Pierluigi Paganini
August 23, 2024
Deniss Zolotarjovs (33), a Russian cybercriminal, has been charged in a U.S. court for his role in the Russian Karakurt cybercrime gang. The man has been charged with money laundering, wire fraud, and extortion. The man was arrested in Georgia in December 2023 and recently extradited to the U.S..
“According to court documents, Zolotarjovs is a member of a known cybercriminal organization that attacks computer systems of victims around the world.” reads the press release published by DoJ. “Among other things, the Russian cybercrime group steals victim data and threatens to release it unless the victim pays ransom in cryptocurrency. The group maintains a leaks and auction website that lists victim companies and offers stolen data for download.”
Zolotarjovs was an active member of the Karakurt cybercrime gang, he was involved in communication with other members, and claundering cryptocurrency received from victims, and extorting victims.
Accenture researchers first detailed the activity of the sophisticated financially motivated threat actor in December 2021. The group’s activity was first spotted in June 2021, but the group has been more active in Q3 2021.
Zolotarjovs is the first member of the Karakurt group that has been arrested and extradited to the United States.
Most of the known victims (95%) are based in North America, while the remaining 5% are in Europe.
The analysis of the attack chain associated with this threat actor revealed that it primarily leverages VPN credentials to gain initial access to the target’s network.
In the initial attacks, the group gained persistence by using the popular post-exploitation tool Cobalt Strike. In recent attacks, the group switched on VPN IP pool or AnyDesk software to establish persistence and avoid detection.
Once gained access to the target network, the group uses various tools to escalate privileges, including Mimikatz or PowerShell to steal ntds.dit that contains Active Directory data.
However, the threat group in most attacks escalated privileges using previously obtained credentials.
For data exfiltration the group has been seen utilizing 7zip and WinZip for compression, as well as Rclone or FileZilla (SFTP) to upload data to Mega.io cloud storage.
The Karakurt cyber extortion group typically gives victims one week to pay a ransom, which ranges from $25,000 to $13 million in Bitcoin. This information comes from a joint alert issued by the FBI, CISA, the Department of the Treasury, and FinCEN.
Typically, the Karakurt hackers give their victims one week to make the payment, with ransom demands ranging between $25,000 and $13 million in Bitcoin, reads the joint alert published by US agencies in December 2023.
Follow me on Twitter: @securityaffairs and Facebook and Mastodon
(SecurityAffairs – hacking, cybercrime)
Cyber Crime / September 12, 2024
Malware / September 11, 2024
