
Law enforcement authorities in Ukraine and Germany have identified two Ukrainian nationals suspected of working for the Russia-linked ransomware-as-a-service (RaaS) group Black Basta.
Additionally, authorities noted that the group’s alleged leader, 35-year-old Russian Oleg Evgenievich Nefedov (Нефедов Олег Евгеньевич), has been added to the European Union’s Most Wanted List and Interpol’s Red Notice List.
“According to the investigation, the suspects specialized in technical hacking of protected systems and were involved in preparing cyber attacks using ransomware,” the Ukrainian Cyber Police said in a statement.
According to the agency, the suspects operated as “hash crackers” who specialized in extracting passwords from information systems using special software. Once the credentials were obtained, members of the ransomware group infiltrated the corporate network, ultimately deploying the ransomware and extorting money to recover the encrypted information.

Authorities searched the defendants' residences in Ivano-Frankivsk and Lviv and authorized the seizure of digital storage devices and cryptocurrency assets.
Black Basta first appeared on the threat landscape in April 2022 and is said to have targeted over 500 businesses across North America, Europe, and Australia. The ransomware group is estimated to have earned hundreds of millions of dollars in cryptocurrency from illicit payments.
Early last year, a year’s worth of internal chat logs from Black Basta were leaked online, offering a glimpse into the group’s inner workings, its structure and key members, and the various security vulnerabilities that were exploited to gain initial access to targeted organizations.
The leaked documents also revealed that Nefedov is the ringleader of Black Basta, adding that he uses various aliases, including Trump, Trump, GG, and AA. Some documents claim that Nefedov has ties to senior Russian politicians and intelligence agencies such as the FSB and GRU.
Nefedov is believed to have used these connections to protect his business and evade international justice. Subsequent Trellix analysis revealed that Nefedov was able to secure his freedom despite being arrested in Yerevan, Armenia in June 2024. His other aliases include Kuruba, Washington, and S. Jimi. Nefedov is said to be in Russia, but his exact whereabouts are unknown.

There is also evidence linking Nefedov to Conti, a now-defunct group that was created in 2020 as Ryuk’s successor. In August 2022, the U.S. Department of State announced a $10 million reward for information about five individuals associated with the Conti ransomware group. They included Target, Trump, Dandis, Professor, and Resyaev.
It is worth mentioning here that after the Conti brand was discontinued in 2022, Black Basta emerged as an autonomous group alongside BlackByte and KaraKurt. Other members joined groups such as BlackCat, Hive, AvosLocker, and HelloKitty, all of which are now defunct.

Germany’s Federal Criminal Police Office (BKA, Bundeskriminalamt) said: “He served as the head of the group. As such, he decided who or which organization would be the target of the attack, recruited members, assigned tasks, participated in ransom negotiations, and controlled the ransom money obtained through extortion and used it to pay members of the group.”
The leak led to the apparent demise of Black Basta, with the group remaining silent since February and taking down its data leak site later that month. However, ransomware gangs have been known to go dormant, rebrand, and reemerge under different identities, so it would not be surprising if members of the former criminal organization pivoted to other ransomware groups or formed new ones.
In fact, several former Black Basta affiliates are suspected to have transitioned to the CACTUS ransomware operation, according to reports from ReliaQuest and Trend Micro. This assessment is based on the fact that the Black Basta site went offline in February 2025, which coincided with a massive spike in the number of organizations named on the latter’s data leak site.
