Friend
Professional
- Messages
- 2,653
- Reaction score
- 851
- Points
- 113
U.S. Charges Alleged Member of Russian Karakurt Ransomware Group
This week, a U.S. court indicted a member of a Russian cybercriminal group on charges of money laundering, financial fraud and extortion, according to a statement from the U.S. Department of Justice (DOJ).
Denis Zolotarevs, a 33-year-old Latvian citizen living in Moscow, was arrested by law enforcement agencies of the Republic of Georgia in December 2023 and extradited to the United States earlier this month.
According to court documents, Zolotarev is linked to the Karakurt ransomware group, which steals victims' data and threatens to make it public if the ransom is not paid in cryptocurrency.
The group maintains a leak site and auction portal that lists victim companies and offers stolen data for download. The group's ransom demands ranged from $25,000 to $13 million in Bitcoin.
Previous reports have indicated that Karakurt was linked to the now-defunct Conti ransomware gang. Researchers speculate that Karakurt was a side operation of the group behind Conti, allowing them to monetize data stolen during attacks where organizations managed to block the ransomware encryption process.
Zolotarev allegedly operated under the pseudonym "Sforza_cesarini" and was an active member of Karakurt. He is accused of communicating with other members, laundering cryptocurrency, and extorting victims of the group. According to the Justice Department, he is the first alleged member of the group to be arrested and extradited to the United States.
Court documents link the Zolotaryovs to attacks on at least six unnamed U.S. companies.
In one 2021 attack, Karakurt stole "a large amount of private customer data," including medical records, social security numbers matching names, addresses, dates of birth, home addresses, and lab results. Karakurt demanded a ransom of approximately $650,000, but the company lowered it to $250,000.
Zolotarevs was likely responsible for negotiating the "unsolved Karakurt extortion case," as well as conducting open-source research to identify phone numbers, emails, or other accounts through which victims could be contacted and pressured to either pay the ransom or re-enter the chat with the ransomware group. "Unsolved extortion cases" refer to cases of extortion that remain unsolved for a long period.
"Some chats indicated that Sforza's efforts to revive unsolved cases were successful in obtaining a ransom," court documents say.
DENISS ZOLOTARJOVS
a.k.a "Sforza_cesarini"
• Source: https://therecord.media/us-charges-alleged-karakurt-ransomware-member
• Source: https://www.justice.gov/usao-sdoh/pr/member-russian-cybercrime-group-charged-ohio
• Source: https://www.documentcloud.org/documents/25056801-karakurt
• Source: https://storage.courtlistener.com/recap/gov.uscourts.ohsd.295290/gov.uscourts.ohsd.295290.4.0.pdf
• Source: https://www.cisa.gov/news-events/cybersecurity-advisories/aa22-152a
--------------------------
• Author: bratvacorp
Officially: https://storage.courtlistener.com/recap/gov.uscourts.ohsd.295290/gov.uscourts.ohsd.295290.4.0.pdf
News: https://therecord.media/us-charges-alleged-karakurt-ransomware-member
Briefly:
- Denis Zolotarev, a 33-year-old Latvian citizen living in Moscow, was arrested in December 2023 in Georgia and extradited to the United States this month
- in Karakurt's rocketchat he was known as "Sforza_cesarini"
- participated in at least 6 attacks on US
companies - role in the group - osinter on "cold cases" - called, negotiated and safely pulled out ransoms
Jambs:
1)
[/QUOTE]
"On or about August 11, 2021, two employees of Company-1 received an email from the Google account Karakurtlair@gmail.com."
[/QUOTE]
I wouldn't sacrifice an inbox for the sake of privacy - it's too easy to pull information for them from Google (up to cross-logins to other services through a meta-date).
2)
Apparently, the FBI has working methods for establishing the real IP address of the tor service. This does not mean that you should not use Tor, but it may be worth laying down the risk that the server will be installed and the host will receive requests.
3)
The FBI had access to the chat even before they received the contents of the servers - through a chat participant who leaked logs to them.
4)
In the rocket chat, they again chattered about everything to the delight of the Americans - including confirming the connection between their brands.
5)
It was 2022, and the guys continued to launder bitcoin into personal wallets, which were also opened on crypto exchanges, over which the Americans have full control.
6)
We conclude that the JSSS has the Garantex base, and the FBI has Bitcoin24.pro.
7)
Some people have a harmful stereotype that Apple allegedly protects their data and does not properly cooperate with law enforcement agencies (or gives a minimum of information). Here is a specific example - when they gave away not only registration data, including the phone, but also IP addresses for (!) 3 years.
8)
+
Who is too lazy to read English - briefly - Zolotaryov contacted the infosec journalist and offered to publish the leak of the victim or contact her to confirm it (in order to put pressure on it in the negotiations), the journalist refused and (unexpectedly!) leaked the entire FBI, including the proton box from which the anonymous contacted. Zolotaryov had a terrible OpSec and with the help of a meta-date already collected between his accounts - they prove to the judge, that he was in charge of them all.
9)
+
I don't even know how to comment on this: when the FBI contacted Zolotaryov, he pretended to be an infosec-researcher and offered to leak information to Karakurt - he gave basic data, showed a screenshot of the chat (where he burned his own nickname) and asked for more information - 365k bucks (it seems that karma has caught up).
These are the adventures of Deniska, baby.
This week, a U.S. court indicted a member of a Russian cybercriminal group on charges of money laundering, financial fraud and extortion, according to a statement from the U.S. Department of Justice (DOJ).
Denis Zolotarevs, a 33-year-old Latvian citizen living in Moscow, was arrested by law enforcement agencies of the Republic of Georgia in December 2023 and extradited to the United States earlier this month.
According to court documents, Zolotarev is linked to the Karakurt ransomware group, which steals victims' data and threatens to make it public if the ransom is not paid in cryptocurrency.
The group maintains a leak site and auction portal that lists victim companies and offers stolen data for download. The group's ransom demands ranged from $25,000 to $13 million in Bitcoin.
Previous reports have indicated that Karakurt was linked to the now-defunct Conti ransomware gang. Researchers speculate that Karakurt was a side operation of the group behind Conti, allowing them to monetize data stolen during attacks where organizations managed to block the ransomware encryption process.
Zolotarev allegedly operated under the pseudonym "Sforza_cesarini" and was an active member of Karakurt. He is accused of communicating with other members, laundering cryptocurrency, and extorting victims of the group. According to the Justice Department, he is the first alleged member of the group to be arrested and extradited to the United States.
Court documents link the Zolotaryovs to attacks on at least six unnamed U.S. companies.
In one 2021 attack, Karakurt stole "a large amount of private customer data," including medical records, social security numbers matching names, addresses, dates of birth, home addresses, and lab results. Karakurt demanded a ransom of approximately $650,000, but the company lowered it to $250,000.
Zolotarevs was likely responsible for negotiating the "unsolved Karakurt extortion case," as well as conducting open-source research to identify phone numbers, emails, or other accounts through which victims could be contacted and pressured to either pay the ransom or re-enter the chat with the ransomware group. "Unsolved extortion cases" refer to cases of extortion that remain unsolved for a long period.
"Some chats indicated that Sforza's efforts to revive unsolved cases were successful in obtaining a ransom," court documents say.
DENISS ZOLOTARJOVS
a.k.a "Sforza_cesarini"
• Source: https://therecord.media/us-charges-alleged-karakurt-ransomware-member
• Source: https://www.justice.gov/usao-sdoh/pr/member-russian-cybercrime-group-charged-ohio
• Source: https://www.documentcloud.org/documents/25056801-karakurt
• Source: https://storage.courtlistener.com/recap/gov.uscourts.ohsd.295290/gov.uscourts.ohsd.295290.4.0.pdf
• Source: https://www.cisa.gov/news-events/cybersecurity-advisories/aa22-152a
--------------------------
• Author: bratvacorp
Officially: https://storage.courtlistener.com/recap/gov.uscourts.ohsd.295290/gov.uscourts.ohsd.295290.4.0.pdf
News: https://therecord.media/us-charges-alleged-karakurt-ransomware-member
Briefly:
- Denis Zolotarev, a 33-year-old Latvian citizen living in Moscow, was arrested in December 2023 in Georgia and extradited to the United States this month
- in Karakurt's rocketchat he was known as "Sforza_cesarini"
- participated in at least 6 attacks on US
companies - role in the group - osinter on "cold cases" - called, negotiated and safely pulled out ransoms
Jambs:
1)
[/QUOTE]
"On or about August 11, 2021, two employees of Company-1 received an email from the Google account Karakurtlair@gmail.com."
[/QUOTE]
I wouldn't sacrifice an inbox for the sake of privacy - it's too easy to pull information for them from Google (up to cross-logins to other services through a meta-date).
2)
Apparently, the FBI has working methods for establishing the real IP address of the tor service. This does not mean that you should not use Tor, but it may be worth laying down the risk that the server will be installed and the host will receive requests.
3)
The FBI had access to the chat even before they received the contents of the servers - through a chat participant who leaked logs to them.
4)
In the rocket chat, they again chattered about everything to the delight of the Americans - including confirming the connection between their brands.
5)
It was 2022, and the guys continued to launder bitcoin into personal wallets, which were also opened on crypto exchanges, over which the Americans have full control.
6)
We conclude that the JSSS has the Garantex base, and the FBI has Bitcoin24.pro.
7)
Some people have a harmful stereotype that Apple allegedly protects their data and does not properly cooperate with law enforcement agencies (or gives a minimum of information). Here is a specific example - when they gave away not only registration data, including the phone, but also IP addresses for (!) 3 years.
8)
+
Who is too lazy to read English - briefly - Zolotaryov contacted the infosec journalist and offered to publish the leak of the victim or contact her to confirm it (in order to put pressure on it in the negotiations), the journalist refused and (unexpectedly!) leaked the entire FBI, including the proton box from which the anonymous contacted. Zolotaryov had a terrible OpSec and with the help of a meta-date already collected between his accounts - they prove to the judge, that he was in charge of them all.
9)
+
I don't even know how to comment on this: when the FBI contacted Zolotaryov, he pretended to be an infosec-researcher and offered to leak information to Karakurt - he gave basic data, showed a screenshot of the chat (where he burned his own nickname) and asked for more information - 365k bucks (it seems that karma has caught up).
These are the adventures of Deniska, baby.
