LIVE NEWSROOM · --:-- · May 26, 2026

Latvian Conti/Karakurt Ransomware Negotiator Deniss Zolotarjovs Sentenced to 102 Months in Prison


Deniss Zolotarjovs, 35, a Latvian national living in Moscow, was sentenced to 102 months (8.5 years) in federal prison for his role in a major ransomware and extortion organisation led by former Conti ransomware leaders. The sentence, handed down by a U.S. federal court in May 2026, caps a prosecution that spanned extradition from Georgia and documented attacks against more than 54 companies — resulting in over $56 million in losses including $2.8 million in ransomware payments — across multiple branded ransomware operations including Conti, Karakurt, Royal, Akira, TommyLeaks, and SchoolBoys.

// 01 Background: Who Is Deniss Zolotarjovs

Zolotarjovs was not a technical operator or malware developer. His role within the ransomware organisation was that of an extortion negotiator and pressure escalator — the individual responsible for convincing victims who resisted initial ransom demands to pay, through escalating intimidation, public data leaks, and targeted harassment.

His active participation in the organisation spanned approximately June 2021 to August 2023, a period that corresponds to the post-Conti restructuring phase when former Conti leadership reorganised into a loose constellation of branded ransomware operations. The Conti ransomware group itself publicly disbanded in May 2022 following a high-profile data leak that exposed its internal communications and source code. Former Conti leadership subsequently launched or merged into Karakurt (a data-exfiltration extortion group), Royal, Akira, TommyLeaks, and SchoolBoys — all of which are represented in the brands Zolotarjovs participated in.

// 02 The 54-Company Spree: Key Details

During Zolotarjovs's involvement, the organisation attacked over 54 companies across the United States and internationally. The Department of Justice press release highlights the scope: attacks on just 13 of those 54 companies produced $56 million in losses, including $2.8 million in direct ransom payments.

The most disturbing documented case involved an attack on a pediatric healthcare company. When the organisation failed to secure a ransom payment, Zolotarjovs deliberately leveraged children's health records — personal and medical data belonging to minor patients — as pressure instruments. He urged co-conspirators to leak or sell copies of the pediatric health records to "sow fear among future victims." The tactic represents a documented escalation: using particularly sensitive data types involving minors to maximise psychological pressure on victim organisations.

// 03 Arrest and Extradition

Zolotarjovs was arrested in Georgia (the country, not the U.S. state) and subsequently extradited to the United States, where he faced federal charges. He pleaded guilty and was sentenced to 102 months in federal prison. The prosecution is a successful example of the international law enforcement cooperation that has become increasingly important in pursuing ransomware actors operating from countries with historically limited extradition cooperation with the U.S.

// 04 The Conti/Karakurt Ransomware Ecosystem

Understanding the conviction requires understanding the post-Conti organisational structure. The Conti ransomware group (active 2020–2022) was one of the most prolific ransomware operations in history, earning hundreds of millions of dollars in ransom from healthcare providers, government agencies, and major corporations. After Conti's internal communications were leaked in February 2022 and the group publicly disbanded in May 2022, its leadership dispersed into multiple successor operations:

  • Karakurt (data-theft extortion without encryption, targeting organisations for ransom based solely on exfiltrated data)
  • Royal (a selective, human-operated ransomware targeting high-value organisations)
  • Akira (a fast-growing ransomware-as-a-service operation that has attacked over 300 organisations since 2023)
  • TommyLeaks / SchoolBoys (extortion-focused operations with limited public profile)

This ecosystem model — multiple branded fronts sharing personnel, infrastructure, and victim data — allows former Conti operators to continue earning while complicating law enforcement attribution. Zolotarjovs's prosecution demonstrates that the U.S. Department of Justice continues building cases against individual actors within these dispersed networks, even when central command-and-control structures have dissolved.

// 05 Significance for Law Enforcement and Deterrence

The 102-month sentence is one of the more substantial ransomware-related prison terms issued by U.S. courts, though it sits below the 20-year maximums that accompany the most severe federal cybercrime charges. The Zolotarjovs prosecution matters for several reasons:

Extradition from non-traditional partners: Georgia is not a country with deep historical law enforcement cooperation with the United States on cybercrime. Successful extradition from Georgia signals continued willingness and capability by U.S. authorities to pursue ransomware actors in jurisdictions where they believed themselves safe.

Non-technical roles are prosecutable: Zolotarjovs was not a coder or network attacker. His prosecution establishes clearly that extortion negotiators, pressure operatives, and others who play supporting roles in ransomware operations face meaningful criminal exposure under U.S. federal law.

Healthcare targeting carries higher risk: The pediatric health records case underscores an enforcement priority: attacks against healthcare organisations, and especially the deliberate weaponisation of patient data — particularly minors' data — are treated with particular seriousness by U.S. prosecutors.

// 06 What Security Teams Should Take From This

  • Karakurt and Akira remain active threats. The sentencing of one member does not dismantle these organisations. Akira in particular has been one of the most active ransomware operations of 2025–2026.
  • Healthcare organisations should prioritise ransomware resilience. The deliberate targeting of pediatric health records as pressure instruments is not an isolated tactic — it reflects a calculated strategy to maximise leverage against victim organisations by targeting their most sensitive data.
  • Review DOJ ransomware IOCs for Karakurt and Akira, published via CISA advisories, and apply them to your threat detection tooling.
  • Incident response planning should explicitly address the scenario where ransomware actors threaten to leak sensitive data, particularly patient records, financial data, or data involving minors — and prepare communications and legal response strategies in advance.

// 07 Conclusion

Deniss Zolotarjovs has been sentenced to 102 months in federal prison for his role as an extortion escalator in the post-Conti ransomware ecosystem, which targeted more than 54 companies and generated $56 million in losses. His prosecution reinforces that U.S. law enforcement will pursue ransomware participants in supporting roles, across international borders, and with particular determination when attacks involve healthcare data and minors.

    Team Ciphers Security

    The Ciphers Security editorial team — practitioners covering daily threat intel, CVE deep-dives, and hands-on cybersecurity research.
