Full Report
A Ukrainian national pleaded guilty today to one count of conspiracy to commit computer fraud for his role in a series of international ransomware attacks. According to court documents, Artem Aleksandrovych Stryzhak, 35, of Barcelona, Spain, conspired with others to deploy the Nefilim ransomware against victim computer networks in the United States and other countries,... Source
Analysis Summary
# Incident Report: Nefilim Ransomware Conspiracy & Guilty Plea
## Executive Summary
This report summarizes the activities of Artem Aleksandrovych Stryzhak, a Ukrainian national, who pleaded guilty to conspiracy to commit computer fraud for his role in deploying the Nefilim ransomware against international victim networks. Stryzhak gained access to the ransomware platform in mid-2021 and specifically targeted large companies in the US, Canada, and Australia, utilizing data exfiltration threats as part of the double extortion scheme. The operational details focus on the conspiracy structure and the legal repercussions leading to his arrest and subsequent guilty plea.
## Incident Details
- **Discovery Date:** Ongoing investigation (plea entered December 20, 2025; date inferred from the report context)
- **Incident Date:** Ongoing attacks commencing around July 2021
- **Affected Organization:** Multiple victim computer networks in the United States, Canada, and other countries (specific victims not disclosed in the summary)
- **Sector:** Undisclosed/varied (targeted organizations with annual revenues >$100M, later >$200M)
- **Geography:** The conspiracy involved individuals in Ukraine and in Barcelona, Spain (Stryzhak's residence); victims were located primarily in the US, Canada, and Australia.
## Timeline of Events
### Initial Access
- **Date/Time:** Post-June 2021 (Stryzhak gained access to the Nefilim code/platform)
- **Vector:** Gaining affiliate/operator access through the Nefilim ransomware platform ("panel").
- **Details:** Stryzhak negotiated with Nefilim administrators, securing access in exchange for 20% of his ransom proceeds. He inquired about using alternative usernames for opsec ("in case the panel gets hacked into by the feds").
### Lateral Movement
- **Date/Time:** On or about July 2021, following initial network access.
- **Vector:** Unauthorized access to victim networks.
- **Details:** Stryzhak and co-conspirators researched potential victims using online databases to confirm company size and contact information *after* gaining unauthorized access, indicating post-access reconnaissance for targeting prioritization.
### Data Exfiltration/Impact
- **Date/Time:** Ongoing during the compromise period.
- **Impact:** Files locked by Nefilim ransomware; deployment of double extortion methodology.
- **Details:** Attackers threatened to publish stolen data on publicly accessible "Corporate Leaks" websites maintained by Nefilim administrators if ransoms were not paid.
### Detection & Response
- **Date/Time:** Arrest occurred in June 2024; extradition to the US on April 30 (year not specified, but prior to the December 2025 report date).
- **Response actions taken:** International law enforcement coordination (FBI, Spanish authorities) leading to Stryzhak's arrest in Spain and subsequent extradition to the U.S. Stryzhak pleaded guilty to conspiracy in December 2025.
## Attack Methodology
*Note: Specific technical details beyond the ransomware deployment are inferred from standard ransomware group practices.*
- **Initial Access:** Acquiring affiliate status on the Nefilim Ransomware-as-a-Service (RaaS) platform.
- **Persistence:** Not explicitly detailed, but implied through the continued operation of the ransomware executable.
- **Privilege Escalation:** Not explicitly detailed.
- **Defense Evasion:** Not explicitly detailed. Stryzhak expressed concern about operational security (opsec) via the panel.
- **Credential Access:** Not explicitly detailed.
- **Discovery:** Post-breach reconnaissance using online databases to confirm victim financial metrics (annual revenue) and contact details before prioritizing a target for extortion.
- **Lateral Movement:** Implied mechanism to move within the network to deploy the final payload.
- **Collection:** Data was stolen prior to encryption for use in the double-extortion tactic.
- **Exfiltration:** Data was prepared for publication on "Corporate Leaks" sites if payment demands were unmet.
- **Impact:** Encryption of victim computer networks using unique, tailored Nefilim ransomware executables.
## Impact Assessment
- **Financial:** Significant damage to victim computer systems (unquantified). Stryzhak paid 20% of his ransom proceeds to the Nefilim operators as the price of platform access.
- **Data Breach:** Sensitive data stolen and threatened with public release (Double Extortion).
- **Operational:** Disruption to victim computer systems due to encryption.
- **Reputational:** Implied damage due to publicized data leaks if ransoms failed.
## Indicators of Compromise
*Due to the nature of the provided text focusing on legal action rather than technical artifacts, specific IOCs (IPs, hashes) are unavailable.*
- **Network indicators:** Not available.
- **File indicators:** Nefilim ransomware executables (unique per victim).
- **Behavioral indicators:** Use of the Nefilim online operations "panel". Targeting criteria based on $100M+ (later $200M+) annual revenue.
## Response Actions
*Response actions described focus on law enforcement/legal actions, not organizational IR:*
- **Containment measures:** Not applicable (Law enforcement action focuses on takedown).
- **Eradication steps:** Stryzhak’s participation in the criminal enterprise was halted via arrest and prosecution.
- **Recovery actions:** Victims would have utilized unique decryption keys provided upon payment (when applicable) or relied on backups/rebuilds.
## Lessons Learned
- **Conspiracy and RaaS Models:** International criminal operations rely heavily on affiliate models (RaaS) to scale attacks globally.
- **Targeting Sophistication:** Threat actors actively profile victims based on financial metrics ($100M+/ $200M+ revenue) to maximize their leverage during extortion.
- **Double Extortion Persistence:** The threat of public data leaks remains a core component of ransomware negotiations.
## Recommendations
- **Enhanced Network Segmentation:** Limit the blast radius upon successful initial access by ransomware affiliates.
- **Due Diligence on Ransomware Payments:** Recognize that payment does not guarantee stolen data will be deleted or withheld from the "Corporate Leaks" sites; exfiltrated data may still be exposed.
- **Strengthen Digital Defenses:** Proactive threat hunting and monitoring are essential, particularly because these actors profile and prioritize victims after they have already gained access, leaving a window in which detection can prevent encryption and data theft.