Cybercrime headlines today include the sentencing of a Latvian national involved with Karakurt and other ransomware gangs, who was sentenced to 102 months in prison. Reading the court filings on the case, the FBI's affidavit rang a bell at one point.

In October 2023, I was contacted by someone claiming to be a cybersecurity researcher who had found one of Karakurt and Akira's storage servers. They told me that they were contacting the gangs' victims and trying to get paid for finding the data and research. It didn't sound "whitehat" to me, and when "anonymoux" said he tried to get a reward from Rewards for Justice but had gotten no reply and wanted to get in touch with the FBI, I agreed to help them make contact with the FBI. While many TAs avoid law enforcement, DataBreaches has known several who want to be in touch with the FBI. While some want to try to make deals because they think they are about to be arrested, others just think they will outsmart the FBI. "Anonymoux" seemed to be in that latter group.

I later wrote about my interactions with "anonymoux" in January 2024: https://databreaches.net/2024/01/10/follow-on-extortion-campaign-confirmation-of-some-findings-by-arctic-wolf/

Now that court filings for Deniss Zolotarjovs (Денисс Золотарёвс), aka "Sforza_cesarini," have been unsealed, you can read the FBI agent's affidavit in support of the complaint and arrest, in which he describes how he and Zolotarjovs chatted, and how he eventually concluded that "anonymoux" was Zolotarjovs:

https://storage.courtlistener.com/recap/gov.uscourts.ohsd.295291/gov.uscourts.ohsd.295291.6.0.pdf

#databreach #ransomware #karakurt #akira #tommyleaks #schoolboys #blockbit #

NEW:

Yesterday, the USAO in Maryland issued a press release stating that Matthew Bathula, a clinical pharmacy specialist, had been charged with unauthorized access and ID theft involving patients at "Company A" -- a medical system in Maryland. 195 patients have been notified.

If you read the DOJ presser, it alleges a lot of activities that go waaaay beyond the usual insider "snooping."

A little digging revealed that "Company A" is the University of Maryland Medical Center, where Bathula was employed during the years of alleged wrongdoing.

Read the presser and more at:

https://databreaches.net/2026/05/02/maryland-pharmacist-indicted-on-unauthorized-computer-access-related-to-u-maryland-medical-center/

#databreach #IDtheft #HIPAA #infosec #insider #healthsec

The NYS Department of Financial Services announced that they settled charges against Delta Dental Insurance Co. and Delta Dental of New York stemming from the 2023 Clop/MOVEit data breach.

The state's investigation found that Delta had violated NYS cybersecurity regs in a number of ways.

Delta has agreed to pay $2.25 million, none of which can be paid by their insurers and they can accept any reimbursement for the payment from any source.

I wonder how many other MOVEit customers who do business in New York are also dealing with NYSDFS.

https://databreaches.net/2026/05/01/nysdfs-secures-2-25-million-cybersecurity-settlement-with-delta-dental/

#databreach #hackandleak #supplychain #0day #DeltaDental #MOVEit #Clop #NYSDFS

@campuscodi @zackwhittaker

This won't be the end of this controversy, but a California court did not dismiss claims against Bain Capital over the PowerSchool data breach. In considering the timeline and the private equity firm's actions before and after its acquisition of PowerSchool in 2024, the court noted, in part:

"Post-closing, Bain directed PowerSchool to offshore cybersecurity, engineering, and IT functions to contractors, including offshoring required data-management tools that enabled vendors to bypass consent protocols and access protected school district computers directly.

Bain failed to assess data-breach risks from the offshoring it directed.

Post-closing, Bain directed layoffs of at least 5% of PowerSchool’s workforce, including critical domestic IT staff."

Read more from Womble Bond Dickinson at https://www.womblebonddickinson.com/us/insights/alerts/unprecedented-private-equity-firm-potentially-hook-portfolio-companys-data-breach

h/t, JDSupra, The National Law Review

@douglevin @funnymonkey

#EdTech #Liability #negligence #PowerSchool #BainCapital #hackandleak

I pause today to remember Ayrton Senna, the #GOAT in #F1, who died on this day in 1994 in a horrific accident at Imola.

Ayrton Senna, 1960 - 1994

Another #EdTech vendor has allegedly fallen prey to #ShinyHunters in yet another Salesforce-related hack-and-leak incident.

Follett Software markets Aspen, Destiny, and Classroom Library Manager software to schools.

The threat actors claim to have acquired 4 million records with PII and other corporate files, and have given Follett until May 4 to contact them.

Because this is Salesforce related, there may actually be very little identifiable information about students or personnel in the customer support data, unless district or school personnel gave students' names or details in seeking help with the software or specific problems.

I guess we'll find out soon.

#EduSec #databreach #hackandleak

@douglevin @funnymonkey @mkeierleber

Today, two cybersecurity professionals who made a deal with AlphV/BlackCat to use their #ransomware to attack multiple victims in the U.S. were sentenced to four years in prison. A third co-conspirator has yet to be sentenced.

Two of the three worked for DigitalMint; the third worked for Sygnia. Neither firm had any knowledge of its employees' illegal activities and cooperated fully with law enforcement.

One of the victims was a doctor's office that the defendants had encrypted. Then, when the doctor wouldn't pay, they leaked patient data and wouldn't provide a decryptor.

Both of the defendants sentenced today had pleaded guilty to one count of conspiracy to obstruct, delay, or affect commerce or the movement of any article or commodity in commerce by extortion in violation of 18 U.S.C. § 1951(a).

They faced maximum sentences of 20 years, but were sentenced to four years.

Goldilocks and the 3 Verdicts Poll:

Does their sentence seem

RE: https://infosec.exchange/@DysruptionHub/116490250396303041

"County IT Director Devonte Demby told supervisors the attacker appeared to enter through a sanitation department computer running Windows 7, which he described as obsolete and vulnerable. Demby said the county did not have cybersecurity insurance."

ohhhhh..........