A new ransomware operation known as Tramp is following the same attack patterns as the infamous Black Basta group, leading security researchers to investigate whether it is either a direct successor or an independent group or individual that has adopted its methods.
Black Basta is a sophisticated ransomware group that emerged in April 2022, though evidence suggests it may have been active since February of that year.
Operating as a Ransomware-as-a-Service (RaaS) enterprise, Black Basta is believed to be composed of former members of notorious ransomware groups like Conti and REvil.
The group has rapidly gained notoriety for its highly targeted attacks, employing double extortion tactics where they encrypt victims’ data and threaten to release sensitive information if ransoms are not paid.
As of May 2024, Black Basta had breached over 500 organizations worldwide, including critical infrastructure sectors, and has extorted more than $100 million from its victims.
Tramp employs phishing scams to infiltrate corporate networks, a tactic Black Basta was previously documented using. The group’s attack model also mirrors its predecessor’s double-extortion strategy—encrypting victims’ files while threatening to publish stolen data unless a ransom is paid.
Black Basta affiliates are known to exploit vulnerabilities and abuse valid credentials to gain initial access to victim networks. The near-identical approach used by Tramp suggests the possibility of shared infrastructure or personnel.
Records show Tramp’s connection to LockBit 2.0 and 3.0: his activity was observed in at least 28 LockBit-related ransomware incidents in 2022, which were linked to a virtual machine.
His role in ransomware dates even further back, with a consistent use of the highly insecure password “123123” for file protection, a pattern observed across multiple ransomware groups, including REvil and Conti.
In 2021, Tramp was involved in a dispute within REvil’s affiliate program, where he lost access to the ransomware negotiation platform and sought arbitration on a well-known cybercriminal forum. Using the handle washingt0n32, he claimed to have “more than 10 years” of experience in penetration testing, indicating that his involvement in cybercrime extends beyond ransomware into broader hacking activities.
Leaked Black Basta Chat Logs Hint at Tramp’s Origins
Evidence linking Tramp to Black Basta comes from leaked internal conversations between Black Basta affiliates, shared on X by PRODAFT, a cyber threat intelligence company that specializes in proactive cybersecurity solutions.
The chat logs revealed internal disputes over ransom pricing and attack strategies, with one member stating: “We need to standardize the ransom percentage. Custom pricing is leading to too many inconsistencies.”
The leak also confirmed Black Basta’s move toward more advanced encryption tools and targeted attacks, which researchers believe may have contributed to the development of Tramp.
With Tramp’s operational model aligning so closely with Black Basta’s, analysts are investigating whether former members of the now-diminished group have resurfaced under a new identity.
🔍 As part of our continuous monitoring, we've observed that BLACKBASTA (Vengeful Mantis) has been mostly inactive since the start of the year due to internal conflicts. Some of its operators scammed victims by collecting ransom payments without providing functional decryptors.…
— PRODAFT (@PRODAFT) February 20, 2025
Tramp’s Connection to REvil and the Evolution of Ransomware Operations
The rise of Tramp follows a pattern seen repeatedly in ransomware operations, where one group disappears only for another to take its place using near-identical tactics. Before Black Basta, a dominant force in ransomware was REvil, which gained notoriety for its large-scale attacks before being dismantled by international law enforcement in 2021.
Despite major arrests linked to REvil, its affiliates did not vanish. Many transitioned to Black Basta, which quickly became one of the most disruptive ransomware groups. Now, Tramp appears to be continuing this trend, leading cybersecurity analysts to suspect that some former Black Basta or REvil operators are involved.
Ransomware groups often restructure under new names. This ability to adapt and rebrand is what makes ransomware such a persistent cybersecurity threat.
According to an unnamed source that shared information with LeMagIT, the pseudonym Tramp is used by Oleg Nefedov, a former member of the late Conti and one of the leaders of the Black Basta ransomware gang, who had been arrested in Armenia in June 2024, but released due to a missed deadline.
This source also told LeMagIT that Tramp is supported by Russian intelligence services, stating “He has the best protection in Russia. He has friends in the security services. He even pays the FSB and the GRU”, and that “Nobody has that kind of money or that level of security anymore.”
LeMagIT’s investigations corroborate plenty of evidence pointing to Oleg Nefedov being Tramp. According to the report, Tramp also uses the pseudonyms p1ja, AA and GG, besides washingt0n32.
Nefedov is said to be turning 35 soon and to originate from Ioshkar-Ola, the capital of the Mari Republic in Russia. His background includes a strong interest in cryptocurrencies, as evidenced by his association with an account on btc-e.com, a now-defunct cryptocurrency exchange that suffered a data breach in 2014.
In 2017, he was involved with Bitsoft, a Russian cloud mining company focused on Ethereum, Litecoin, and Zcash, where he registered multiple domain names. His early financial records indicate modest earnings from Bitsoft, which later transitioned to revenue from another company, Polis, before both entities were dissolved by 2024.
Despite reporting relatively low income in his early years, Nefedov reportedly maintained a luxurious lifestyle, driving high-end vehicles such as a BMW X6 M50D, a Mercedes AMG S63 4MATIC, a Porsche Macan, and, more recently, a Mercedes G-Class AMG G63 SUV.
Since at least 2022, he is said to have invested in high-end lounges with a global presence, spanning Dubai, Abu Dhabi, Baku, Moscow, and Bali. He is also said to have founded a charity named Rodina, meaning “Motherland” in Russian.
Tramp’s emergence demonstrates how ransomware groups continuously adapt, adopting proven attack methods while integrating new tactics.
As cybersecurity firms work to track its activities, the bigger concern is how quickly new ransomware brands can replace older ones. With links to past operations like Black Basta and REvil, Tramp is not just another ransomware group—it represents the ongoing evolution of organized cybercrime.