Black Basta boss makes it onto Interpol’s ‘Red Notice’ list


The identity of the Black Basta ransomware gang leader has been confirmed by law enforcement in Ukraine and Germany, and the individual has been added to the wanted list of Europol and Interpol.

Germany’s Federal Criminal Police Office (BKA) identified Oleg Evgenievich Nefedov, a 35-year-old Russian national, as the leader of the Black Basta ransomware gang.

The Ukrainian police, in collaboration with German authorities, also identified two additional individuals allegedly working for the ransomware operation and conducted raids at two locations in the Ivano-Frankivsk and Lviv regions.

The police say that the two suspects specialized in gaining initial access to target networks and prepared the ground for the subsequent phases of the ransomware attack.

“According to investigators, the suspects specialized in technically breaching protected systems and were involved in preparing ransomware-based cyberattacks,” Ukraine’s cyberpolice said.

“The attackers performed the functions of so-called hash crackers – individuals who specialize in extracting passwords to accounts from information systems using specialized software,” the press release explains.

After getting access credentials belonging to company employees, the suspects breached internal corporate systems and increased the privileges of the stolen accounts.

During the raids at the locations of the two suspected members of the Russian-affiliated hacker group, the Ukrainian police seized digital storage devices and cryptocurrency assets.

From the police raid at a suspect’s house
Source: cyberpolice.gov.ua

The Black Basta boss

Nefedov, known online by the aliases tramp, tr, gg, kurva, AA, Washingt0n, and S.Jimmi, has been linked to the cybercriminal operation since last February, after someone leaked more than 200,000 chat messages exchanged between Black Basta members.

While Nefedov is believed to be the founder and leader of Black Basta, there is also credible evidence linking him to Conti, a now-defunct ransomware syndicate that emerged in 2020 as a successor to Ryuk.

After Conti shut down, it split into smaller cells that infiltrated other ransomware operations or took over existing ones. One of the new operations was Black Basta, considered a rebranding of the old Conti.

Security researchers at Trellix analyzed the leaked texts and found conversations between GG and Chuck about “a $10 million reward for information on ‘tr’ (possibly ‘-amp’), potentially referring to the US bounty for five key members of the Conti gang, including the hacker Tramp.”

“In the leaked chat, GG was indeed identified as Tramp (Conti leader) by ‘bio’, (also known as ‘pumba’, another Conti member),” Trellix researchers said.

It should be mentioned that in February 2022, after Russia invaded Ukraine, a researcher leaked internal chats from the Conti operation, where Tramp was referenced as the leader.

However, authorities have officially confirmed Nefedov as the leader of the Black Basta ransomware gang and have added him to Europol’s “Most Wanted” and Interpol’s “Red Notice” lists.

The Black Basta ransomware-as-a-service (RaaS) operation emerged in April 2022 and is believed to be responsible for at least 600 ransomware incidents, data theft, and extortion targeting large organizations worldwide.

Notable victims include German defense contractor Rheinmetall, Hyundai’s European division, BT Group (formerly British Telecom), U.S. healthcare giant Ascension, government contractor ABB, the American Dental Association, U.K. tech outsourcing firm Capita, the Toronto Public Library, and Yellow Pages Canada.

BleepingComputer has contacted the Ukrainian police asking for more information about the operation, but a comment wasn’t immediately available.

