Nefilim ransomware suspect extradited from Spain to US

Avatar

A Ukrainian citizen has been charged and extradited to the United States for allegedly using Nefilim ransomware to attack large companies in the U.S. and elsewhere, federal prosecutors said Thursday.

Artem Stryzhak, 35, was arrested in Spain in 2024 and sent to the U.S. on Tuesday, according to a news release from the U.S. attorney for the Eastern District of New York. He was expected to appear Thursday before a federal judge in Brooklyn.

A highly redacted indictment unsealed Thursday describes the Nefilim ransomware scheme, alleging that Stryzhak and others agreed to give administrators 20 percent of their proceeds in exchange for access to the malware. Prosecutors focused on a spree that started in the summer of 2020 and continued into the fall of 2021.

Nefilim attacks have caused “millions of dollars in losses” overall between ransom payments and damage to computer systems, the news release said. The ransomware operation, also known as Nephilim, was a rebrand of an earlier scheme known as Nemty

Stryzhak’s access to the ransomware began in June 2021, prosecutors said, and he was encouraged to target companies in the U.S., Canada or Australia with more than $200 million in annual revenue. At its peak, Nefilim was known for securing larger payouts in comparison to other operations who were less choosy with targets.

The indictment says Nefilim victims in the U.S. included companies in industries such as aviation, engineering, chemicals, eyewear, insurance, construction, energy and pet care. The ransomware’s users also deployed otherwise legal tools such as the file-transfer software WinSCP and hacking platform Cobalt Strike, the indictment said.

“The perpetrators of Nefilim typically customized the ransomware executable file for each victim, creating a unique decryption key and customized ransom notes,” the news release said. “If the victims paid the ransom demand, the perpetrators sent the decryption key, enabling the victims to decrypt the computer files locked by the ransomware program.”

Stryzhak faces charges of conspiracy to commit fraud and related activity, including extortion, in connection with computers.

CybercrimeNewsNews Briefs
Get more insights with the

Recorded Future

Intelligence Cloud.

Learn more.

No previous article

No new articles

Joe Warminsky

is the news editor for Recorded Future News. He has more than 25 years experience as an editor and writer in the Washington, D.C., area. He previously he helped lead CyberScoop for more than five years. Prior to that, he was a digital editor at WAMU 88.5, the NPR affiliate in Washington, and he spent more than a decade editing coverage of Congress for CQ Roll Call.

 

Total
0
Shares
Previous Post

North Korean IT worker scam is now a threat to all companies, cybersecurity experts say

Next Post

More than 100,000 impacted by December data breach at Ascension Health

Related Posts

Crypto Developers Targeted by Python Malware Disguised as Coding Challenges

The North Korea-linked threat actor assessed to be behind the massive Bybit hack in February 2025 has been linked to a malicious campaign that targets developers to deliver new stealer malware under the guise of a coding assignment. The activity has been attributed by Palo Alto Networks Unit 42 to a hacking group it tracks as Slow Pisces, which is also known as Jade Sleet, PUKCHONG,
Avatar
Read More

DslogdRAT Malware Deployed via Ivanti ICS Zero-Day CVE-2025-0282 in Japan Attacks

Cybersecurity researchers are warning about a new malware called DslogdRAT that's installed following the exploitation of a now-patched security flaw in Ivanti Connect Secure (ICS). The malware, along with a web shell, were "installed by exploiting a zero-day vulnerability at that time, CVE-2025-0282, during attacks against organizations in Japan around December 2024," JPCERT/CC researcher Yuma
Avatar
Read More

251 Amazon-Hosted IPs Used in Exploit Scan Targeting ColdFusion, Struts, and Elasticsearch

Cybersecurity researchers have disclosed details of a coordinated cloud-based scanning activity that targeted 75 distinct "exposure points" earlier this month. The activity, observed by GreyNoise on May 8, 2025, involved as many as 251 malicious IP addresses that are all geolocated to Japan and hosted by Amazon. "These IPs triggered 75 distinct behaviors, including CVE exploits,
Avatar
Read More