Ukrainian National Pleads Guilty in Nefilim Ransomware Conspiracy
Ukrainian man pleads guilty in United States to deploying Nefilim ransomware in global extortion scheme targeting companies across multiple countries.
A Ukrainian national has pleaded guilty in federal court in Brooklyn to conspiracy to commit computer fraud in connection with the deployment of the Nefilim ransomware against corporate computer networks in the United States and other countries.
Artem Aleksandrovych Stryzhak, 35, of Barcelona, Spain, admitted that he conspired with others to use the ransomware to damage victim systems and extort payments from companies targeted in the campaign.
Prosecutors say Stryzhak was given access to the Nefilim ransomware code in June 2021 by the administrators of the ransomware in exchange for 20% of any proceeds generated from ransom demands.
Using his account on the online Nefilim “panel,” he and co‑conspirators researched prospective victims, including by pulling information on company size, revenue, and contact details from public online databases before launching attacks.
As with other ransomware campaigns, the Nefilim attacks involved generating a unique ransomware executable for each victim, along with a corresponding decryption key and a tailored ransom note. If a victim chose to pay the ransom, the conspirators provided the decryption key to restore the encrypted files.
As part of their extortion tactics, the group threatened victims with the publication of stolen data on publicly accessible “Corporate Leaks” sites unless demands were met.
Nefilim Ransomware Group’s ransom note (Image credit: SentinelLABS)
Stryzhak was arrested in Spain in June 2024 and extradited to the United States in April 2025. According to the US DoJ’s press release, he is scheduled for sentencing in May 2026 and faces a statutory maximum of 10 years in prison, though a federal judge will determine his actual term based on U.S. sentencing guidelines and other factors.
The US Department of State’s Transnational Organised Crime Rewards Program has offered up to $11 million for information leading to the arrest or conviction of Stryzhak’s alleged co‑conspirator, Volodymyr Tymoshchuk, who remains at large. Tymoshchuk has also been linked to other ransomware strains, such as LockerGoga and MegaCortex.
Tymoshchuk Volodymyr Viktorovych on the EU Most Wanted List
**History and Status of Nefilim Ransomware**
First spotted in 2020, Nefilim is believed to be a successor to the Nemty ransomware family. It gained traction through its double-extortion approach, exfiltrating sensitive data and threatening public leaks via its “Corporate Leaks” site unless ransom demands were met.
According to SentinelOne’s analysis, Nefilim’s targets throughout its active period included high‑revenue companies and large enterprises, especially in the United States, Canada, Australia, and Europe.
Although Nefilim activity has dropped since 2022 and parts of its operation have been taken down by law enforcement, its methods still influence how ransomware groups operate. Its tactics, especially the combination of data theft and encryption, have influenced many ransomware campaigns that followed, and the use of double extortion and affiliate-based attacks has become a standard practice for many of the newer campaigns.