Full Report
A Latvian national was sentenced today to 102 months in prison for his role in a major Russian ransomware organization that stole from and extorted over 54 companies.

“With this sentence, a cruel, ruthless, and dangerous international cybercriminal is now behind bars,” said Assistant Attorney General A. Tysen Duva of the Justice Department’s Criminal Division. “Deniss Zolotarjovs helped his ransomware gang profit from hacks of dozens of companies, and even on a government entity whose 911 system was forced offline. He also used stolen children’s health information to increase his leverage to extort victim payments. The Criminal Division will continue to investigate and prosecute international hackers and extortionists from around the world, no matter where they live or operate.”

“Ransomware groups disrupt victims’ lives, cruelly extracting money through psychological manipulation and fear. And they create lingering security issues,” said U.S. Attorney Dominick S. Gerace II for the Southern District of Ohio. “Cybercriminals might think they are invulnerable by hiding behind anonymizing tools and complex cryptocurrency patterns while they attack American victims from non-extradition countries. But Zolotarjovs’s prosecution shows that federal law enforcement also has a global reach, and we will hold accountable bad actors like Zolotarjovs, who will now spend significant time in prison.”
Analysis Summary
# Threat Actor: Deniss Zolotarjovs (Денисс Золотарёвс)
## Attribution & Identity
* **Identity:** Deniss Zolotarjovs, a 35-year-old Latvian national.
* **Associated Groups:** Member of a major Russian ransomware organization led by former leaders of the **Conti** ransomware group.
* **Associated Brands/Aliases:** The organization operated under various brands including:
* Conti
* Karakurt
* Royal
* TommyLeaks
* SchoolBoys Ransomware
* Akira
* **Operating Location:** Historically operated out of an office building on Lakhtinskaya Street in St. Petersburg, Russia.
## Activity Summary
Between June 2021 and August 2023, Zolotarjovs participated in a prolific cybercriminal conspiracy that victimized over 54 companies. His role involved active extortion and money laundering within a hierarchical Russian organization. He was arrested in Georgia (the country) in December 2023 and extradited to the United States in August 2024. In May 2026, he was sentenced to 102 months in prison.
## Tactics, Techniques & Procedures
* **Data Exfiltration & Extortion:** Stealing sensitive corporate data and threatening its release to compel ransom payments.
* **Psychological Manipulation:** Using high-pressure tactics, including the exploitation of stolen children’s healthcare information to increase leverage over victims.
* **Operational Obfuscation:** Use of anonymizing tools and complex cryptocurrency transaction patterns to hide financial trails.
* **Infrastructure Camouflage:** Use of a network of shell companies registered across Russia, Europe, and the U.S. to mask operations.
* **Corruption & Insider Access:** Co-opting Russian government databases and law enforcement connections (leveraging former Russian officers within the group) to intimidate detractors and vet recruits.
* **Double and Data-Only Extortion:** Encrypting systems and leaking stolen data when the victim does not pay; some of the organization's brands did not deploy an encryptor at all. Karakurt in particular extorted on the basis of stolen data alone, and the "leaks" branding (TommyLeaks) signals the same data-publication threat.
## Targeting
* **Sectors:** Healthcare, Government/Public Safety, and various corporate sectors.
* **Geography:** Primarily United States, but the group operated globally.
* **Victims:**
* Over 54 companies.
* A U.S. government entity whose 911 emergency system was forced offline.
* Healthcare providers, with stolen children's health information used as leverage in extortion.
## Tools & Infrastructure
* **Malware Families:** The organization deployed the **Conti**, **Royal**, and **Akira** ransomware families; Zolotarjovs's own role was extortion and money laundering rather than intrusion or payload deployment.
* **Anonymizing Tools:** Used to hide IP addresses and geographic locations.
* **Cryptocurrency:** Used for the receipt and laundering of extortion payments.
* **Physical Infrastructure:** Known office presence on **Lakhtinskaya Street, St. Petersburg, Russia**.
## Implications
This case highlights the evolution of the Conti successor groups into a decentralized "multi-brand" model, allowing actors to rotate through different ransomware identities (Akira, Royal, etc.) to evade sanctions or law enforcement heat. The involvement of former Russian law enforcement officials and the use of government databases suggest a high level of state-tolerated "enabling" environments that allow these actors to operate with sophistication and relative local impunity until they travel to extraditable jurisdictions.
## Mitigations
* **Data Protection:** Encryption at rest protects stolen disks and backups, but an affiliate with a foothold on a running system reads data the same way the application does, so it does little against exfiltration-based extortion. Reduce leverage by minimizing where sensitive records (PII, healthcare data) are stored, restricting access to them with least privilege, and monitoring for bulk outbound transfers so exfiltration is caught before the extortion demand arrives.
* **Resilience Planning:** Segment critical services (such as 911 and dispatch systems) from the general corporate network to limit lateral movement, and keep offline or immutable backups that can restore them without paying.
* **Vulnerability Management and Remote Access:** Patch internet-facing VPN appliances and other edge devices promptly, remove direct RDP exposure, and require MFA on all remote access; these are the entry points repeatedly reported for Conti-lineage and Akira intrusions.
* **Extradition Awareness:** This is a law-enforcement point rather than a control. U.S. prosecutors track actors over years and arrest them when they enter jurisdictions with extradition arrangements, as happened here in Georgia. Reporting incidents and preserving evidence (ransom notes, wallet addresses, negotiation transcripts) supports those cases.
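The exfiltration TTP and the data-protection mitigation above turn on the same practical point: the data is stolen from live systems, so the detection opportunity is the outbound transfer itself. As an added example, not code from the DOJ release or from the analysis, the Python below builds a per-host egress baseline (peak hourly outbound bytes and the set of destinations seen) from a quiet day and then flags later windows that exceed that peak by a large factor, send a large volume to a never-seen address, or come from a host with no baseline at all. The log format (timestamp, source host, destination IP, outbound bytes), the host names, the IP addresses and the thresholds are all assumptions made for the illustration, and the sample lines are constructed, not captured traffic.

```python
"""Egress-volume baseline check for exfiltration-style traffic.

Added example, not code from the DOJ release or the analysis above.
The log format (timestamp, source host, destination IP, outbound bytes),
host names, IP addresses and thresholds are assumptions made for this
illustration; the sample lines below are constructed, not captured data.
"""
from collections import defaultdict
from datetime import datetime

# Constructed sample lines (assumed format: "<iso-ts> <src> <dst> <bytes_out>").
# 2023-07-10 is the quiet baseline day. On 2023-07-11 fileserver01 pushes
# about 1.75 GB to an address it has never talked to, and a host absent
# from the baseline (laptop42) shows up for the first time.
SAMPLE_LOGS = """\
2023-07-10T09:00:00 fileserver01 10.0.5.20 120000
2023-07-10T09:05:00 fileserver01 10.0.5.21 98000
2023-07-10T09:10:00 workstation07 52.1.1.9 45000
2023-07-10T10:00:00 fileserver01 10.0.5.20 110000
2023-07-11T02:10:00 fileserver01 185.0.0.7 900000000
2023-07-11T02:20:00 fileserver01 185.0.0.7 850000000
2023-07-11T08:30:00 laptop42 10.0.5.20 5000
2023-07-11T09:00:00 workstation07 52.1.1.9 40000
"""


def parse_logs(text):
    """Parse the assumed format into (timestamp, src, dst, bytes_out) tuples."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, src, dst, nbytes = line.split()
        records.append((datetime.fromisoformat(ts), src, dst, int(nbytes)))
    return records


def hour_bucket(ts):
    """Truncate a timestamp to the start of its hour."""
    return ts.replace(minute=0, second=0, microsecond=0)


def build_baseline(records, cutoff):
    """Per host: peak hourly outbound bytes and destinations seen before cutoff."""
    hourly = defaultdict(int)
    dests = defaultdict(set)
    for ts, src, dst, nbytes in records:
        if ts >= cutoff:
            continue
        hourly[(src, hour_bucket(ts))] += nbytes
        dests[src].add(dst)
    peak = defaultdict(int)
    for (src, _), total in hourly.items():
        peak[src] = max(peak[src], total)
    return {"peak_hourly": dict(peak), "dests": dict(dests)}


def detect(records, baseline, cutoff, factor=10, new_dest_min_bytes=100_000_000):
    """Flag (host, hour) windows at or after cutoff that look like bulk exfiltration.

    Reasons raised:
      outbound_volume_exceeds_baseline       hourly total > factor x the host's baseline peak
      large_transfer_to_new_destination:<ip> >= new_dest_min_bytes to an address never seen
      host_absent_from_baseline              no baseline for this host (worth a look, not proof)
    """
    by_window = defaultdict(lambda: defaultdict(int))  # (src, hour) -> dst -> bytes
    for ts, src, dst, nbytes in records:
        if ts < cutoff:
            continue
        by_window[(src, hour_bucket(ts))][dst] += nbytes

    alerts = []
    for (src, hour), by_dst in sorted(by_window.items()):
        total = sum(by_dst.values())
        reasons = []
        peak = baseline["peak_hourly"].get(src)
        if peak is None:
            reasons.append("host_absent_from_baseline")
        elif total > factor * peak:
            reasons.append("outbound_volume_exceeds_baseline")
        known = baseline["dests"].get(src, set())
        for dst, nbytes in sorted(by_dst.items()):
            if dst not in known and nbytes >= new_dest_min_bytes:
                reasons.append(f"large_transfer_to_new_destination:{dst}")
        if reasons:
            alerts.append({"host": src, "hour": hour.isoformat(),
                           "bytes_out": total, "reasons": reasons})
    return alerts


def run_example():
    """Baseline on the first day of the constructed sample, then check the second."""
    records = parse_logs(SAMPLE_LOGS)
    cutoff = datetime(2023, 7, 11)
    return detect(records, build_baseline(records, cutoff), cutoff)


if __name__ == "__main__":
    for alert in run_example():
        print(alert)
```

On the sample this raises two alerts: fileserver01 in the 02:00 window (volume far above its baseline peak and a large transfer to the unseen 185.0.0.7) and laptop42 for having no baseline; workstation07 stays quiet because its volume and destination match the prior day. In production the baseline would be built from weeks rather than one day and the `factor` tuned per host class, but the structure (baseline per host, then volume and destination novelty per window) is the part that matters.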