Full Report
Ukrainian and German law enforcement authorities have identified two Ukrainians suspected of working for the Russia-linked ransomware-as-a-service (RaaS) group Black Basta. In addition, the group's alleged leader, a 35-year-old Russian national named Oleg Evgenievich Nefedov (Нефедов Олег Евгеньевич), has been added to the European Union's Most Wanted and INTERPOL's Red Notice lists, authorities
Analysis Summary
# Threat Actor: Black Basta RaaS Group (Leader: Oleg Evgenievich Nefedov)
## Attribution & Identity
* **Primary Actor Group:** Black Basta (Ransomware-as-a-Service group).
* **Alleged Leader:** Oleg Evgenievich Nefedov (Нефедов Олег Евгеньевич), a 35-year-old Russian national. Listed on EU's Most Wanted and INTERPOL's Red Notice.
* **Known Aliases (Nefedov):** Tramp, Trump, GG, AA, kurva, Washingt0n, S.Jimmi.
* **Associated Groups/Lineage:** Linked to the defunct Conti group (which succeeded Ryuk). Black Basta emerged in 2022 after Conti retired, alongside BlackByte and KaraKurt. Nefedov was previously associated with Conti members targeted by a US State Department reward (Target, Tramp, Dandis, Professor, Reshaev).
* **Suspected Affiliated Personnel:** Two Ukrainians identified by law enforcement, suspected of working for the group, specializing in penetration and credential cracking.
* **Alleged State Connections:** Documents suggest Nefedov has ties to high-ranking Russian politicians and intelligence agencies, specifically the FSB and GRU, used for operational protection.
## Activity Summary
* **Recent Law Enforcement Action:** Ukrainian and German law enforcement identified two Ukrainian suspects involved in technical hacking and credential extraction for Black Basta. Searches were conducted in Ivano-Frankivsk and Lviv, seizing digital storage devices and cryptocurrency.
* **Historical Campaigns:** Black Basta emerged in April 2022. It is estimated to have targeted over 500 companies globally.
* **Financial Impact:** Estimated earnings of hundreds of millions of dollars in cryptocurrency from illicit payments.
## Tactics, Techniques & Procedures
* **Initial Access/Infiltration:** Gaining initial access to organizations of interest (methods detailed in leaked chats).
* **Gaining Persistence/Privilege:** Utilizing technical hacking methods to compromise protected systems.
* **Credential Cracking:** Suspects within the network functioned as "hash crackers," specializing in extracting passwords from systems using specialized software.
* **Deployment and Extortion:** Breaking into corporate networks followed by ransomware deployment and extortion demands.
* **Evasion:** Nefedov leveraged alleged connections to bypass arrest after being detained in Yerevan, Armenia, in June 2024.
* **MITRE ATT&CK IDs:** No specific technique IDs are given in the source text.
## Targeting
* **Sectors:** Not explicitly detailed, but implied targeting of large companies across multiple jurisdictions.
* **Geography:** North America, Europe, and Australia.
* **Victims:** Over 500 companies targeted since April 2022.
## Tools & Infrastructure
* **Malware Families Used:** Black Basta Ransomware.
* **Infrastructure (C2, domains, IPs):** No specific C2 infrastructure, domains, or IPs were mentioned in the summary text.
## Implications
The identification and international listing of the alleged leader (Nefedov) signal a significant escalation in international enforcement efforts against major RaaS operations linked to Russian threat actors. The confirmed lineage from Conti suggests a well-established and resilient criminal ecosystem. The exploitation of specialized roles (like hash crackers) indicates structured internal organization.
## Mitigations
* **Credential Security:** Implement robust measures against credential harvesting and cracking (e.g., MFA, strong password policies, monitoring for unusual extraction attempts).
* **Network Segmentation and Access Control:** Limit the blast radius of any successful intrusion to prevent the deployment of ransomware across corporate networks.
* **Monitoring for Anomalous Activity:** Enhance monitoring for post-compromise activity associated with known Conti/Black Basta TTPs, particularly focused on lateral movement and privilege escalation preceding ransomware deployment.