Ransomware Negotiator Jailed for 8.5 Years After $56M Extortion Scheme

Ransomware headlines often focus on malware, zero-days, and initial access brokers. But a major part of the ransomware economy runs on a different role: the people who turn stolen data into leverage and convert fear into payments.

A Latvian national, Deniss Zolotarjovs (35), has been sentenced to 102 months (8.5 years) in U.S. federal court for his role as a negotiator tied to an extortion operation associated with names including Karakurt, TommyLeaks, and SchoolBoys Ransomware. Authorities link the campaign to more than $56 million in losses and over 50 victim organizations.

This case matters for CISOs and SOC leaders because it highlights a reality many incident response plans underweight: the negotiation layer is part of the attack chain. It’s where data is weaponized, pressure is calibrated, and victims are pushed toward business-impact decisions under time constraints.


What Happened: Timeline and Outcome

Key milestones reported by U.S. authorities:

  • Arrested: December 2023 (overseas)
  • Transferred to U.S. custody: August 2024
  • Pled guilty: July 2025 to conspiracy involving money laundering and wire fraud
  • Sentenced: 102 months (8.5 years) in May 2026

According to the court narrative summarized publicly, prosecutors said his involvement in the conspiracy spanned roughly June 2021 through March 2023, and the group’s activities included theft and extortion across dozens of organizations.


Why This Case Is Different: The “Negotiator” Role

Zolotarjovs was not described as the person who wrote the malware or executed the intrusions. Instead, authorities describe him as a specialist in coercion and monetization:

  • He analyzed stolen data to identify pressure points for extortion.
  • He participated in negotiations and helped shape threat strategy with co-conspirators.
  • He received a percentage cut of ransom proceeds (reported as 10% in coverage), paid in cryptocurrency, then moved through multiple wallets before conversion.

Key takeaway: Many ransomware groups operate like businesses. The negotiator is the “revenue function,” translating technical intrusion into measurable cash outcomes.


The Human Impact: Children’s Health Records and Public Safety

What makes this case especially disturbing is the allegation that stolen children’s health information was used to increase leverage during extortion.

Authorities also cite the disruption of a 911 emergency system connected to the broader activity tied to the group’s attacks, underscoring that ransomware is not only a financial crime—it can become a public safety incident.

A Justice Department statement characterized the conduct as ruthless and emphasized continued pursuit of international cyber extortionists.


How Ransomware Extortion Works (Beyond Encryption)

This case reinforces a common modern pattern: many operations are no longer “pure ransomware.” They are data theft plus extortion, with or without encryption.

A typical extortion workflow looks like this:

  1. Intrusion and data theft (PII, PHI, contracts, HR docs, credentials)
  2. Pressure design (identify the most damaging data; define deadlines and threats)
  3. Negotiation (demand, counteroffers, staged releases, threats of publication)
  4. Payment rails (crypto wallets, mixing/hopping, cash-out in local currency)

Key takeaway: Even if you restore from backups, data-theft extortion can continue. That’s why negotiations and communications become part of incident containment.


What CISOs and SOC Leaders Should Learn

1) Negotiation is an attack surface

Attackers gather intel about your org during negotiations—structure, urgency, priorities, legal posture, and internal friction. Treat negotiation channels like a controlled interface.

Practical steps:

  • Use a single controlled comms path
  • Maintain strict message discipline (no unnecessary disclosure)
  • Document every interaction for legal and investigative continuity

2) Data sensitivity changes attacker leverage

The case illustrates how sensitive datasets (especially healthcare and children’s data) can be weaponized for psychological pressure.

Practical steps:

  • Classify crown jewels (PHI/PII/IP) and harden access
  • Reduce data sprawl (retention limits, least privilege, segmentation)
  • Monitor for exfiltration patterns (large outbound, unusual cloud uploads)
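As an added illustration of the “monitor for exfiltration patterns” step (example code written for this article, not from any source it cites), the Python below aggregates outbound bytes per internal host from constructed flow records and flags hosts that exceed a baseline multiple or push a large upload to a destination outside a cloud allowlist. The host names, baselines, thresholds and allowlist are all assumptions.

```python
from collections import defaultdict
from dataclasses import dataclass

# Constructed sample of outbound flow records: (source host, destination, bytes out).
# Values are made up for illustration; feed your own flow or proxy export in practice.
FLOWS = [
    ("ws-finance-07", "mail.example-corp.internal", 120_000),
    ("ws-finance-07", "storage.example-cloud.test", 8_500_000_000),       # 8.5 GB upload
    ("ws-hr-02", "crm.example-saas.test", 45_000_000),
    ("ws-hr-02", "filetransfer.example-unknown.test", 2_200_000_000),     # 2.2 GB to unknown host
    ("srv-db-01", "backup.example-corp.internal", 50_000_000_000),        # routine internal backup
    ("ws-dev-11", "git.example-corp.internal", 300_000_000),
]

# Assumed per-host daily baselines (e.g. a 30-day median) and sanctioned cloud destinations.
BASELINE_BYTES = {
    "ws-finance-07": 150_000_000,
    "ws-hr-02": 100_000_000,
    "srv-db-01": 60_000_000_000,
    "ws-dev-11": 500_000_000,
}
CLOUD_ALLOWLIST = {"crm.example-saas.test"}
BASELINE_MULTIPLE = 5.0            # alert when daily outbound exceeds 5x the host baseline
LARGE_UPLOAD_BYTES = 1_000_000_000 # a single-destination transfer of 1 GB or more is "large"


@dataclass(frozen=True)
class Finding:
    host: str
    reason: str
    detail: str


def find_exfil_candidates(flows, baseline, allowlist):
    """Return findings for hosts with anomalous outbound volume or large unsanctioned uploads."""
    per_host = defaultdict(int)
    findings = []
    for host, dst, nbytes in flows:
        per_host[host] += nbytes
        # Large upload to an external destination that is not an approved cloud service
        internal = dst.endswith(".internal")
        if nbytes >= LARGE_UPLOAD_BYTES and not internal and dst not in allowlist:
            findings.append(Finding(host, "large_upload_unsanctioned", f"{nbytes} bytes to {dst}"))
    for host, total in per_host.items():
        # Total outbound volume far above the host's own baseline, regardless of destination
        base = baseline.get(host)
        if base and total > BASELINE_MULTIPLE * base:
            findings.append(Finding(host, "volume_over_baseline", f"{total} bytes vs baseline {base}"))
    return sorted(findings, key=lambda f: (f.host, f.reason))
```

Both checks fire for the two workstations in the sample, while the database server's large but internal backup traffic stays within its baseline and produces nothing.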

3) Your incident plan must include “extortion operations”

Many organizations have IR playbooks focused on containment and restoration, but insufficient emphasis on:

  • extortion communications strategy
  • legal/regulatory notification triggers
  • stakeholder messaging (customers, patients, partners)

4) Crypto tracking matters operationally

The laundering details in this case reinforce why crypto tracing and wallet intelligence can help:

  • support law enforcement engagement
  • identify overlaps across campaigns
  • locate cash-out patterns for disruption

Common Misconceptions (That Increase Damage)

  • “If we don’t pay, we’re safe.”
    Not always. Data may still be leaked or sold, and secondary extortion can continue.
  • “Negotiation is just a business decision.”
    It’s also a security function—negotiation leaks intelligence, influences attacker behavior, and impacts dwell time.
  • “This only affects IT.”
    These incidents are cross-functional: legal, privacy, comms, finance, and executive leadership must be engaged immediately—especially when healthcare or children’s data is involved.

FAQs

Who was sentenced and for how long?
Deniss Zolotarjovs, a Latvian national, was sentenced to 102 months (8.5 years) in U.S. federal court.

What ransomware group was he associated with?
The case references an extortion operation using names including Karakurt, TommyLeaks, and SchoolBoys Ransomware.

What was his role if he didn’t hack systems?
Authorities describe him as a negotiator who analyzed stolen data and helped plan and conduct extortion negotiations and pressure tactics.

What was the impact of the scheme?
Public statements cite $56 million in losses and at least 53 victims tied to the activity described.

Why is the children’s health data detail important?
It shows how attackers use highly sensitive data to intensify coercion and increase payment probability—especially in healthcare incidents.


Conclusion

This sentencing is a clear message: ransomware operations are not only about malware developers and initial access brokers. The ecosystem includes negotiators who optimize intimidation, maximize ransom yield, and weaponize stolen data—including extremely sensitive information like children’s health records.

For defenders, the practical takeaway is simple:

Build ransomware defense and response around the full lifecycle—prevention, detection, containment, restoration, and extortion operations. The faster you reduce data exposure and control negotiation pathways, the less leverage attackers have.
