Ukraine–Germany operation targets Black Basta, Russian leader wanted

Police in Ukraine and Germany identified Black Basta suspects and issued an international wanted notice for the group’s alleged Russian leader.

Ukrainian and German police raided homes linked to alleged Black Basta ransomware members, identifying two Ukrainian suspects. Law enforcement also issued an international wanted notice for the group’s alleged Russian ringleader.

“The Office of the Prosecutor General, in close cooperation with the competent authorities of the Federal Republic of Germany, has uncovered two citizens of Ukraine who were part of the international cybercriminal group Black Basta.” reads the press release published by the Ukrainian Office of the Prosecutor General. “As part of international cooperation, law enforcement agencies from Ukraine and Germany conducted searches at the residences and activities of two citizens of Ukraine who were responsible for hacking hash files. The access data obtained in this way was used for further dissemination of malicious software in the networks of the victims. During the searches, mobile phones, computer equipment, and handwritten notes were seized. The analysis of the seized materials is ongoing.”

Black Basta ransomware-as-a-service (RaaS) has been active since April 2022, it impacted several businesses and critical infrastructure entities across North America, Europe, and Australia. The cybercrime group has impacted over 500 organizations worldwide, causing hundreds of millions of dollars in damage. Two suspects in western Ukraine allegedly worked as “hash crackers,” stealing and recovering passwords to enable network intrusions, data theft, and ransomware deployment.

Police seized digital devices and cryptocurrency during raids, and analysis of the evidence is ongoing.

“As part of the documented activities of the group, a series of cyberattacks have been recorded, resulting in over 100 companies in Germany and about 700 companies worldwide experiencing prolonged disruptions to their operations.” continues the press release. “Among the victims are hospitals, public institutions, and government authorities. According to available data, the damages in Germany alone exceed 20 million euros.”

In December 2023, Elliptic and Corvus Insurance published a joint research that revealed the group accumulated at least $107 million in Bitcoin ransom payments since early 2022. According to the experts, the ransomware gang has infected over 329 victims, including ABB, Capita, Dish Network, and Rheinmetall. 

The researchers analyzed blockchain transactions, they discovered a clear link between Black Basta and the Conti Group.

Germany’s Federal Criminal Police Office identified Russian national Oleg Nefedov as the alleged leader of the Black Basta ransomware group. Authorities accuse him of forming a criminal organization abroad, large-scale extortion, and cybercrime. Investigators say he chose targets, recruited members, coordinated attacks, negotiated ransoms, and distributed cryptocurrency proceeds. Operating under multiple online aliases, Nefedov may also have links to the Conti ransomware group. Believed to be in Russia, he is now on Interpol’s international wanted list.

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

Pierluigi Paganini

(SecurityAffairs – hacking, Black Basta ransomware)