Dina Temple Raston
From Recorded Future News and PRX, this is Click Here. Hey, it's Dina. The Click Here team is taking a break from producing brand new episodes this month so we can get ahead on some reporting for 2025. Usually on Fridays, we offer you a Mic Drop, an extra-long cut of our favorite interview of the week. This week we thought we'd dig up something from the archives: a rare interview we landed with a hacker named Wazawaka. Allegedly, Russian authorities arrested him late last week for his ransomware activities, and the arrest appears to have been short-lived. He was on social media, seemingly once again a free man, just a short time later. We spoke to him in late 2023, not long after the FBI had added him to America's Cyber Most Wanted list. And at the time he told us being a Most Wanted wouldn't slow him down. Take a listen. The FBI's most wanted list is the stuff of legend. Back in the old days, it included gangsters like Al Capone or bank robbers like John Dillinger. Even Bonnie and Clyde, the murderous lovers who went on a three-year crime spree in the 1930s before they were eventually gunned down in their car by law enforcement.
Misha (Wazawaka)
Here is Clyde Barrow and Bonnie Parker.
Dina Temple Raston
Who died as they lived by the gun. To get that most wanted, public enemy number one designation, the person needs to be a danger to society. And the FBI has to make a calculation whether all the publicity that comes with the FBI's most wanted will help the Bureau bring them to justice. What may be less well known is that the FBI has a bunch of different kinds of Most Wanted lists. There's one for fugitives, one for kidnappers, and somewhat recently one for the world's most wanted hackers, people who have wreaked havoc from behind a keyboard.
Azim Kojibayev
The actors named in this indictment were members of a hacking group operated in.
Dina Temple Raston
China, involved hacking into computers of hospitals.
Walter Richmond
Municipalities, public institutions and businesses in the United States.
Dina Temple Raston
And the people in the FBI Cyber Most Wanted seemed to fall into a couple of categories. Iranian hackers with first names like Amir and Ahmad, North Koreans with last names like Park and Kim, and Chinese hackers, many of whom appear to be in military uniform. And the newest inductee, he's Russian. His first name is Misha, but he's better known by his screen names, Wazawaka or Boris Elson or M1X. And he was put on the list just a few weeks ago.
Azim Kojibayev
We are following new developments this morning and an apparent hack affecting D.C. police's computer network, health care provider, school systems, all targets of a Russian national.
Dina Temple Raston
The Justice Department is putting a bounty on his head to the tune of he's worked with some of the most notorious cyber criminals in the world. And the Department of Justice claims the groups he's worked with have raked in hundreds of millions of dollars by stealing data and then holding it for ransom. And we tracked down this most wanted hacker thought to be living in Russia, and we convinced him to talk. And he has a lot to say about his inclusion on that FBI list.
Misha (Wazawaka)
I just want to say this, the money that the DOJ attributes to, I have never seen such amounts. I don't have this money. Where did they get those numbers from? I am interested.
Dina Temple Raston
From Recorded Future News. I'm Dina Temple Raston and this is Click Here's Mic Drop, an extended cut of an interview we did that we think you might want to hear a little more of today, a conversation with one of America's most cyber wanted. Stay with us.
Dina Temple Raston
I'm Dina Temple Raston, and this is Click Here's Mic Drop. The FBI's Cyber Most Wanted started about 10 years ago and the criteria to be included is pretty straightforward. It depends on the seriousness of the hacking crimes, the kinds of attacks they've committed in the past, and whether they continue to pose a serious threat. Misha seems to have made the cut largely because of the people he hangs out with. He's been an affiliate, which is a kind of contractor, to three infamous ransomware hacking crews, namely LockBit, Babuk and Hive. Though when we asked him about them, he started out by not wanting to talk about it. We spoke to him through a translator.
Misha (Wazawaka)
I have discussed this many times and there is no reason to repeat it.
Dina Temple Raston
But then he went on to discuss them at great length. He says a lot of people have accused him of running some of these ransomware gangs, but actually that's not right. He says he just works with them.
Misha (Wazawaka)
Journalists exaggerate more than make mistakes, but there are mistakes. For example, Hive and LockBit, they made me look like a co-owner of.
Dina Temple Raston
This, which he says he isn't. But even if he isn't running these groups because he's worked with so many of them, he's a wealth of information about how they operate. For example, he says he thinks the best run ransomware operation is a Russian language one called Conti.
Misha (Wazawaka)
Conti was very well structured.
Dina Temple Raston
You've probably heard about some of their attacks. Conti targeted the Costa Rican government last year and stole some 850 gigabytes of data from the Finance Ministry.
Azim Kojibayev
Late today, we learned that Costa Rica has declared a state of emergency after a ransomware attack.
Dina Temple Raston
The group made a ransom demand and then just locked up the Financial Ministry's systems for weeks.
Azim Kojibayev
They doubled their ransom demand from $10 million to $20 million.
Dina Temple Raston
They can do things like that, Misha said, because they are so well run.
Misha (Wazawaka)
It was run like a real-world business and they profited from that. LockBit, or rival, claimed others' work and boasted about other people's work. That's why they lost their way. You will not find anything bad written about Conti. They keep all their business promises. The product is well built.
Dina Temple Raston
Conti broke up shortly after the Russian invasion of Ukraine. Its leaders said they were going to support Russia in the war. And then in response, someone leaked their chats and revealed a bunch of their internal operations and secrets. After that, Conti appeared to just shut down, walk away. But Misha says that's not true. Conti's still around.
Misha (Wazawaka)
They still exist, but we don't see them. The way the market is set up now, you don't see real groups. You only see the hype.
Dina Temple Raston
The danger of someone like Misha, who isn't running a hacking operation, but is only too happy to lend a hand to those who do, is that he doesn't care much who gets targeted. It could be the government of Costa Rica one day and a small working-class town in the US the next. Just ask Prospect Park, New Jersey.
Unknown
It's a small town. We're about just under like a square mile.
Dina Temple Raston
This is Walter Richmond. He's the officer in charge of Prospect Park.
Unknown
We border the city of Paterson, which is one of the major cities in New Jersey. Actually, many of our streets we share with Paterson. Half of the street will be ours, half of it will be city of Paterson's.
Dina Temple Raston
And this little town back in the summer of 2020 was attacked by the Lockbit G. Walter was one of the first to realize what Misha and his buddies had allegedly done.
Unknown
I came in in the morning and our police clerk had alerted us that she couldn't access any of the files she was trying to scan into her, you know, her clerical duties. And she couldn't access any of the files.
Dina Temple Raston
So he went over to her computer and his heart sank.
Unknown
I noticed that all of our files on our server were of the LockBit variant. They were changed. So we obviously have Word documents, usually your normal PDF style documents, Excel, things like that, et cetera. But they were all now LockBit as the file type.
Dina Temple Raston
So, like the extension on the file, instead of saying txt or whatever it was, it would say lockbit?
Unknown
Yes. So the extensions of the files were all changed to LockBit.
Dina Temple Raston
Walter called the company that was running the city's IT operations and asked what he should do.
Unknown
And he immediately said, you know, do not log into any computers. Tell everyone to not touch any of their, you know, desktops or laptops, in their vehicles, the police cars.
Dina Temple Raston
But here's the strange thing. Walter said there was no ransom note.
Unknown
You know, no one reached out requesting a ransom or any, you know, the usual type of, you know, activity.
Dina Temple Raston
Attacks like these can be terrifying. A city like Prospect Park wouldn't expect to be a target of someone as notorious as Misha. But in an indictment released the day Misha became a Cyber Most Wanted, the Justice Department claimed that he played a role in the Prospect Park attack. They said he was part of a conspiracy to lock up their computers. Why do you think he went after you guys?
Unknown
I'm not sure. That's a really good question.
Dina Temple Raston
Cybersecurity experts will tell you that hackers are targeting places like Prospect Park because they're low-hanging fruit. Cities typically don't have lots of money to spend on IT security teams. Misha, for his part, told us he wasn't involved.
Misha (Wazawaka)
It was not me. It was other people. I just uploaded the data because I thought I needed to upload it.
Dina Temple Raston
The information was available, he said. So he just grabbed it to prove that they really had the data.
Misha (Wazawaka)
You see, a lot of Western cybersecurity companies think a lot of ransomware groups lie. I uploaded the data to prove that it really had been stolen and it wasn't a hoax.
Dina Temple Raston
While the Prospect Park attack was relatively small ball, Misha's work with all these groups has authorities worried that he will eventually be involved in a big one. A ransomware attack that stops the city in its tracks. Some version of what happened in Dallas earlier this month.
Azim Kojibayev
More fallout tonight from a ransomware attack on the city of Dallas. The cyber attack has now closed the municipal courts building and renewed concerns about the possible leak of city employees personal data.
Dina Temple Raston
It's unclear whether the ransomware group that locked up the Dallas city system, a crew called Royal, actually stole the city's data. But the mere fact that they have locked up some of the Dallas computer systems has had real-world consequences. Dallas officials say there will be no hearings, no trials, and no jury duty until they're back online. And they say that'll be at the end of the month. So the courts have been closed for weeks. The concern is that attacks with this kind of impact become the new norm and that people like Misha could help make more attacks like that happen. Which helps explain why the FBI is pulling out all the stops in a hunt for him. But actually, we found someone who was able to locate Misha, even identify him, and he's been interacting with him for years now. Stay with us. Azim Kojibayev started tracking Misha a few years ago. He's a senior analyst at a threat intelligence firm called Cisco Talos.
Azim Kojibayev
So one of my research skills is to really deep dive into the human presence on the Internet for individuals.
Dina Temple Raston
And it turns out Misha had inadvertently left little digital footprints on the Web, things he'd probably forgotten about. And Azim discovered them.
Azim Kojibayev
They made a small mistake in posting their both username and name in a very random forum post a very long time ago.
Dina Temple Raston
Azim put that little piece of information together with other things he'd found.
Azim Kojibayev
And then ultimately, that same name was matched to a resume that indicated and matched a lot of this person's activities.
Dina Temple Raston
So when Misha reached out to him, Azim responded by saying he knew who he was.
Azim Kojibayev
He did not deny it. His response was actually very jovial, inquisitive as to how I found out. But because of that, it was, in my experience, one of the biggest icebreakers I've ever had.
Dina Temple Raston
Actually, your relationship with him was sort of born out of begrudged mutual respect.
Azim Kojibayev
Yes, and it continues to be that way. It seems he has recently gone from a very negative attitude towards me to being somewhat cordial and even nice at times, complimenting me one way or the other, which I found that personally to be a little weird.
Dina Temple Raston
A producer on our team spent weeks chasing Misha, and he eventually convinced him to talk to us just a few days after he was added to the FBI's most wanted hacker list. And Misha seemed to be taking his new notoriety in stride.
Misha (Wazawaka)
I was not surprised. I understood it was going to happen.
Dina Temple Raston
We worked out a system with him where we'd text him questions in Russian and then he'd respond to us with voice memos. And we didn't exactly have his full attention. It sounded like he was running errands while he was talking to us. Like, at one point, we could hear Rihanna music playing in the background. At another moment, we could hear motorcycles rumbling past, like he was on the street walking home. And that's the weird thing about Misha. While he's being hunted by the FBI, he seems to spend a lot of time doing things that make it pretty easy to find him, like sending us those voice memos or posting drunk videos on social media, which, in addition to giving clues about where he is, shows law enforcement exactly what he looks like. In fact, one of his pictures on the Most Wanted list is pulled from one of those videos. Misha kind of looks like he sounds.
Misha (Wazawaka)
Oh, shit, man, my workflow.
Dina Temple Raston
He looks straight out of hacker central casting, like one of those guys in the bar who makes you instinctively move a couple of stools away just so you can avoid any drunken interaction. And he's always calling out cybersecurity analysts on social media, goading them. In this clip, he's boasting about all the things they'd learn if only they could get their hands on his laptop, which he drunkenly hits with his hand.
Misha (Wazawaka)
And all data security professionals in the USA. Would you like to see something outstanding and more interesting than you have ever seen before? That's my working laptop.
Dina Temple Raston
But Misha doesn't seem to worry that the FBI might be taking those videos or our voice memos and piecing them together to try to locate him. Are those the kinds of clues that you look for?
Azim Kojibayev
To answer your question, I do look for those kinds of clues all the time.
Dina Temple Raston
This is Azim from Cisco Talos.
Azim Kojibayev
Again, he shares a lot of those kind of clues one way or the other. I don't particularly think he cares that he does that he's been pretty open, for example, about where he's been living in recent videos. I think even within this year, perhaps, or within the last year and a half, he has claimed to be residing or traveling to the Russian enclave of Kaliningrad, which is surrounded by Poland and.
Dina Temple Raston
Latvia, which actually isn't as much of a help for the FBI as it sounds. Russia doesn't hand over its cybercriminals. It's actually thought to encourage their overseas hacks, which may be why Misha doesn't seem to care that he's dropping all these clues. He's given no signs of slowing down now that he's on the FBI's Most Wanted. In fact, he says he's cooking up some new plans, which in a way, ironically, have something to do with the FBI.
Misha (Wazawaka)
I want to show that IT in Russia is still alive and well. You don't need to go to the United States to make money. You don't need to go to the United States to study. I want to take Russian information technologies to the next level.
Dina Temple Raston
Misha says he wants to help teach Russia's youth about cybersecurity to protect them from the prying eyes of the CIA and the FBI.
Misha (Wazawaka)
I also have this idea of organizing a project to teach children cyber hygiene to protect them from attacks of all sorts from CIA, FBI, who recruits our citizens. This is open information. They're talking about it themselves. No one does that in our country.
Dina Temple Raston
"You coming after me?" he seems to say to the FBI. "I'm coming after you." From Recorded Future News, this has been Click Here's Mic Drop. It was written and produced by Sean Powers and me, Dina Temple Raston, and it was edited by car. We'll be back on Tuesday. Have a great weekend.
Walter Richmond
Looking for more of the cybersecurity and intelligence coverage you get on Click Here? Then check out our sister publication, The Record, from Recorded Future News. You'll get breaking cyber news from reporters in New York, Washington, London and Kiev, among others. And you'll see for yourself why it attracts hundreds of thousands of page views every month. Just go to therecord.media.
In Episode 189 of Click Here, titled MicDrop: Return to Wazawaka, Recorded Future News delves deep into the enigmatic world of Misha, also known by his aliases Wazawaka, Boris Elson, and M1X. This extended cut revisits a rare interview conducted in late 2023 with Misha shortly after his inclusion in the FBI's Cyber Most Wanted list. Host Dina Temple-Raston, alongside her team, unpacks Misha's activities, his interactions with other ransomware groups, and the broader implications of his actions on global cybersecurity.
Dina begins by contextualizing the FBI’s Cyber Most Wanted list, drawing parallels to its historical counterparts like Al Capone and John Dillinger. She explains that this list categorizes individuals based on the severity of their cybercrimes, the nature of their attacks, and their ongoing threat to society. The list comprises various categories, including fugitives, kidnappers, and, more recently, cybercriminals who have caused significant digital havoc.
Notable Quote:
"The FBI's most wanted list is the stuff of legend... And the FBI has to make a calculation whether all the publicity that comes with the FBI's most wanted will help the Bureau bring them to justice."
— Dina Temple-Raston [00:03]
Misha stands out as the latest addition to this elite list. Originating from Russia, he has been implicated in numerous ransomware attacks targeting diverse entities, including hospitals, municipalities, and businesses across the United States. Despite allegations of his involvement with high-profile ransomware groups like LockBit, Babuk, and Hive, Misha maintains that he operates as an affiliate rather than a leader within these organizations.
Notable Quotes:
"I just want to say this, the money that the DOJ attributes to, I have never seen such amounts. I don't have this money. Where did they get those numbers from? I am interested."
— Misha (Wazawaka) [03:35]
"Journalists exaggerate more than make mistakes, but there are mistakes... Hive and LockBit, they made me look like a co-owner of."
— Misha (Wazawaka) [05:54]
Through Misha’s insights, the podcast sheds light on the operational dynamics of ransomware groups. He praises Conti, a Russian-language ransomware group, highlighting its structured and business-like approach. Conti's notable attack on the Costa Rican government, which involved stealing 850 gigabytes of data and making exorbitant ransom demands, exemplifies the sophistication and audacity of such groups.
Notable Quotes:
"Conti was very well structured."
— Misha (Wazawaka) [06:29]
"Conti was run like a real world business and they profited from that."
— Misha (Wazawaka) [07:06]
Although Conti publicly disbanded following the Russian invasion of Ukraine and leaked internal communications, Misha asserts that the group remains active, albeit less visible in the current cyber landscape.
One of the pivotal discussions revolves around the Prospect Park ransomware attack in New Jersey during the summer of 2020. Led by the Lockbit G. group, the attack crippled the town's computer systems by altering file extensions to .lockbit without leaving a ransom note, creating confusion and operational paralysis.
Key Points:
Impact on Local Governance: Walter Richmond, the officer in charge of Prospect Park, recounts how the attack prevented access to essential files, disrupting daily operations.
Notable Quote:
"I noticed that all of our files on our server were of the LockBit variant. They were changed... but there was no ransom note."
— Walter Richmond [08:26]
Misha’s Alleged Role: The Department of Justice linked Misha to this attack, alleging his participation in the conspiracy to lock up Prospect Park’s computers. However, Misha denies direct involvement, claiming he merely uploaded existing stolen data to validate the breach.
Notable Quote:
"It was not me. It was other people. I just uploaded the data because I thought I needed to upload it."
— Misha (Wazawaka) [10:45]
The discussion broadens to consider the potential for more severe and widespread ransomware attacks. Referencing a recent assault on Dallas, wherein the city’s courts were shut down for weeks, Dina emphasizes the growing trend of cyberattacks disrupting critical municipal functions. Analysts warn that individuals like Misha, with their extensive connections and operational knowledge, could facilitate larger-scale disruptions reminiscent of the Dallas incident.
Notable Quote:
"The concern is that attacks with this kind of impact become the new norm and that people like Misha could help make more attacks like that happen."
— Dina Temple-Raston [11:51]
A significant portion of the episode focuses on Azim Kojibayev, a senior analyst at Cisco Talos, who has been tracking Misha for years. Azim details his methodology in identifying Misha through minimal digital footprints, such as a misplaced username and name in an old forum post, which he correlated with Misha’s resume and activities.
Key Points:
Building the Case: Azim’s persistence led to establishing communication with Misha, who reacted with curiosity and eventual cordiality, intriguing Azim further.
Notable Quote:
"He did not deny it. His response was actually very jovial, inquisitive as to how I found out... one of the biggest icebreakers I've ever had."
— Azim Kojibayev [13:50]
Misha’s Recent Behavior: Despite being labeled as Most Wanted, Misha continues his activities unabated. He sends voice memos amidst everyday activities, with Rihanna music or passing motorcycles audible in the background, inadvertently revealing his whereabouts and appearance through these unguarded moments.
Notable Quote:
"I want to take Russian information technologies to the next level... teach Russian youth about cybersecurity to protect them from the prying eyes of the CIA and the FBI."
— Misha (Wazawaka) [18:31]
In a defiant stance against international law enforcement, Misha articulates his vision to advance Russian information technologies independently of Western influence. He aspires to educate Russian youth on cyber hygiene, positioning himself as a protector against Western espionage efforts.
Notable Quotes:
"I want to show that IT in Russia is still alive and well. You don't need to go to the United States to make money... to study."
— Misha (Wazawaka) [18:31]
"I also have this idea of organizing a project to teach children cyber hygiene to protect them from attacks of all sorts from CIA, FBI, who recruits our citizens."
— Misha (Wazawaka) [18:57]
As the episode concludes, Dina reflects on the relentless pursuit by the FBI and the challenges posed by cybercriminals like Misha. The combination of sophisticated tactics, extensive networks, and brazen public behavior makes Misha a formidable figure in the cyber underworld. The episode underscores the evolving nature of cyber threats and the imperative for robust international cooperation to combat such elusive adversaries.
Closing Quote:
"You coming after me? I'm coming after you."
— Misha (Wazawaka) [19:15]