The U.S. Department of Justice has confirmed that the Karakurt ransomware gang maintained operational access to Russian government databases and contacts within Russian law enforcement, using that privileged access to intimidate victims into paying ransoms. The disclosure came alongside the sentencing of Latvian national Deniss Zolotarjovs to more than eight years in U.S. federal prison. Karakurt extorted at least $15 million from more than 54 corporate victims.

What Happened

A U.S. federal court sentenced Zolotarjovs after his guilty plea for participating in Karakurt ransomware operations. He was arrested in Georgia in 2023 and extradited to the United States in August 2024. According to DOJ filings, Karakurt was led by former senior figures from the Akira and Conti ransomware operations, both previously sanctioned by the U.S. Treasury for ties to Russian intelligence services. Zolotarjovs personally handled the role of "escalating pressure" against victims who refused initial ransom demands. Prosecutors detailed how the gang leveraged contacts inside the Russian state to look up victim information, threaten targets, and operate with effective immunity inside Russia.

What Was Taken

Karakurt's victim list spans more than 54 companies, with confirmed ransom payments totaling at least $15 million. Documented impacts include the disruption of 911 emergency dispatch systems at U.S. government entities and the theft of children's health information from victim organizations. The DOJ disclosure also references gang access to records held in Russian government databases, which were used as leverage rather than monetized externally. Sensitive corporate data, personally identifiable information, and protected health information were exfiltrated across the campaign window.

Why It Matters

This case is one of the most explicit U.S. government statements to date tying a ransomware crew to operational use of a foreign government's internal systems. The DOJ alleges Karakurt "fueled corruption" inside the Russian state: leaders avoided taxation, bribed officials for exemptions from compulsory military service, and tapped police and database resources to pressure victims. For defenders, this confirms that some ransomware operators are not opportunistic criminals but quasi-state actors with intelligence support, expanded reconnaissance capabilities, and effective sanctuary from extradition. Russia's role as a "safe haven" for cybercrime, repeatedly flagged by U.S. officials, is reinforced by court-admitted evidence rather than analyst speculation.

The Attack Technique

Karakurt operated primarily as a data-theft and extortion crew, often without deploying file-encrypting malware. The group typically gained initial access through purchased credentials, phishing, and exploitation of internet-facing services, then escalated to bulk exfiltration of corporate data. The differentiator highlighted by the DOJ is the post-intrusion pressure phase: Zolotarjovs and others used Russian law enforcement contacts and government database lookups to enrich victim profiles, identify executives, and threaten targets with consequences that appeared to extend beyond the digital domain. Karakurt operations have since gone dormant, consistent with the broader pattern of Russian-nexus crews rebranding to evade sanctions and law enforcement attention.

What Organizations Should Do

Source: DOJ says ransomware gang tapped into Russian government databases | TechCrunch