Wazawaka.” PRODAFT, December 5, 2023. https://25491742.fs1.hubspotusercontent-eu1.net/hubfs/25491742/WAZAWAKA_TLPCLEAR_Report.pdf.
5. “Ransomware Charges Unsealed Against Russian National.” United States Department of Justice, May 16, 2023. https://www.justice.gov/usao-dc/pr/ransomware-charges-unsealed-against-russian-national.
6. https://x.com/DarkWebInformer/status/1832594278687625219.
7. “Ransomware Charges Unsealed Against Russian National.” ibid.
8. “The Department of State Announces Reward Offer Against Russian Ransomware Actor.” United States Department of State, May 16, 2023. https://www.state.gov/the-department-of-state-announces-reward-offer-against-russian-ransomware-actor/.
9. “Treasury Sanctions Russian Ransomware Actor Complicit in Attacks on Police and U.S. Critical Infrastructure.” ibid.
10. This section relies heavily on PRODAFT’s outstanding research into Matveev, “Smoke and Mirrors: Understanding the Workings of Wazawaka.” ibid.
11. Morales, Nathaniel, and Joshua Paul Ignacio. “Monti Ransomware Unleashes a New Encryptor for Linux.” Trend Micro (US). https://www.trendmicro.com/en_us/research/24/l/monti-ransomware-unleashes-new-encryptor-for-linux.html.
12. “Monti Ransomware Sold! New Owners Hint at Future Plans.” Cybersecurity News, November 27, 2024. https://cybersecuritynews.com/monti-ransomware-sold.
13. "В Калининграде буду судить программиста, разыскиваемого ФБР" [“In Kaliningrad, a programmer wanted by the FBI will be tried”]. RIA Novosti, November 29, 2024. https://ria.ru/20241129/sud-1986456557.html.
14. https://x.com/club31337/status/1862985153183633466
15. Anuj Soni and Ryan Chapman, "The Curious Case of “Monti” Ransomware: A Real-World Doppelganger," BlackBerry Blog, September 7, 2022, https://blogs.blackberry.com/en/2022/09/the-curious-case-of-monti-ransomware-a-real-world-doppelganger.
16. U.S. Department of the Treasury, Office of Foreign Assets Control, "Advisory on Potential Sanctions Risks for Facilitating Ransomware Payments" October 1, 2020. https://ofac.treasury.gov/recent-actions/20201001.
17. U.S. Department of the Treasury, Office of Foreign Assets Control, “Updated Advisory on Potential Sanctions Risks for Facilitating Ransomware Payments” September 21, 2021. https://ofac.treasury.gov/media/912981/download?inline.