The alleged leader of the infamous Black Basta hacking group, which has been responsible for at least 525 ransomware attacks since it formed in 2022, has been added to the European Union’s Most Wanted list, as well as to Interpol’s Red Notice list.
The 35-year-old Russian national, Oleg Evgenievich Nefedov, is suspected of founding and directing the operations of the group, “thereby making a significant contribution to carrying out global cyber attacks”, according to German law enforcement authorities.
“Within the group, he held the position of managing director. In this role, he decided on attack targets, recruited employees, assigned them tasks, participated in ransom negotiations, managed the proceeds from the ransom payments, and used them to pay the group members,” Germany’s Federal Criminal Police Office said in a 15 January update.
“Thus, the wanted individual, as ringleader, supported the ongoing use of the ‘Black Basta’ ransomware and other malware, through which the group infiltrated foreign computer systems, stole data and encrypted systems in order to demand a ransom, payable in cryptocurrencies, for decryption.”
Nefedov is also thought to have been involved in the now-defunct Conti ransomware group.
Additionally, Ukrainian and German authorities have identified two further members of the group, who operated inside Ukraine and specialised in “technical hacking of protected systems”.
“The attackers performed the functions of so-called hash crackers – individuals who specialise in extracting passwords to accounts from information systems using specialised software,” Ukrainian authorities said.
“After obtaining the authorisation data of company employees, the group members gained unauthorised access to the internal systems of the companies and expanded the powers of compromised accounts in corporate networks.”
The suspects’ residences were searched, with multiple digital devices seized alongside cryptocurrency assets.
The Australian connection
Blackbasta – also known as Black Basta – has been quiet in Australia of late, but caused a stir in February of 2024 when it claimed Australian firm Zirco Data as a victim on its darknet leak site. At the time, the hackers claimed to have 395 gigabytes of data, including financial documents, personal user folders, and confidentiality agreements.
It was later revealed, however, that several of Zirco Data’s clients, including Monash Health and the Department of Home Affairs, were also affected.
A month later, Blackbasta listed more than a dozen Australian companies as part of a larger data leak of over 700 gigabytes. Advanced Catering Systems, Australian Textile Mills, Aus Weave, The Local Bar, Optimum Health Services, and Wilson Fabrics were all implicated in the leak, which was linked to a Blackbasta attack on a local cloud hosting service.
David Hollingworth