Black Basta’s playbook lives on as former affiliates launch fast-scale intrusion campaign

14 April 2026 at 12:25

A small group of former Black Basta affiliates has targeted more than 100 employees across dozens of organizations, breaking into networks for potential data theft, ransomware deployment and extortion, according to ReliaQuest.

The social engineering campaign, which involves mass email bombing and Microsoft Teams help desk impersonation, surged last month and dates back to at least May 2025, ReliaQuest said in a report Tuesday. 

Attackers have primarily targeted senior leadership to gain highly privileged access. “Roughly three-quarters of targeted users were executives, directors, managers or similarly high-value roles,” researchers who worked on the report told CyberScoop via email. 

Cybercriminals involved in Black Basta, an offshoot of Conti, scattered after the threat group’s internal chat logs leaked online in February 2025, providing threat researchers and authorities key details about the group’s operations. 

German police publicly identified Oleg Evgenievich Nefedov, a Russian national, as Black Basta’s alleged leader in January. Nefedov, a 35-year-old who was subsequently added to the most-wanted lists of Europol and Interpol, allegedly formed and ran Black Basta since 2022, authorities said. 

He is accused of extorting more than 100 companies in Germany and about 600 other countries globally.

ReliaQuest said the recently observed campaign shares many similarities with previous Black Basta activity and follows the same playbook — tooling, targeting and execution style — associated with the once-prolific ransomware group. 

“That includes the repeated use of remote access tools, a strong concentration in sectors Black Basta historically favored, and a level of speed and coordination that suggests experienced operators are building on a playbook they already know works,” researchers said. 

“We’re careful not to treat any one artifact as definitive proof, but taken together, the similarities are strong enough that we assess it is highly likely former affiliates or closely aligned operators are involved,” ReliaQuest researchers added. 

Black Basta’s data leak site was shut down shortly after its internal chats were leaked last year, but uncaptured cybercriminals typically scatter and join new groups in the wake of a takedown or disbandment. Threat hunters warned that former members were still actively targeting additional victims earlier this year. 

ReliaQuest released its report, including indicators of compromise, after it observed a particularly sharp spike in activity in March, noting that the group’s targeting was more focused on senior employees.

“The operators are moving very quickly, with parts of the workflow becoming more automated or highly streamlined, which makes the campaign easier to scale and harder for defenders to interrupt before remote access is established,” researchers said.

The top five sectors targeted in recent Black Basta-style attacks are manufacturing, professional services, finance and insurance, construction, and technology, according to ReliaQuest.

Attackers typically bombard targeted employees with hundreds of emails within minutes and then contact those users, posing as IT support via Microsoft Teams direct messages or a phone call. ReliaQuest said it has observed some attackers achieve remote access within minutes of the first sign of an email bomb.
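An added detection example, not part of the article or of ReliaQuest's report, that encodes the tempo described above: flag any recipient who receives 100 or more inbound mails inside a sliding five-minute window, then pair that flag with any Teams message from outside the tenant that arrives within the next half hour. The event format, thresholds, addresses and sample telemetry are all constructed assumptions.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample telemetry (assumption, not data from ReliaQuest's report).
# Each event is (timestamp, kind, recipient, sender); "mail" is an inbound
# message accepted by the gateway, "teams" a chat from outside the org's tenant.
BASE = datetime(2026, 3, 10, 9, 0, 0)
SAMPLE_EVENTS = (
    # 150 sign-up confirmations hitting one executive inside two and a half minutes
    [(BASE + timedelta(seconds=i), "mail", "cfo@example.com",
      f"noreply{i}@list-example.net") for i in range(150)]
    # a normal user's inbox: a dozen mails spread over six hours
    + [(BASE + timedelta(minutes=30 * i), "mail", "dev@example.com",
        "colleague@example.com") for i in range(12)]
    # "IT support" reaches the bombed executive on Teams seven minutes in
    + [(BASE + timedelta(minutes=7), "teams", "cfo@example.com",
        "support@external-tenant.example")]
    # an unrelated external Teams contact to the normal user hours later
    + [(BASE + timedelta(hours=3), "teams", "dev@example.com",
        "partner@vendor.example")]
)

def detect_email_bombs(events, threshold=100, window=timedelta(minutes=5)):
    """Return {recipient: detection time} for every recipient who receives at
    least `threshold` inbound mails within any sliding `window`."""
    recent = defaultdict(deque)   # recipient -> timestamps still inside the window
    flagged = {}
    for ts, kind, rcpt, _sender in sorted(events):
        if kind != "mail" or rcpt in flagged:
            continue
        q = recent[rcpt]
        q.append(ts)
        while ts - q[0] > window:  # evict mails that fell out of the window
            q.popleft()
        if len(q) >= threshold:
            flagged[rcpt] = ts
    return flagged

def correlate_teams_followups(events, bombs, max_gap=timedelta(minutes=30)):
    """Pair each bombed recipient with external Teams senders who contacted
    them within `max_gap` after detection: the help-desk impersonation step."""
    hits = []
    for ts, kind, rcpt, sender in sorted(events):
        start = bombs.get(rcpt)
        if kind == "teams" and start is not None and timedelta(0) <= ts - start <= max_gap:
            hits.append((rcpt, sender, ts))
    return hits
```

Feeding real gateway and Teams audit events into the same tuple shape gives a per-user alert that fires while the bomb is still in progress, before the impersonation call lands.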

Researchers did not say how many organizations have been successfully breached as a result of this campaign so far. 

While extortion appears to be the most likely objective, ReliaQuest cautioned against assuming every attack results in ransomware encryption.

“Based on what we’ve observed, the intrusion chain is built to gain access quickly, understand the environment, and create options for follow-on monetization,” researchers said. “That could lead to data theft, extortion without encryption, or ransomware deployment, depending on the victim and the opportunity.”

The post Black Basta’s playbook lives on as former affiliates launch fast-scale intrusion campaign appeared first on CyberScoop.

Black Basta’s alleged ringleader identified as authorities raid homes of other members

21 January 2026 at 11:33

Law enforcement agencies from multiple European countries are still pursuing leads on people involved in the Black Basta ransomware group, nearly a year after the group’s internal chat logs were leaked, exposing key details about its operations, and at least six months since the group last claimed responsibility for new attacks.

Officials in Ukraine and Germany said they raided the homes of two Russian nationals accused of participating in Black Basta’s crimes and effectively halted their operations. The pair of alleged criminals who were living in Ukraine were not named.

German police publicly identified a third Russian national — Oleg Evgenievich Nefedov — as Black Basta’s alleged leader. Nefedov, a 35-year-old who was subsequently added to the most-wanted lists of Europol and Interpol, allegedly formed and ran Black Basta since 2022, authorities said. 

He is accused of extorting more than 100 companies in Germany and about 600 other countries globally. Nefedov’s current whereabouts are unknown, but he is believed to be living in Russia.

Authorities said Nefedov may have previously been involved with the Conti ransomware group, which disbanded in 2022 after its internal messages were also leaked. Members of the Russian-language ransomware collective rebranded under three subgroups: Zeon, Black Basta and Quantum, which quickly rebranded to Royal before rebranding again to BlackSuit in 2024. 

Police said they seized data and cryptocurrency assets during their searches of the alleged Black Basta participants’ residences in Ivano-Frankivsk and Lviv, Ukraine, but they did not provide further detail about what the evidence revealed.

The pair of alleged Black Basta co-conspirators are accused of specializing in stealing credentials, which were used to break into targeted companies’ networks, steal confidential data and launch malware to encrypt data for extortion attempts.

International law enforcement agencies’ ongoing efforts to target Black Basta and its alleged participants underscore a sustained effort to track cybercriminals despite the group’s relative dormancy. 

Black Basta’s data leak site was shut down shortly after its internal chats were leaked last year, but uncaptured cybercriminals typically scatter and join new groups in the wake of a takedown or disbandment, said Allan Liska, threat intelligence analyst at Recorded Future.

“Even if Black Basta hasn’t been active, it doesn’t mean that the people behind it haven’t been,” he said.

Ransomware experts said Nefedov’s ringleader position at Black Basta and his previous involvement with Conti was already known in law enforcement and threat intelligence circles.

“The accusation signals less about the impact of Black Basta and more about the significance of Nefedov,” said Ian Gray, vice president of cyber threat intelligence operations at Flashpoint. 

The formal naming and request for information on Nefedov aligns with a broader law enforcement strategy to target core leadership responsible for orchestrating cyberattacks, Gray added.

Ransomware response is a never-ending pursuit that consistently attracts new players and new groups at a faster clip than law enforcement can manage. 

“You cut one head off and two appear,” Liska said. “You still have to cut the head off, you still have to stop the activity.”

While ransomware activity remains elevated, law enforcement is sticking to multidimensional countermeasures by targeting operators and affiliates, initial access brokers, infostealers, infrastructure providers and key services criminals use to deploy or facilitate the ransomware ecosystem.

These takedowns, seizures, indictments and arrests are sometimes organized under ongoing international sting operations such as Operation Endgame, which has neutralized malware networks, remote access trojans, botnets and other cybercrime enablers. 

“These operations can’t be one-and-done,” Liska said. “They have to be interconnected and use that intelligence to build more cases against other actors.”

The post Black Basta’s alleged ringleader identified as authorities raid homes of other members appeared first on CyberScoop.

Ukrainian allegedly involved in Conti ransomware attacks faces up to 25 years in jail

31 October 2025 at 14:50

A 43-year-old Ukrainian national allegedly involved in the Conti ransomware group pleaded not guilty in federal court Thursday to cybercrime charges that could land him in prison for up to 25 years, according to court documents.

Oleksii Oleksiyovych Lytvynenko, also known as Alexsey Alexseevich Litvinenko, was arrested in Ireland in July 2023, extradited to the United States earlier this month and remains in federal custody in Tennessee where at least three of his alleged victims are based. 

Lytvynenko left Ukraine in 2022 and obtained temporary protective status in Ireland, residing in Cork at the time of his arrest. He and his Conti co-conspirators are accused of infiltrating victims’ computer networks, stealing and encrypting data, and demanding ransoms to restore data access and prevent data leaks.

Lytvynenko and his co-conspirators used Conti ransomware to attack more than 1,000 victims globally, ensnaring victims in 47 states, Washington, Puerto Rico and about 31 countries, according to the Justice Department. The FBI estimates Conti extorted more than $150 million in ransom payments from victims.

“Lytvynenko conspired to deploy Conti ransomware against victims in the United States and across the globe, extorting millions in cryptocurrency and amassing a trove of stolen data,” Brett Leatherman, assistant director of the FBI’s Cyber Division, said in a statement. “His extradition demonstrates the strength of our partnership with Irish law enforcement and the FBI’s commitment to counter cyber criminals who threaten American infrastructure.”

Conti was among the most prolific ransomware groups globally for a time, impacting hundreds of critical infrastructure providers, Costa Rica’s government in 2022, and ultimately leading the State Department to offer a $10 million reward for information related to Conti’s leaders. The group was notoriously resilient, bouncing back with new infrastructure and hitting new targets after a massive leak exposed chats between the group’s members in 2022. 

Conti disbanded later that year, but members of the Cyrillic-language group rebranded under three subgroups: Zeon, Black Basta and Quantum, which quickly rebranded to Royal, before rebranding again to BlackSuit in 2024. 

Lytvynenko and his co-conspirators allegedly extorted about $634,000 in Bitcoin in 2020 and 2021 from two victims in Tennessee, including an undisclosed government entity whose breach compromised a sheriff’s department, local emergency medical services and a local police department, according to an unsealed indictment in the U.S. District Court for the Middle District of Tennessee.

Prosecutors allege Lytvynenko and his co-conspirators leaked data they stole from another Tennessee-based victim, an undisclosed business, after it refused to pay a $3 million ransom demand.

Four of Lytvynenko’s alleged co-conspirators — Maksim Galochkin, Maksim Rudenskiy, Mikhail Mikhailovich Tsarev and Andrey Yuryevich Zhuykov — were indicted in 2023 in the same federal court for crimes related to their suspected involvement in Conti attacks from 2020 to 2022. 

Lytvynenko was allegedly engaged in cybercrime until days before his arrest, and prosecutors accuse him of controlling data stolen from multiple Conti victims. He was also involved in deploying ransom notes on victims’ systems, according to the indictment. 

Prosecutors said Lytvynenko remained engaged in cybercrime after Conti broke up. At the time of his arrest, Lytvynenko “was asleep but within arm’s reach of an open laptop running Cobalt Strike,” prosecutors said in the indictment. 

Irish police told the FBI the Cobalt Strike instances were connected to active intrusions into victim networks, and his laptop also had open chat applications discussing ongoing cyberattacks, according to the indictment.

Officials secured Lytvynenko’s extradition to the U.S. after he exhausted his appeals in Ireland. Prosecutors argued he poses a substantial flight risk and danger to the community. Lytvynenko waived his right to a detention hearing during his initial court appearance Thursday, but he reserves the right to request a detention hearing at a later date.

He is charged with computer fraud conspiracy and wire fraud conspiracy. 

“Ransomware is a significant threat to the safety, security, and prosperity of American citizens and business,” Matthew R. Gelotti, acting assistant attorney general, said in a statement. “The department will continue to pursue ransomware actors all over the world in its efforts to hold them to account for the damage they have inflicted on victims.”

You can read the full indictment below.

The post Ukrainian allegedly involved in Conti ransomware attacks faces up to 25 years in jail appeared first on CyberScoop.