Search This Blog
Powered by Blogger.

Blog Archive

Labels

Footer About

Footer About

Labels

Load More
Trendy Right Now

Popular Posts

Showing posts with label Black Basta Ransomware. Show all posts
Ransomware
AI Black Basta Black Basta Ransomware Cloud Cyber Crime Data Ransomware

Federal Agencies Worldwide Hunt for Black Basta Ransomware Leader


International operation to catch Ransomware leader 

International law enforcement agencies have increased their search for individuals linked to the Black Basta ransomware campaign. Agencies confirmed that the suspected leader of the Russia-based Ransomware-as-a-service (RaaS) group has been put in the EU’s and Interpol’s Most Wanted list and Red Notice respectively. German and Ukrainian officials have found two more suspects working from Ukraine. 

As per the notice, German Federal Criminal Police (BKA) and Ukrainian National Police collaborated to find members of a global hacking group linked with Russia. 

About the operation 

The agencies found two Ukrainians who had specific roles in the criminal structure of Black Basta Ransomware. Officials named the gang’s alleged organizer as Oleg Evgenievich Nefedov from Russia. He is wanted internationally. German law enforcement agencies are after him because of “extortion in an especially serious case, formation and leadership of a criminal organization, and other criminal offenses.”

According to German prosecutors, Nefedov was the ringleader and primary decision-maker of the group that created and oversaw the Black Basta ransomware. under several aliases, such as tramp, tr, AA, Kurva, Washingt0n, and S.Jimmi. He is thought to have created and established the malware known as Black Basta. 

The Ukrainian National Police described how the German BKA collaborated with domestic cyber police officers and investigators from the Main Investigative Department, guided by the Office of the Prosecutor General's Cyber Department, to interfere with the group's operations.

The suspects

Two individuals operating in Ukraine were found to be carrying out technical tasks necessary for ransomware attacks as part of the international investigation. Investigators claim that these people were experts at creating ransomware campaigns and breaking into secured systems. They used specialized software to extract passwords from business computer systems, operating as so-called "hash crackers." 

Following the acquisition of employee credentials, the suspects allegedly increased their control over corporate environments, raised the privileges of hacked accounts, and gained unauthorized access to internal company networks.

Authorities claimed that after gaining access, malware intended to encrypt files was installed, sensitive data was stolen, and vital systems were compromised. The suspects' homes in the Ivano-Frankivsk and Lviv regions were searched with permission from the court. Digital storage devices and cryptocurrency assets were among the evidence of illicit activity that police confiscated during these operations.

Read more »
EU
Black Basta Black Basta Ransomware Black Basta Ransomware gang Cyber Security Cyber Security Ransomware Attacks cybercrime group EU

European Authorities Identify Black Basta Suspects as Ransomware Group Collapses

 

Two Ukrainians are now under suspicion of aiding Black Basta, a ransomware network tied to Russia, after joint work by police units in Ukraine and Germany - this step adds pressure on the hacking group’s operations. The man believed to lead the gang, Oleg Evgenievich Nefedov, aged thirty-five and holding Russian citizenship, appears on key global alerts: one issued by the EU, another by INTERPOL. Though named, he remains at large. 

A Ukrainian cybercrime unit identified two people who handled technical tasks for a ransomware network, focusing on breaking into secured systems. These individuals worked by uncovering encrypted passwords through dedicated tools. Their job was to unlock access codes so others could move deeper. With those login details, associates entered company servers without permission. They installed malicious encryption programs afterward. Victims then faced demands for money before files would be released. 

Finding hidden data drives inside apartments across Ivano-Frankivsk and Lviv opened a path toward tracking illegal transactions. Though police stayed silent on custody details, they emphasized digital trails now feed directly into active probes. 

Emerging in April 2022, Black Basta quickly rose as a leading ransomware force worldwide. Over 500 businesses in North America, Europe, and Australia faced its attacks, bringing in hundreds of millions through crypto ransoms. Instead of acting alone, the group used a service-based approach, pulling in partners who received profit cuts for launching assaults on their behalf. 

Early in 2025, internal chat records from Black Basta were made public, showing how the group operated and naming those involved. Nefedov emerged as the central figure behind the network; his known aliases included Tramp, Trump, GG, and AA. Evidence within the files suggested ties between him and high-level individuals in Russian politics. Links to state security bodies like the FSB and GRU appeared in some messages. 

Such affiliations might explain why legal action against him never moved forward. The disclosure offered rare insight into an otherwise hidden criminal ecosystem. A report from June 2024 noted a short detention of Nefedov in Yerevan, Armenia; authorities let him go afterward. Although listed internationally as a fugitive, where he is now has not been confirmed - evidence suggests Russia may be harboring him. 

Some researchers connect Nefedov to Conti, a well-known ransomware outfit that ended in 2022. When Conti broke apart, new groups appeared - Black Basta, BlackByte, and KaraKurt among them. Following the split, ex-Conti members moved into different ransomware efforts, though certain ones eventually stopped operating. A different analysis by Analyst1 showed Black Basta made frequent use of Media Land - an internet host blacklisted by U.S., British, and Australian governments in late 2025 due to its resistance to takedown requests. 

According to officials in Germany, Nefedov was responsible for choosing victims, bringing in new people, handling payment talks after attacks, then splitting the money taken with others involved. After the leaks, activity from Black Basta's systems stopped. Its public leak page vanished by February. 

Still, security analysts note such criminal networks frequently reappear under different names or combine forces elsewhere. Data collected by ReliaQuest together with Trend Micro points toward ex-members possibly joining CACTUS. A sharp increase in victims claimed by CACTUS emerged right when Black Basta faded.
Read more »
ransomware-as-a-service
Black Basta Ransomware Cyber Crime Cybercrime Investigation European law enforcement ransomware arrests ransomware-as-a-service

European Authorities Identify Black Basta Operatives, Add Alleged Ringleader to EU Most Wanted List

 

Law enforcement agencies in Ukraine and Germany have identified two Ukrainian nationals suspected of collaborating with the Russia-linked ransomware-as-a-service (RaaS) group known as Black Basta.

Authorities also confirmed that the group’s alleged leader, 35-year-old Russian citizen Oleg Evgenievich Nefedov (Нефедов Олег Евгеньевич), has been placed on both the European Union’s Most Wanted list and INTERPOL’s Red Notice database.

"According to the investigation, the suspects specialized in technical hacking of protected systems and were involved in preparing cyberattacks using ransomware," Ukraine’s Cyber Police said in an official statement.

Investigators revealed that the two suspects allegedly operated as “hash crackers,” focusing on extracting passwords from secured systems using specialized tools. Once credentials were obtained, other members of the ransomware operation infiltrated corporate networks, deployed ransomware, and demanded payment in exchange for restoring access to encrypted data.

Search operations carried out at the suspects’ homes in Ivano-Frankivsk and Lviv resulted in the seizure of digital storage devices and cryptocurrency holdings, authorities said.

Active since April 2022, Black Basta has reportedly attacked more than 500 organizations across North America, Europe, and Australia. The ransomware group is believed to have generated hundreds of millions of dollars in cryptocurrency through extortion payments.

In early 2025, a cache of internal Black Basta chat logs spanning roughly a year surfaced online. The leaked material provided rare insight into the group’s hierarchy, internal communications, key participants, and the security flaws they exploited to gain initial access to victim networks.

Those leaks identified Nefedov as the central figure behind Black Basta, noting that he operated under multiple aliases including Tramp, Trump, GG, and AA. Additional documents alleged that he maintained links with senior Russian political figures and intelligence services, including the FSB and GRU.

Investigators believe Nefedov used these alleged connections to shield his activities and avoid prosecution. Analysis by Trellix later indicated that despite being arrested in Yerevan, Armenia, in June 2024, Nefedov managed to secure his release. Other aliases attributed to him include kurva, Washingt0n, and S.Jimmi. While he is believed to be residing in Russia, his precise location remains unknown.

Further intelligence has linked Nefedov to Conti, the now-defunct ransomware group that emerged in 2020 as a successor to Ryuk. In August 2022, the U.S. State Department announced a $10 million reward for information leading to five individuals associated with Conti, including Target, Tramp, Dandis, Professor, and Reshaev.

Black Basta emerged as an independent operation following the Conti brand’s shutdown in 2022, alongside groups such as BlackByte and KaraKurt. Former Conti affiliates also dispersed to other ransomware operations including BlackCat, Hive, AvosLocker, and HelloKitty, many of which have since ceased activity.

A separate report released this week by Analyst1 highlighted Black Basta’s heavy reliance on Media Land, a bulletproof hosting provider sanctioned by the U.S., U.K., and Australia in November 2025, along with its general director Aleksandr Volosovik, also known as Yalishanda. Despite the sanctions, the group allegedly received preferential, VIP-level service.

"[Nefedov] served as the head of the group. As such, he decided who or which organisations would be the targets of attacks, recruited members, assigned them tasks, took part in ransom negotiations, managed the ransom obtained by extortion, and used it to pay the members of the group," Germany’s Federal Criminal Police Office (BKA or Bundeskriminalamt) stated.

Following the leaks, Black Basta appears to have ceased operations. The group has remained inactive since February and dismantled its data leak site later that month. However, cybersecurity experts caution that ransomware groups often dissolve only to reappear under new identities.

Reports from ReliaQuest and Trend Micro suggest that several former Black Basta affiliates may have transitioned to the CACTUS ransomware operation. This theory is supported by a sharp increase in victims listed on CACTUS’ leak site in February 2025, coinciding with Black Basta’s disappearance.
Read more »
malware
Akira Ransomware Black Basta Ransomware Credential Theft malware

Black Basta Ransomware: New Tactics and Growing Threats

 


The Black Basta ransomware group, an offshoot of the now-defunct Conti group, has adapted its attack strategies by integrating sophisticated social engineering techniques. Recent trends include email bombing, malicious QR codes, and credential theft, showcasing the group’s commitment to exploiting vulnerabilities in organizational defenses. 
 
The group begins its operations with email bombing—flooding a target's inbox with subscription-based messages from various mailing lists. This overload often leads victims to seek assistance, creating an opportunity for attackers to impersonate IT staff or support teams. Since August 2024, impersonation tactics have extended to platforms like Microsoft Teams, where attackers persuade victims to install legitimate remote access tools such as AnyDesk, TeamViewer, or Microsoft’s Quick Assist. Microsoft has identified the misuse of Quick Assist by threat actors labeled "Storm-1811." 
 
Malicious QR codes are another tool in the group’s arsenal. Victims are sent codes via chats, claiming to link trusted mobile devices. These QR codes redirect users to malicious websites, enabling attackers to harvest credentials. Cybersecurity experts have noted that attackers sometimes use OpenSSH clients to open reverse shells, providing deeper system access. 
  
Malware Delivery and Payload Objectives 
 
After gaining initial access, Black Basta deploys malicious payloads designed to escalate the attack. Key malware tools include:
  • Zbot (ZLoader): Credential-harvesting malware.
  • DarkGate: Multi-purpose malware for executing subsequent attacks.
These tools allow attackers to steal sensitive information, such as user credentials and VPN configurations, which they use to bypass multi-factor authentication (MFA) and infiltrate organizational systems. Black Basta’s proprietary tools further enhance its effectiveness:
  • KNOTWRAP: Executes payloads directly in memory, bypassing traditional detection methods.
  • KNOTROCK: Specialized utility for deploying ransomware.
  • PORTYARD: Facilitates secure connections with command-and-control servers.
Emerging Ransomware Trends 
 
Black Basta’s innovations align with broader trends in ransomware development. New groups, like Akira and Rhysida, are also leveraging advanced techniques. Akira, developed in Rust, uses pre-built libraries to enhance efficiency, while Rhysida employs tactics like fake software websites and SEO poisoning to spread malware. These trends highlight the growing sophistication of ransomware operations. 
 
 
Defensive Measures for Organizations 
 

The Black Basta group exemplifies the evolution of cybercrime, combining email bombing, impersonation, and advanced malware tools in hybrid attack models. To counter these threats, organizations must:
  • Regularly update security systems to address vulnerabilities.
  • Implement robust training programs to help employees identify social engineering tactics.
  • Strengthen multi-factor authentication and endpoint protection measures.
As cybercriminals continue to adapt, proactive defense and vigilance remain essential to safeguarding organizational systems from these evolving threats.
Read more »
ransomware prevention
Black Basta Ransomware cybercrime group attack file-encrypting malware malware Microsoft Teams malware phishing campaigns 2024 ransomware prevention

Black Basta Targets Microsoft Teams with New Ransomware Tactics

 

The Black Basta ransomware group has resurfaced with a concerning method of spreading file-encrypting malware, now targeting Microsoft Teams. The group, notorious for cyberattacks on technology, finance, and public sector industries, exploits the popular collaboration platform to infiltrate networks.

First observed in October 2024, this new tactic shows a shift from previous approaches. Active since April 2022, Black Basta initially used spam and social engineering to distribute malware. Now, they impersonate IT support staff or colleagues, tricking users into providing credentials for fake network logins, enabling the deployment of malware. This deceptive method replaces older techniques like phone-based social engineering.

Microsoft Teams is a strategic target due to its global use in corporate communication. Many employees trust messages within the platform, often overlooking verification steps. This makes them more vulnerable to attackers who exploit this trust to gain unauthorized access.

In 2023, Black Basta was connected to email phishing campaigns involving links to malicious websites. While those campaigns focused on harvesting credentials and delivering malware, the group's shift to real-time platforms like Teams indicates a significant evolution in their strategy.

Microsoft urges users to exercise caution with suspicious messages, especially those requesting sensitive information or financial transactions. "If a message in Teams appears to ask for credentials or money transfers, users are advised to verify the sender’s identity through other channels," the company recommended. Avoiding unknown links and confirming requests through phone or email are key practices to prevent such attacks.
Read more »
Ransomware attack
Ascension hacked Black Basta Ransomware Data Breach employee downloaded malicious file Healthcare cybersecurity MyChart breach Ransomware attack

Ascension Breached Due to Employee Downloading Malicious File

 

Ascension, one of the largest healthcare systems in the United States, disclosed that a ransomware attack in May 2024 was initiated when an employee mistakenly downloaded a malicious file onto a company device.

The healthcare provider indicated that the employee likely believed they were downloading a legitimate file, classifying the incident as an "honest mistake."

The ransomware attack disrupted the MyChart electronic health records system, phone lines, and systems for ordering tests, procedures, and medications. In response, Ascension took some devices offline on May 8 to address what was initially termed a "cyber security event."

As a result, staff had to record procedures and medications manually since electronic patient records were inaccessible. Ascension also temporarily halted some non-urgent elective procedures, tests, and appointments and redirected emergency medical services to other facilities to avoid delays in patient care.

As of Wednesday, Ascension reported that certain services remain affected and that efforts to restore electronic health record systems, patient portals, and phone systems, as well as test, procedure, and medication ordering systems, are ongoing.

An ongoing investigation revealed that the attackers accessed and stole files from only seven of the thousands of servers on Ascension's network.

"Currently, we have evidence showing the attackers accessed files from a limited number of servers used by our staff for daily tasks. These servers account for seven out of approximately 25,000 across our network," an Ascension spokesperson stated. "While the investigation continues, we believe some of the compromised files may contain Protected Health Information (PHI) and Personally Identifiable Information (PII), though the specific data affected varies."

However, Ascension has not found evidence that the attackers accessed data from its Electronic Health Records (EHR) and other clinical systems, which contain comprehensive patient records.

Though Ascension has not officially identified the responsible party, CNN reported that the Black Basta ransomware group is suspected to be behind the attack.

Shortly after the incident, the Health Information Sharing and Analysis Center (Health-ISAC) issued a warning that Black Basta had intensified its attacks on the healthcare sector.

Since its emergence in April 2022, Black Basta has targeted numerous high-profile organizations, including Rheinmetall, Capita, ABB, and the Toronto Public Library. Research by Elliptic and Corvus Insurance indicated that the group had extorted over $100 million from more than 90 victims as of November 2023.

As a major nonprofit health network, Ascension operates 140 hospitals and 40 senior care facilities. In 2023, it reported a total revenue of $28.3 billion. The organization employs 8,500 providers, with 35,000 affiliated providers and 134,000 associates across 19 states and the District of Columbia.
Read more »
Proofprint
Black Basta Ransomware Cyber Attacks CyberCrime Data Theft Email Phishing Email scam email security Hacekrs NTLM Proofprint

New Email Scam Targets NTLM Hashes in Covert Data Theft Operation

 


TA577 has been identified as a notorious threat actor who orchestrated a sophisticated phishing campaign, according to researchers at security firm Proofpoint. Currently, the group is utilizing a new method of phishing involving ZIP archive attachments. This tactic is geared towards pilfering the hash data of NT LAN Manager (NTLM) users.

According to our investigation, this group is utilizing a chain of attacks aimed at stealing authentication information from the NT LAN Manager (NTLM) system. It would be possible to exploit this method for obtaining sensitive data and facilitating further malicious activity if this method were to be exploited. 

By using booby-trapped email attachments containing booby-trapped NTLM hashes to steal employees' NTLM hashes, a threat actor that is known for establishing initial access to organizations' computer systems and networks is using these attachments to steal employees’ hashes. Earlier this week, enterprise security firm Proofpoint published a report that suggested that the new attack chain "is capable of gathering sensitive information and facilitating follow-on activities." 

As reported by the company, at least two phishing campaigns have utilized this approach since February 26, 2024, when thousands of messages were distributed worldwide and hundreds of organizations were targeted. As an initial access broker (IAB), TA577 has previously been associated with Qbot and has been linked to Black Basta ransomware infections. 

The phishing waves spread thousands of messages around the world and targeted hundreds of organizations. The email security company Proofpoint reported today that although it has seen TA577 favouring Pikabot deployment in recent months, two recent attacks indicate that TA577 has taken a different approach to the attack. 

A group called TA578, which has been linked with the Qbot malware campaign and the Black Basta ransomware campaign, is one of the first access brokers. Recently, it has demonstrated an increasing interest in exploiting authentication protocols despite its previous inclination toward deploying Pikabot malware. 

NTLM hashes are a cornerstone of the security of Windows systems for authentication and session management. Attackers are extremely interested in these hashes as they are potentially useful in offline password cracking and in pass-the-hash attacks, which do not require actual passwords to gain access to services but instead use hashes as shortcuts. 

A technique known as thread hijacking, by which the attackers craft phishing emails that seem like legitimate follow-up emails to ongoing conversations, is used by the attackers. There is a malicious external server that is used to capture NTLM hashes, as these emails contain personalized ZIP files with HTML documents. When opened, these malicious servers start connecting to a malicious external server that has been set up specifically to capture these hashes. 

TA577 likely has the resources, time, and experience to iterate and test new delivery methods at the rate at which it adopts and distributes new tactics, techniques, and procedures (TTPs). TA577, along with other IABs, seems to be on top of the threat landscape and understands when and why certain attack chains cease to be effective. 

To increase the effectiveness and likelihood of victim engagement with their payload delivery and bypass detections, they will be able to create new methods to bypass detections and make use of them as quickly as possible. Researchers at Proofpoint have also noticed an increase in the use of file scheme URIs to direct recipients to external file shares such as SMB and WebDAV for the delivery of malware. To prevent exploits identified in this campaign, organizations should block outbound SMBs to prevent these sophisticated attacks. 

While restricting guest access to SMB servers is a simple security measure, it falls short of preventing these sophisticated attacks. The company advises that strict email filtering be implemented, outbound SMB connections should not be allowed, and Windows group policies should be activated to minimize the risk. 

To combat these types of NTLM-based threats effectively, Microsoft has introduced advanced security features into Windows 11 to help users. It is important to maintain constant vigilance and take strong security measures to prevent phishing attacks targeting the NTLM authentication protocol. For organizations to remain safe from sophisticated cybercriminal endeavours, they must stay abreast of emerging threats and adjust their defences to keep up with the rapidly evolving threats.
Read more »
Willis Lease Finance
Black Basta Ransomware Cyber Security Cybersecurity Incident Data Breach Jet engines major airlines SEC filing unauthorized activity Willis Lease Finance

Dealers of Jet Engines to Major Airlines Reveals 'Unauthorized Activity'

 

The Willis Lease Finance Corporation has disclosed to US regulators that it was targeted in a "cybersecurity incident," with data allegedly taken from the company being shared on the Black Basta ransomware group's leak blog.

In a filing submitted to the Securities and Exchange Commission (SEC) on February 9, the publicly listed company on NASDAQ stated that it became aware of a potential breach on January 31, prompting immediate action to address the situation.

According to the filing, the company initiated an investigation into the incident with the help of leading cybersecurity experts, taking measures to contain and address the activity, including temporarily shutting down certain systems. The company reported no unauthorized activity after February 2, 2024, and believes it has successfully contained the breach.

During the period when systems were offline, the company acknowledged resorting to alternative methods to maintain operations and serve customers, although specific details were not provided.

Willis Lease Finance also stated it is still evaluating the extent of the breach and whether any data was compromised. Law enforcement has been notified about the breach.

Although the company refrained from explicitly mentioning "ransomware" or "attack" in its disclosure, the presence of passport scans on Black Basta's website suggests that the investigation into potential data theft may yield results soon.

The ransomware group claims to have obtained 910 GB of company data, including information about customers, employees, HR records, non-disclosure agreements (NDAs), among others. Black Basta published a selection of documents online, including screenshots of accessed files, HR documents containing social security numbers, and identity documents such as passports.

Attempts to match names on these documents with online profiles revealed matches predominantly in the US and UK, along with some from other countries.

Efforts to reach Willis Lease Finance for comment were unsuccessful at the time of reporting.

Established for over 45 years, Willis Lease Finance describes itself as a leading independent provider of jet engines to major airlines worldwide.

Black Basta, known for its high-profile ransomware attacks, is linked to the now-defunct Conti group and is believed to have amassed over $100 million from its victims, including major organizations like Capita and Southern Water in the UK.
Read more »
Subscribe to: Comments (Atom)