close up of a laptop keyboard with a breached warning in bright red above the keys

A new joint Cybersecurity Advisory (CSA) has been issued by the Federal Bureau of Investigation (FBI), the Cybersecurity and Infrastructure Security Agency (CISA), the Department of the Treasury (Treasury) and the Financial Crimes Enforcement Network (FinCEN) to raise awareness and provide information about the Karakurt Data Extortion Group.

Who is the Karakurt Data Extortion Group?

The Karakurt Data Extortion Group, also known as Karakurt Team and Karakurt Lair, is a threat actor threatening companies to publicly disclose internal stolen data unless they receive payment of a ransom, which ranges from $25,000 USD to $13,000,000 USD in Bitcoin (BTC), within a week.

According to AdvIntel, the Karakurt Team is a subgroup of CONTI threat actor, shown in Figure A.

SEE: The Dark Web: A guide for business professionals (free PDF) (TechRepublic)

That subgroup, according to AdvIntel’s researchers, has been created to monetize victims’ compromises when it could not be ransomed via the use of ransomware. It seems it happens quite frequently that the ransomwares used by CONTI cannot run or fail at encrypting data due to technical or privileges issues, which leads to zero revenue for them. In that case, the Karakurt team can work on monetizing the data theft instead of the data encryption.

Figure A

Karakurt CONTI Division ties illustrated as a spider
Image: AdvIntel. CONTI and Karakurt Team ties.

Modus operandi

The Karakurt team employs different tactics, techniques and procedures (TTPs) against targets that seem randomly selected.

The initial compromise allowing the threat actor to get access to the target generally involves obtaining valid login credentials, which might be purchased, exchanged via cooperating partners in crime or through buying access to already compromised victims. This is done via third-party initial access brokers (IAB).

The threat actor also has the capability to exploit common vulnerabilities for initial access. A few examples are the infamous Log4Shell vulnerability, vulnerable outdated VPN appliances or malicious Microsoft Office macros.

Once Karakurt Team has obtained valid access, they deploy Cobalt Strike beacons to enumerate the network, before installing and using mimikatz to collect more credentials. They also use AnyDesk software to obtain persistent remote control and more tools to elevate their privileges in the system and move laterally on the network.

The next move from Karakurt Team is to exfiltrate large amounts of data. In many cases, entire network-connected shared drives are compressed with 7zip before being exfiltrated using open-source applications and FTP (File Transfer Protocol) services. The volumes can exceed 1TB of data.

Ransom notes are then sent by email to employees over the compromised email networks and emails sent from external email accounts. The note contains an attribution to Karakurt Team and a link to a TOR URL with an access code.

Clicking on that link and using the access code leads to a chat application used to negotiate with a Karakurt threat actor.

The advisory mentions that “Karakurt victims have reported extensive harassment campaigns by Karakurt actors in which employees, business partners, and clients receive numerous emails and phone calls warning the recipients to encourage the victims to negotiate with the actors to prevent the dissemination of victim data. These communications often included samples of stolen data—primarily personally identifiable information (PII), such as employment records, health records, and financial business records.”

More screenshots showing file trees of stolen data can be shown by the threat actor. Upon agreement on the price for the data deletion, the victim is presented a new, previously unused Bitcoin address to which the payment can be done.

If the payment is done, Karakurt Team provides evidence of data deletion: screen recordings of files being deleted, deletion log file, or credentials to access a storage server, so the victim can delete the data themselves.

In some cases, Karakurt Team has attacked companies which were previously hit by ransomware or attacked at the same time by ransomware threat actors. This suggests that Karakurt Team sometimes buys initial access that is sold to other ransom threat actors at the same time.

Finally, Karakurt Team sometimes exaggerates the degree of compromise to the victim, claiming volume theft bigger than the storage capacity or data theft that does not belong to the victim.

How to protect from this threat?

For starters, sensitive data within companies need to be stored securely, on segmented or physically separated storage. And multiple safe copies should be made. Data should also be regularly backed up, the backups being at least password protected and stored offline.

SEE: How to become a cybersecurity pro: A cheat sheet (TechRepublic)

All operating systems and software need to be constantly up to date to avoid being compromised by a common vulnerability. And security software needs to be deployed on all endpoints and servers.

In addition, administrative privileges should only be provided to employees needing it for their activities, and access controls need to be set in the company using least privilege access principles. Moreover, multi-factor authentication (MFA) needs to be set for every employees’ access. Domain controllers, servers and workstations, and active directory should also be reviewed regularly for new or unrecognized accounts.

Finally, trainings and awareness on cybersecurity needs to be provided to employees, especially regarding phishing and spear phishing.

Disclosure: I work for Trend Micro, but the views expressed in this article are mine.

Subscribe to the Cybersecurity Insider Newsletter

Strengthen your organization's IT security defenses by keeping abreast of the latest cybersecurity news, solutions, and best practices. Delivered every Monday, Tuesday and Thursday

Subscribe to the Cybersecurity Insider Newsletter

Strengthen your organization's IT security defenses by keeping abreast of the latest cybersecurity news, solutions, and best practices. Delivered every Monday, Tuesday and Thursday