Key Takeaways
- Artem Stryzhak admitted to conspiring in ransomware attacks targeting high‑revenue organizations in multiple countries
- Prosecutors say he joined the Nefilim operation in 2021, receiving a cut of ransom proceeds in exchange for deploying customized malware
- U.S. authorities continue to seek alleged ringleader Volodymyr Tymoshchuk, with a reward of up to $11 million for information leading to his capture
A Ukrainian national has pleaded guilty to participating in a series of Nefilim ransomware attacks aimed at large companies across the United States and several other countries. The defendant, 35‑year‑old Artem Aleksandrovych Stryzhak, was arrested in Spain in June 2024 and extradited to the United States in April 2025. His plea, announced Friday, brings another significant figure in the Nefilim ecosystem into U.S. custody—a rare development in ransomware cases.
The charges center on computer fraud conspiracy tied to attacks against organizations in the United States, Norway, France, Switzerland, Germany, and the Netherlands. It is a roster that underscores a familiar trend: threat actors continue to zero in on enterprises with deep pockets and sprawling digital footprints. Sentencing is scheduled for May 6, 2026, and Stryzhak faces up to 10 years in prison.
According to court filings, Stryzhak’s involvement began in mid‑2021, when he allegedly obtained access to the Nefilim ransomware codebase. The arrangement, as described by prosecutors, was straightforward—he would receive 20% of any ransom payment extracted from victims he targeted. That detail alone offers a glimpse into how these loosely affiliated criminal networks operate. There is often a franchised structure to the operations, resembling a revenue‑sharing model.
The Nefilim group has been known for developing customized malware builds for each targeted organization. Decryption keys, ransom notes, and the overall payload were tailored per victim. Ransomware groups have long understood the value of personalization, especially when approaching companies with annual revenues above $100 million. In this case, the customization appears to have been a core selling point within the criminal enterprise.
After joining the operation, Stryzhak allegedly focused on enterprises in the U.S., Canada, and Australia, specifically targeting organizations with revenues exceeding $100 million. However, court documents indicate that a Nefilim administrator encouraged him to aim even higher, suggesting that companies generating more than $200 million annually were more lucrative targets. This distinction highlights how precisely cybercriminals profile organizations based on perceived financial capacity.
Researching victims was not an ad hoc process. Prosecutors say Stryzhak and his accomplices used online commercial data platforms, including ZoomInfo, to gather information on revenue, company size, and executive contact details. It is not the first time investigators have highlighted threat actors' use of legitimate business intelligence tools. While startling to some observers, cybercriminals routinely rely on the same datasets that sales organizations use for prospecting to build their target lists.
The pressure tactics extended beyond encryption. As seen across countless ransomware incidents, data exfiltration was central to the Nefilim playbook. The group threatened to leak stolen information on "Corporate Leaks" websites operated by Nefilim administrators unless victims paid the ransom. Double extortion has become a standard operating procedure, increasing the risk for large enterprises that manage sensitive customer or operational data.
Meanwhile, there is still an active hunt for an alleged co‑conspirator. The U.S. State Department continues to offer up to $11 million for information leading to the arrest of Ukrainian national Volodymyr Tymoshchuk. He remains at large and appears on the most‑wanted lists of both the FBI and the European Union. In September, U.S. prosecutors charged him with acting as an administrator not only for Nefilim but also for the LockerGoga and MegaCortex ransomware operations.
Tymoshchuk is believed to have played a role in attacks that compromised hundreds of companies globally between July 2020 and October 2021, causing millions of dollars in damages. While law enforcement has made progress in identifying participants within these ecosystems, bringing leaders like Tymoshchuk into custody remains a significant hurdle. This highlights the ongoing challenge for global enterprises in planning for criminal networks that operate across borders and evade traditional jurisdictional boundaries.
Even as law enforcement successes alternate with ongoing threats, the broader theme is clear. Large‑scale ransomware operations continue to evolve, leveraging profit‑sharing models, specialized malware development, and increasingly polished victim‑research pipelines. The guilty plea in Stryzhak’s case marks a tangible win for investigators, but the larger ecosystem behind Nefilim remains a threat.
For enterprise IT and security leaders, the case serves as a reminder that ransomware groups persist in seeking out the most economically attractive targets—and that their methods increasingly resemble structured business operations. However, the pursuit of key ransomware administrators by international agencies suggests that pressure on these networks is growing, even if the road ahead remains complex.