Two individuals suspected of involvement with the Russia-linked ransomware group Black Basta have been identified by Ukrainian and German law enforcement authorities.
Additionally, Oleg Evgenievich Nefedov, a 35-year-old Russian national believed to be the leader of the group, has been added to the European Union’s Most Wanted and INTERPOL’s Red Notice lists.
According to the Cyber Police of Ukraine, the suspects specialized in the technical compromise of protected systems and helped prepare ransomware attacks.
The accused operated as “hash crackers,” using specialized software to extract passwords from information systems. Once the credentials were obtained, members of the ransomware group infiltrated corporate networks, deployed ransomware, and extorted money in exchange for decrypting the data.

Authorities executed searches at the homes of the defendants in Ivano-Frankivsk and Lviv, seizing digital storage devices and cryptocurrency assets.
Black Basta first appeared on the threat landscape in April 2022 and has targeted over 500 companies in North America, Europe, and Australia. The group is estimated to have amassed hundreds of millions of dollars in cryptocurrency through illicit payments.
In early 2021, internal chat logs from Black Basta were leaked, revealing insights into the group’s operations, leadership, and tactics used to breach organizations. The leaked information identified Nefedov as the leader of Black Basta, known by aliases such as Tramp, Trump, GG, and AA. Some documents suggested Nefedov’s connections to high-ranking Russian political figures and intelligence agencies.
Nefedov allegedly used these connections to shield his activities and evade international law enforcement. Despite being arrested in Yerevan, Armenia, in June 2024, Nefedov managed to avoid legal consequences and remains at large. His other aliases include kurva, Washingt0n, and S.Jimmi.

Moreover, evidence links Nefedov to Conti, a group that emerged in 2020 as a successor to Ryuk. In August 2022, the U.S. State Department offered a $10 million reward for information on individuals associated with the Conti ransomware group.
Black Basta, along with BlackByte and KaraKurt, emerged as independent entities following the dissolution of the Conti brand in 2022. Former members may have transitioned to other ransomware groups like CACTUS, as indicated by an increase in organizations named on CACTUS’s data leak site coinciding with Black Basta’s disappearance.

Germany’s Federal Criminal Police Office stated that Nefedov served as the head of Black Basta, overseeing target selection, member recruitment, task assignments, ransom negotiations, and fund management within the group.
Following the leaks, Black Basta ceased its activities, removing its data leak site in February. However, given the tendency of ransomware groups to rebrand and resurface, former members of Black Basta may join new ransomware operations or form new groups in the future.
Reports suggest that former Black Basta affiliates may have transitioned to CACTUS ransomware, evidenced by a surge in organizations listed on CACTUS’s data leak site around the time of Black Basta’s closure.

