Karakurt
Karakurt is a Russian-linked cybercriminal extortion group active since at least mid-2021 and described in multiple sources as a data-theft and extortion operation that typically does not deploy file-encrypting ransomware. Its core model is exfiltration-based extortion: compromising victim environments, stealing data, and demanding payment in cryptocurrency under threat of leaking or selling the stolen information. Reported ransom demands ranged from $25,000 to $13 million in Bitcoin.

Sources variously describe Karakurt as linked to, exposed as, or led by former members or leaders of the Conti ransomware syndicate; some reporting also states it was led by former leaders of Conti and Akira. Investigators and prosecutors further reported that the broader organization used multiple brands during extortion activity, including Conti, Karakurt, Royal, TommyLeaks, SchoolBoys/SchoolBoys Ransomware, and Akira.

Victimology in the available reporting indicates broad, opportunistic targeting rather than a strict sector focus, with victims selected in part based on ease of access. Most published victims during one 2021 period were based in North America, though victims in Europe are also mentioned. Reported victim types include businesses, healthcare organizations, government entities, and humanitarian or migration-related organizations. Specific impacts described include theft of medical records, children's health information, financial documents, banking data, and personal information, as well as disruption of a U.S. government entity's 911 emergency dispatch system.

Observed tradecraft includes initial access via purchased stolen credentials or access bought from other criminals and, in the cases NCC Group investigated, use of legitimate Active Directory credentials against single-factor Fortinet FortiGate VPN servers. The group has been reported using living-off-the-land techniques, long dwell times, lateral movement via PsExec and RDP, early discovery on domain controllers, DNS zone exports associated with Event ID 3150, NTDS.dit extraction via Volume Shadow Copy, and staging of data on servers that host sensitive file shares. Tools and utilities explicitly named in the reporting include Cobalt Strike, AnyDesk, Mimikatz, PowerShell, 7-Zip, WinZip, Rclone, FileZilla, and Mega.io. AnyDesk is specifically described as a persistence mechanism used by Karakurt.

The group operates leak and auction infrastructure, has published victim data on a public leak site, added a search function to make blackmail more effective, and has used Telegram and public "press release" style posts to pressure victims. U.S. government reporting states that Karakurt commonly provides screenshots or file-directory samples as proof of theft and has harassed victims' employees, partners, and clients by email and phone to increase pressure.

The reporting also links Karakurt to re-extortion or follow-on extortion behavior. Arctic Wolf referenced prior Karakurt re-extortion attempts against victims previously targeted by Conti, and noted a historical association of follow-on extortion with Conti and Karakurt activity.

Law-enforcement reporting ties Karakurt to Deniss Zolotarjovs, also known as "Sforza_cesarini," a Latvian national linked to the operation as a negotiator involved in so-called "cold case extortions." Court and DOJ reporting cited here state that he helped analyze stolen data, set ransom demands, communicate with victims, launder cryptocurrency, and revive stalled negotiations. He is described as the first known or alleged Karakurt member arrested, extradited, charged, and sentenced in the United States.
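The tradecraft listed above (DNS zone export logged as Event ID 3150 on a domain controller, Volume Shadow Copy creation followed by NTDS.dit access, PsExec service installation, AnyDesk installed as a service, and Rclone/FileZilla/Mega transfers) maps cleanly onto a handful of Windows event log checks. The following is an added detection sketch, not code from the reporting or from any vendor named on this page; the event records, host names, and the process names for the transfer tools are constructed for the example and are not indicators from a real intrusion.

```python
"""Detection sketch for the Karakurt tradecraft described in the profile.

All sample events, host names and rule names below are constructed for this
example; they are not observables from any real Karakurt case.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    rule: str
    host: str
    detail: str


# Assumed executable names for the data-transfer tools named in the profile.
EXFIL_PROCESSES = {"rclone.exe", "filezilla.exe", "megasync.exe", "megacmd.exe"}


def _cmd(ev):
    return ev.get("cmdline", "").lower()


def rule_dns_zone_export(ev):
    # DNS Server log Event ID 3150: the server wrote a zone to a file (zone export).
    if ev.get("channel") == "DNS Server" and ev.get("event_id") == 3150:
        return ev.get("message", "")


def rule_shadow_copy(ev):
    # Shadow copy creation via vssadmin or ntdsutil, the usual precursor to lifting NTDS.dit.
    proc = ev.get("process", "").lower()
    if ev.get("event_id") == 4688 and (
        (proc == "vssadmin.exe" and "create shadow" in _cmd(ev))
        or (proc == "ntdsutil.exe" and "ifm" in _cmd(ev))
    ):
        return ev["cmdline"]


def rule_ntds_access(ev):
    # Any process referencing ntds.dit or reading through a shadow-copy device path.
    c = _cmd(ev)
    if ev.get("event_id") == 4688 and ("ntds.dit" in c or "harddiskvolumeshadowcopy" in c):
        return ev["cmdline"]


def rule_psexec_service(ev):
    # System log 7045 service install whose name is PsExec's default PSEXESVC.
    msg = ev.get("message", "")
    if ev.get("event_id") == 7045 and "PSEXESVC" in msg.upper():
        return msg


def rule_anydesk_service(ev):
    # AnyDesk registered as a service: the persistence mechanism the profile attributes to Karakurt.
    msg = ev.get("message", "")
    if ev.get("event_id") == 7045 and "anydesk" in msg.lower():
        return msg


def rule_exfil_tool(ev):
    # Known transfer tools, or any command line addressing an rclone "mega:" remote.
    proc = ev.get("process", "").lower()
    if ev.get("event_id") == 4688 and (proc in EXFIL_PROCESSES or "mega:" in _cmd(ev)):
        return ev["cmdline"]


RULES = {
    "dns_zone_export": rule_dns_zone_export,
    "shadow_copy": rule_shadow_copy,
    "ntds_access": rule_ntds_access,
    "psexec_service": rule_psexec_service,
    "anydesk_service": rule_anydesk_service,
    "exfil_tool": rule_exfil_tool,
}


def detect(events):
    """Run every rule over every event; return one Finding per (rule, event) match."""
    findings = []
    for ev in events:
        for name, rule in RULES.items():
            detail = rule(ev)
            if detail is not None:
                findings.append(Finding(name, ev["host"], detail))
    return findings


def hosts_with_multiple_stages(findings, minimum=2):
    """Hosts where at least `minimum` distinct rules fired: single hits are noisy,
    but zone export plus NTDS access on one DC, or PsExec plus AnyDesk plus Rclone
    on one file server, is the chain the profile describes."""
    by_host = defaultdict(set)
    for f in findings:
        by_host[f.host].add(f.rule)
    return {h: rules for h, rules in by_host.items() if len(rules) >= minimum}


# Constructed sample events shaped like normalized Windows event log records.
SAMPLE_EVENTS = [
    {"host": "DC01", "channel": "DNS Server", "event_id": 3150,
     "message": "The DNS server wrote version 42 of zone corp.example to file corp.example.dns"},
    {"host": "DC01", "channel": "Security", "event_id": 4688, "process": "vssadmin.exe",
     "cmdline": "vssadmin create shadow /for=C:"},
    {"host": "DC01", "channel": "Security", "event_id": 4688, "process": "cmd.exe",
     "cmdline": r"copy \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1\Windows\NTDS\ntds.dit C:\Temp\n.dit"},
    {"host": "FS01", "channel": "System", "event_id": 7045,
     "message": "A service was installed in the system. Service Name: PSEXESVC"},
    {"host": "FS01", "channel": "System", "event_id": 7045,
     "message": "A service was installed in the system. Service Name: AnyDesk Service"},
    {"host": "FS01", "channel": "Security", "event_id": 4688, "process": "rclone.exe",
     "cmdline": r"rclone.exe copy D:\Shares\Finance mega:staging --transfers 8"},
    {"host": "WS07", "channel": "Security", "event_id": 4688, "process": "notepad.exe",
     "cmdline": "notepad.exe report.txt"},
]

if __name__ == "__main__":
    for f in detect(SAMPLE_EVENTS):
        print(f"{f.host:5} {f.rule:16} {f.detail}")
    print(hosts_with_multiple_stages(detect(SAMPLE_EVENTS)))
```

Each rule is deliberately narrow and keyed to a log source a defender already collects (DNS Server log, Security 4688 with command-line auditing enabled, System 7045). The correlation step is where the value is: a lone 7045 for AnyDesk may be legitimate IT activity, but the same host also showing a PsExec service and an Rclone push to a cloud remote matches the profile's intrusion chain and is worth an immediate look.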
Tradecraft
19 distinct techniques observed across reporting, grouped by tactic.
Associated malware families
1 malware family attributed to this actor across reporting.
Recent activity
20 sources tracked across advisories, community write-ups, and news.
Ransomware/extortion group accused of targeting more than 54 companies, including U.S. government entities, disrupting 911 dispatch systems, stealing children's health information, and using intimidation tied to alleged access to Russian government databases and law enforcement connections.
Financially motivated cyber extortion group involved in data theft and ransom negotiations, targeting dozens of organizations and extorting victims by threatening to leak stolen data.
Data-theft and extortion operation that compromised company systems, stole data, and extorted victims by threatening to leak or sell stolen data. The group conducted "cold case extortions" to re-engage victims who had stopped communicating without paying.
A ransomware and data extortion operation tied to a former Conti leader, conducting attacks and ransom negotiations against dozens of victims while rotating among multiple criminal brand names.