
Karakurt Ransomware Group Suspect Appears in US Courtroom

Latvian Charged With Serving as Extortion Specialist for Russian-Speaking Group

A Latvian national accused of serving as a Russian-speaking ransomware group's extortion specialist appeared in a U.S. courtroom this week to face a four-count criminal indictment.


Prosecutors charged Deniss Zolotarjovs, 33, previously a Moscow resident, with conspiring to commit money laundering, wire fraud and Hobbs Act conspiracy and extortion. The Hobbs Act is a federal law that prohibits extortion or robbery when its purpose is to disrupt interstate commerce.

Law enforcement agents in the country of Georgia arrested Zolotarjovs in December 2023 - the same month the country signed an extradition treaty with the United States. He remained detained in Georgia until being extradited this month to the United States, said the U.S. Department of Justice.

The defendant first appeared Tuesday in an Ohio federal courtroom, followed by a detention hearing Friday, at which a judge ordered him jailed pending trial.*

A 59-page criminal complaint against Zolotarjovs unsealed Thursday in partially redacted form says he's a Latvian citizen, holds a Latvian passport in his name and also had a Russian residence document and driver's license in his name.

Federal prosecutors have accused him of using the cybercriminal moniker "Sforza_cesarini," aka Sforza, who the FBI found was a key member of Karakurt after it obtained a large cache of chat messages between group members. The complaint details six attacks against U.S. organizations that have been tied to the group, some of which led to victims paying a ransom.

"Zolotarjovs is the first alleged group member to be arrested and extradited to the United States," the DOJ said.

Karakurt allegedly functioned as an extortion-only ransomware group, meaning it stole data but didn't leave systems crypto-locked. The group then demanded a ransom from victims in exchange for promising to not leak stolen data, as well as promising to delete it. In some cases, it also threatened to auction stolen data to the highest bidder. The group also operated a data leak site where it threatened to name victims and leak stolen data, to pressure them into paying a ransom (see: Ransomware Groups' Latest Tactic: Weaponized Marketing).

Karakurt's known ransom demands, payable in bitcoin, have ranged from $25,000 to $13 million, "with payment deadlines typically set to expire within a week of first contact with the victim," the U.S. Cybersecurity and Infrastructure Security Agency said last December in a security advisory.

"Karakurt victims have reported extensive harassment campaigns by Karakurt actors in which employees, business partners and clients receive numerous emails and phone calls warning the recipients to encourage the victims to negotiate with the actors to prevent the dissemination of victim data," CISA said. "These communications often included samples of stolen data - primarily personally identifiable information, such as employment records, health records, and financial business records."

U.S. officials previously warned that the group didn't honor its promise to not leak stolen data if victims paid a ransom.

The indictment against Zolotarjovs charges him with participating in a conspiracy that both stole data and forcibly encrypted victims' systems, demanding a ransom for a decryption tool. Whether or not this encryption might have happened under the banner of Karakurt isn't clear.

A federal judge Friday said Litkovitz "poses a serious risk of flight if released" and ordered that he "be detained pending trial." Factors cited by the judge included his "likely" access to "substantial assets" - based on the charges filed against him - as well as his "substantial ties" abroad. "His wife and children reside in Russia; his father resides in the United Kingdom; and the cyber ransom group with whom he is alleged to have committed the instant alleged offenses has extensive ties to the United Arab Emirates," the judge wrote in her detention order.*

Extortion Specialist

Prosecutors alleged that Zolotarjovs was the individual behind at least some of Karakurt's shakedowns.

"Sforza appeared to be responsible for conducting negotiations on Karakurt victim cold case extortions," the FBI said in court documents, referring to cases in which the criminals later tried to shake down victims who had already paid a ransom, as well as victims who hadn't paid.

"Some of the chats indicated Sforza's efforts to revive cold cases were successful in extracting ransom payments," the FBI said. "Sforza also discussed efforts to recruit paid journalists to publish news articles about victims in order to convince the victims to take Karakurt's extortion demands seriously." Those efforts appeared to backfire.

The FBI said that in November 2023, an unnamed "editor of an online cybersecurity news blog" told the bureau they'd been contacted by someone who claimed to be an "independent cybersecurity researcher" who found tranches of never-before-leaked stolen data and wanted the editor to convince the victims they should pay the alleged researcher in exchange for deleting their stolen data. The editor declined and passed the supposed researcher's Proton email address, anonymoux@proton.me, to the bureau, it said.

The FBI said it requested help from Swiss law enforcement, which shared the IP address used to register the Proton email account. Via link analysis, the FBI said it tied that IP address to other IP addresses used by Sforza in Karakurt chat messages, as well as Apple iCloud user dennis.zolotarjov@icloud.com, and said the IP addresses had been accessed from both Russia and Latvia.

The FBI said it tried to contact the supposed researcher and that "the individual requested approximately $365,000 in Bitcoin from the FBI in exchange for sharing additional information on the group," which the researcher said included details of how Karakurt "also operated the Akira ransomware encryptor, as well as used the names TommyLeaks and SchoolBoys Ransomware Group in the past. The individual claimed to not be a criminal."

The FBI said it unmasked Zolotarjovs in part after following the money - including tracing how a bitcoin payment to Karakurt was laundered and eventually ended up in a cryptocurrency wallet owned by the defendant.

The FBI also unmasked Zolotarjovs in part thanks to the bureau's Technical Operations Unit in 2023 executing search warrants to search servers hosting Tor-based Rocket.Chat discussions. Rocket.Chat is an open-source communications platform, which the FBI said Karakurt members used to discuss and coordinate their activities.

"The execution of those search warrants resulted in the collection of approximately 18,500 Rocket.Chat messages from a private Rocket.Chat server," with messages dating from April 2022 through August 2023, "primarily in the Russian Cyrillic language," the FBI said in court documents, noting that the group appeared to have deleted only some of its chat messages.

Ties to Conti

The chat messages recovered by the FBI suggest Karakurt had very close ties to Conti, a once-prolific Russian-speaking ransomware group. After the group publicly backed Russian President Vladimir Putin's February 2022 war of conquest against Ukraine, ransom payments flowing to Conti dried up. The group began spinning out other operations under different names as it wound down Conti.

Threat intelligence firm RedSense last year identified Conti offshoots including Black Basta, which feeds exfiltrated data to BlackByte and Karakurt, as well as Royal, Zeon, Silent Ransom Group and AvosLocker.

In chat messages, Karakurt members in July and August of 2022 "discussed concerns regarding decreased returns on victimizations due to Karakurt's association with the Conti ransomware organization name," the FBI said in court documents. "The users suggested the Karakurt group needed to further distance itself from Conti by again changing their group's name to TommyLeaks, Schoolboys Ransomware Gang and Blockbit. Additionally, the users expressed disappointment that recent attacks using the TommyLeaks and Schoolboys Ransomware Gang names had already been publicly associated back to Karakurt and Conti."

One of the chat participants - who used the handle Sforza_cesarini, or Sforza - placed in the chat a copy of an extortion note also received by an unnamed company in Fort Washington, Pennsylvania. The FBI said that company received communications from TommyLeaks in September 2022 claiming that 4 terabytes of the company's data had been stolen and demanding a ransom for its deletion.

In the chat messages, Sforza discussed at length the information stolen from that company, the FBI said.

Sforza also claimed to be involved in a shakedown against another company, based in Springfield, Missouri, which Karakurt hit in November 2021. The victim paid a ransom worth approximately $1.37 million to a bitcoin wallet in exchange for a promise to delete the stolen data, before getting re-extorted in September 2023, according to court documents.

Karakurt's ties to Conti appear to run deep, reinforcing previous assessments that the group is a direct offshoot. The FBI said the cluster of crypto addresses identified as "Karakurt 1PLpQH3ntG" by commercial cryptocurrency tracing software, which received some ransoms paid to the group, also "received half of the first known Conti victim ransom payment" in June 2020.

*Update Aug. 26, 2024 10:26 UTC: This story has been updated to include details of Litkovitz's first detention hearing.


About the Author

Mathew J. Schwartz


Executive Editor, DataBreachToday & Europe, ISMG

Schwartz is an award-winning journalist with two decades of experience in magazines, newspapers and electronic media. He has covered the information security and privacy sector throughout his career. Before joining Information Security Media Group in 2014, where he now serves as the executive editor, DataBreachToday and for European news coverage, Schwartz was the information security beat reporter for InformationWeek and a frequent contributor to DarkReading, among other publications. He lives in Scotland.



