Full Report
German cops have added Russian national Oleg Evgenievich Nefekov to their list of most-wanted criminals for his services to ransomware. Nefekov, 35, is accused of spearheading the Black Basta ransomware operation, which suffered a similar fate to Conti last year – ceasing activity after a major internal leak. His name and face also now appear on the EU's most-wanted list after German authorities on Thursday issued an appeal for information leading to his capture. Active since 2022, Black Basta was the group that filled the LockBit-shaped void in the ransomware scene after the former juggernaut's downfall in 2024. It quickly became the leading group thereafter and attacked around 700 organizations worldwide, according to Germany's federal police (BKA).
Analysis Summary
# Threat Actor: Oleg Evgenievich Nefekov
## Attribution & Identity
* **Primary Identity:** Oleg Evgenievich Nefekov (Age 35).
* **Attribution:** Russian national.
* **Role:** Accused of being the "founder and ringleader" of the Black Basta ransomware operation. Held the position of "managing director" within the group, responsible for setting attack targets, recruitment, task assignment, ransom negotiations, and managing/distributing proceeds.
* **Known Aliases:** tramp, tr, gg, AA, kurva, Washingt0n, S.Jimmi. (Note: The name appeared as 'Nefedov' in associated leaks).
* **Associated Groups:** Black Basta (spearheaded and led). Previously associated with the Conti network, in the context of the Conti leaks.
## Activity Summary
* **Active Period:** Since 2022.
* **Campaigns/Operations:** Spearheaded the Black Basta ransomware operation. Black Basta aggressively filled the void left by LockBit's downfall in 2024, quickly becoming a leading ransomware group.
* **Collapse Context:** Black Basta ceased activity after suffering a major internal leak.
* **Scope:** Attacked approximately 700 organizations worldwide. Authorities estimate the group generated significant undisclosed sums by the end of 2023.
* **Current Status:** Placed on Germany's most-wanted list and the EU's most-wanted list following an appeal for information leading to his capture. Believed to be residing in Russia. Authorities are seeking information on his current whereabouts, travel, and online communication channels.
## Tactics, Techniques & Procedures
* **Core Operation:** Supported the ongoing use of 'Black Basta' ransomware and other malware to infiltrate foreign computer systems.
* **Impact Methods:** Data theft and system encryption to demand ransom.
* **Financial Handling:** Managed ransomware proceeds and used them to pay group members.
* **Command & Control:** Delegated the execution of attacks to affiliates while retaining oversight of operations.
* **Note:** Specific technical TTPs (e.g., specific malware variants or entry vectors beyond "other malware") are not detailed in this summary, only the high-level operational role in using the ransomware.
* **MITRE ATT&CK IDs:** None explicitly mentioned in the source text.
## Targeting
* **Sectors:** Not specified beyond the general description of targeting organizations.
* **Geography:** Worldwide.
* **Victims:** Attacked around 700 organizations worldwide.
## Tools & Infrastructure
* **Malware Families Used:** Black Basta ransomware and "other malware."
* **Infrastructure (C2, domains, IPs):** None mentioned in the source text, so there is nothing to defang. Note that ransom demands were payable in **cryptocurrencies**.
## Implications
Nefekov represents a high-value target for law enforcement due to his alleged role as the founder and chief executive of a major, successful Ransomware-as-a-Service (RaaS) operation that dominated the landscape after 2024. His continued freedom in Russia, juxtaposed with recent reports of him escaping custody abroad in 2024 (allegedly with Russian state assistance), highlights the challenges in prosecuting major transnational cybercriminals. The breakdown of Black Basta due to internal leaks suggests potential internal instability within related threat ecosystems.
## Mitigations
* **General Law Enforcement Focus:** Authorities require actionable human intelligence regarding his location, travel, and online communication methods.
* **Source Protection:** Authorities are promising anonymity to individuals providing information.
* **Cyber Resilience:** Organizations should note Black Basta's rapid ascent to dominance, emphasizing the need for robust defenses against leading ransomware groups.