Credential theft is often the first calculated step ransomware hackers take to infiltrate an organization


Employees of both large enterprises and small organizations—particularly those at the C-suite level—often assume that ransomware attacks are launched quickly, with hackers attempting to extort money from victims as fast as possible. This perception, however, is far from accurate. In reality, most ransomware campaigns are the result of extensive planning, reconnaissance, and methodical execution. Successful attacks rely on careful preparation and scientific precision rather than impulsive action.

Simply put, ransomware groups—regardless of their size—carry out significant groundwork before infiltrating a corporate network. According to recent findings from coordinated police raids conducted by Ukrainian authorities in collaboration with German law enforcement, hackers typically deploy ransomware in a structured, multi-stage manner. Investigators revealed that attackers typically operate in two distinct phases. The first phase focuses on scanning and analyzing a target network to identify vulnerabilities, while also harvesting employee credentials. Only after this intelligence-gathering stage do attackers deploy ransomware, using the stolen credentials to move laterally and deepen their access.

Ukrainian police also confirmed that the alleged leader of the Black Basta ransomware gang has been placed on Europol and Interpol’s most wanted lists. Germany’s Federal Criminal Police Office (BKA) identified the suspect as Oleg Evgenievich Nefedov, a 35-year-old Russian national believed to be the mastermind behind the Black Basta ransomware operation.

During search operations conducted in the Ivano-Frankivsk and Lviv regions of Ukraine, law enforcement agencies apprehended two individuals suspected of having links to Russian intelligence services. These arrests provided further insight into how the Black Basta group operates. Investigators determined that the gang typically executes attacks in two main phases: gaining initial access to the network and collecting sensitive intelligence—such as employee usernames and passwords—followed by encrypting databases and locking systems after exfiltrating portions of valuable data.

The individuals responsible for the early stages of ransomware infiltration are commonly referred to as “hash crackers.” Their role involves using specialized tools to crack passwords, steal authentication data, and carry out social engineering attacks. Techniques such as phishing emails are frequently used to trick unsuspecting employees into revealing credentials or falling into carefully designed digital “honey traps.”

Ukrainian authorities also reported the seizure of data storage devices and cryptocurrency wallets during the raids. Investigators believe these assets were used to store stolen data and manage ransom payments. Officials further stated that Nefedov is suspected of leading the Black Basta gang, which has known ties to the now-defunct Conti ransomware group—a cybercriminal organization previously linked to the infamous Ryuk ransomware attacks.


Naveen Goud
Naveen Goud is a writer at Cybersecurity Insiders covering topics such as Mergers & Acquisitions, Startups, Cyber Attacks, Cloud Security and Mobile Security
