Credential Theft
- Mimikatz
Karakurt is a Russia-linked cyber extortion operation associated with the broader Conti/TrickBot criminal ecosystem and active since at least 2020, with activity observed from mid-2021 onward.
Profile source: Mallory opens in a new tabKaraKurt
Karakurt is a Russia-linked cyber extortion operation associated with the broader Conti/TrickBot criminal ecosystem and active since at least 2020, with activity observed from mid-2021 onward. It is widely characterized as an extortion-focused ransomware brand that often emphasized data theft and coercive leak threats rather than relying solely on file encryption, making it part of the broader trend toward encryption-less or pure extortion operations. The group has been linked to former Conti members and has appeared alongside other successor or affiliated brands including Royal, TommyLeaks, SchoolBoys Ransomware, and Akira.
Karakurt primarily targeted organizations in North America and Europe, including businesses, government entities, and healthcare organizations. Reported tradecraft includes initial access through stolen VPN credentials, followed by use of common post-compromise tooling such as Cobalt Strike, remote administration software, credential theft utilities, scripting, and archive and transfer tools to move stolen data out of victim environments. Public reporting also links the operation to aggressive victim negotiation practices, short payment deadlines, and ransom demands ranging from relatively modest sums to multimillion-dollar amounts.
The operation is notable for its emphasis on exfiltration and extortion. Operators and affiliates analyzed stolen data, identified sensitive material, and used disclosure threats to pressure victims into paying. In documented cases tied to the broader organization using the Karakurt brand, extortion escalated to especially coercive tactics involving exposure or threatened sale of highly sensitive personal and healthcare information. Karakurt has also been associated with re-extortion behavior against previously compromised victims.
Law enforcement reporting has tied individuals linked to Karakurt to a structured, hierarchical Russian cybercrime organization connected to former Conti leadership. That broader organization used multiple brands over time, obscured operations through front companies, and caused substantial financial losses across dozens of victims worldwide.
Ransomware.live
Reported operators
...Stern has transacted with addresses linked to strains like Quantum, Karakurt, Diavol, and Royal in 2022 following Conti’s demise.
Exploited software
MITRE ATT&CK
Reporting
As the Chainalysis Reactor graph below shows, Stern transacted with numerous ransomware strains, including Ryuk, Conti, Diavol, Karakurt, Royal, 3am, Quantum, and Bitpaymer.
Related: Karakurt Ransomware Negotiator Sentenced to Prison
the syndicate operated under several prominent ransomware brands, including Conti, Karakurt, Royal, TommyLeaks, SchoolBoys Ransomware, and Akira
Deniss Zolotarjovs, a Latvian national linked to the Karakurt ransomware gang, has been sentenced to 8.5 years in U.S. prison... Accenture researchers first detailed the activity of the sophisticated financially motivated threat actor in December 2021. The group’s activity was first spotted in June 2021... The Karakurt cyber extortion group typically gave victims one week to pay a ransom, which ranges from $25,000 to $13 million in Bitcoin.
The ransomware crew identified itself in ransom notes under multiple names during Zolotarjovs’ involvement, including Conti, Karakurt, Royal, TommyLeaks, SchoolBoys Ransomware, Akira and others.
Deniss Zolotarjovs, 35, was a member of a ransomware gang led by former leaders of the Conti ransomware group, and variously known as Conti, Karakurt, Royal, TommyLeaks, SchoolBoys Ransomware, and Akira, among others.
The group operated under multiple ransomware brands, including Conti, Karakurt, Royal, TommyLeaks, SchoolBoys Ransomware, and Akira, reflecting a complex and evolving cybercrime structure.
Prosecutors identified the group as Karakurt — a ransomware and data extortion operation that has faded from view in recent years but launched dozens of high-profile attacks dating back to 2020.
Derp wouldn't exist without the work these projects do for the security community. We rely on their data sources to improve the quality and depth of what we publish. Thank you, we're genuinely grateful.