U.S. Warns of Karakurt Data Extortion Group
The group reportedly obtains access to organizations either through stolen login credentials or already compromised victims.
The U.S. government is warning of yet another group that over the past few months has been stealing corporate data and threatening to auction it off unless their ransom is met.
In a joint cybersecurity advisory issued this week by the Federal Bureau of Investigation (FBI), the Cybersecurity and Infrastructure Security Agency (CISA), the Department of the Treasury (Treasury), and the Financial Crimes Enforcement Network (FinCEN), the groups warned of Karakurt, an extortion group that’s been asking anywhere between $25,000 to $13 million in Bitcoin in ransom for stolen data.
Unlike some ransomware groups, which will encrypt data, making it inaccessible for users, then exfiltrate it before asking for a ransom payment, the Karakurt threat actors obtain data through victims who have already been compromised - perhaps via a third-party intrusion broker - and through stolen login credentials.
According to the advisory, at the beginning of the year the group operated a leak and auction website, but that has since been shuttered. As of last month, the group had a website, reachable on the dark web, that contained terabytes of data belonging to victims in North America and Europe, along with notes naming and shaming them for not paying the group.
The group, whose name means “black wolf” in Turkish and is also the name of a venomous spider from Europe, isn’t exactly new; it first surfaced last summer, but that doesn't change the fact that it's still causing problems for organizations.
Researchers with Accenture's Cyber Investigations, Forensics and Response (CIFR) team published their findings about the group in December, reporting that it had data from 40 victims between September and November last year.
According to the cybersecurity alert, once inside a system, Karakurt compresses and exfiltrates data via FTP services and cloud storage services, then sends the victim a readme.txt file to let them know their data has been stolen. Like other recent ransomware groups, such as DoppelPaymer, Maze, and Conti, Karakurt members have engaged victims in what sounds like a nasty harassment campaign, calling employees, business partners, and clients to pressure the victim into negotiating with the group.
"These communications often included samples of stolen data—primarily personally identifiable information (PII), such as employment records, health records, and financial business records," the advisory reads.
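The compress-then-upload pattern described above (archive data, push it out over FTP or to a cloud storage service, drop a readme.txt) is something defenders can look for by correlating endpoint and network events. The script below is an added example, not code from the advisory or from the article: it runs over a few constructed log lines and flags a host where a bulk FTP or cloud upload follows an archiver invocation within a look-back window. The log format, the watched cloud host name, the byte threshold and the window are all assumptions to be adapted to a real environment.

```python
import re
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Optional, Tuple

# Constructed endpoint/proxy events (not from the advisory). One event per line:
# ISO timestamp | host | event type | detail
SAMPLE_LOG = """\
2022-06-02T09:12:04 | ws-finance-07 | process | 7z.exe a C:\\Users\\Public\\hr_export.7z C:\\Shares\\HR
2022-06-02T09:20:31 | ws-finance-07 | netconn | dst=203.0.113.45:21 proto=tcp bytes_out=734003200
2022-06-02T09:41:10 | ws-finance-07 | file | create C:\\Users\\Public\\readme.txt
2022-06-02T10:03:55 | ws-dev-02 | process | 7z.exe a C:\\build\\release.7z C:\\build\\out
2022-06-02T10:05:12 | ws-dev-02 | netconn | dst=198.51.100.8:443 proto=tcp bytes_out=2048
2022-06-02T11:15:00 | ws-sales-11 | netconn | dst=files.cloud-storage.example:443 proto=tcp bytes_out=1258291200
2022-06-02T11:30:00 | ws-sales-11 | process | winrar.exe a D:\\contracts.rar D:\\Contracts
"""

# Archiver invocations in "add" mode (7-Zip and WinRAR both use the "a" command).
ARCHIVE_CMD_RE = re.compile(r"\b(7z|7za|rar|winrar)(\.exe)?\s+a\s", re.IGNORECASE)
NETCONN_RE = re.compile(r"dst=(?P<dst>[^:\s]+):(?P<port>\d+).*?bytes_out=(?P<bytes>\d+)")

# Assumption: cloud-storage hosts an organization chooses to watch; placeholder name, tune to your environment.
WATCHED_CLOUD_HOSTS = {"files.cloud-storage.example"}
FTP_PORTS = {21, 990}  # plain FTP and implicit FTPS


@dataclass
class Event:
    ts: datetime
    host: str
    kind: str
    detail: str


def parse_event(line: str) -> Optional[Event]:
    """Parse one 'ts | host | kind | detail' line; return None for malformed lines."""
    parts = [p.strip() for p in line.split(" | ", 3)]
    if len(parts) != 4:
        return None
    ts, host, kind, detail = parts
    return Event(datetime.fromisoformat(ts), host, kind, detail)


def classify_upload(detail: str) -> Optional[Tuple[str, int]]:
    """Return (channel, bytes_out) if the connection is an FTP or watched cloud upload, else None."""
    m = NETCONN_RE.search(detail)
    if not m:
        return None
    dst, port, sent = m.group("dst"), int(m.group("port")), int(m.group("bytes"))
    if port in FTP_PORTS:
        return ("ftp", sent)
    if dst in WATCHED_CLOUD_HOSTS:
        return ("cloud", sent)
    return None


def find_exfil_candidates(log_text: str, window: timedelta = timedelta(hours=1),
                          min_bytes: int = 100 * 1024 * 1024) -> List[Dict[str, object]]:
    """Flag hosts where a bulk upload follows an archive creation within `window`.

    Events are assumed to arrive in time order, as they would from a sorted log export.
    """
    recent_archives: Dict[str, List[Event]] = {}
    alerts: List[Dict[str, object]] = []
    for raw in log_text.splitlines():
        ev = parse_event(raw)
        if ev is None:
            continue
        if ev.kind == "process" and ARCHIVE_CMD_RE.search(ev.detail):
            recent_archives.setdefault(ev.host, []).append(ev)
            continue
        if ev.kind != "netconn":
            continue
        upload = classify_upload(ev.detail)
        if upload is None or upload[1] < min_bytes:
            continue
        channel, sent = upload
        # Only archive events on the same host inside the look-back window count as precursors.
        prior = [a for a in recent_archives.get(ev.host, []) if ev.ts - a.ts <= window]
        if prior:
            alerts.append({"host": ev.host, "channel": channel, "bytes_out": sent,
                           "archive_cmd": prior[-1].detail, "at": ev.ts.isoformat()})
    return alerts


if __name__ == "__main__":
    for alert in find_exfil_candidates(SAMPLE_LOG):
        print(alert)
```

On the constructed sample only ws-finance-07 is flagged: the build host archives but sends almost nothing, and the sales host's large upload precedes its archive rather than following it. A readme.txt creation after the upload, as on the flagged host, is a natural third signal to chain onto the same alert, and the note itself is usually only written once the data is already gone, so the archive-plus-upload pair is the earlier place to catch this.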
It’s often said there’s no honor among thieves, and that certainly seems to be the case here. If it wasn’t already bad enough for those impacted by Karakurt, according to the joint advisory, the group has targeted victims that were either previously attacked or under attack by ransomware groups, suggesting the groups either shared intelligence or, more likely, that Karakurt purchased access to a compromised system that was also sold to a ransomware group.
While Karakurt could be viewed as a much lesser threat than ransomware groups like Hive, which the Department of Health and Human Services warned about in April, it’s possible that authorities view the group as a looming side threat.
Earlier this year, researchers suggested that Karakurt has a connection to the Conti ransomware group, hinting that the two may have similar motives and could be pooling their resources. If that’s the case, it makes sense that feds are looking to stay ahead of both groups.
To help familiarize defenders with Karakurt, if they aren't already, CISA and the FBI provide indicators of compromise, tools used by the group, sample ransom notes, and MITRE ATT&CK techniques in the advisory.