UPDATED 21:00 EST / JUNE 02 2022


US government issues warning over ‘Karakurt’ data extortion group

The U.S. government has issued an alert about a little-known data extortion group actively targeting businesses.

The June 1 alert from the Federal Bureau of Investigation, the Cybersecurity and Infrastructure Security Agency, the Department of the Treasury and the Financial Crimes Enforcement Network details a group that operates under the names Karakurt Team and Karakurt Lair. Karakurt uses a variety of tactics, techniques and procedures that the agencies say create significant challenges for defense and mitigation.

With most groups of this type, an attack would involve both encrypting files and stealing data, but Karakurt is different. The group does not encrypt machines or files at all. It only steals data and then threatens to auction or release it if a ransom payment is not made.

Known ransom payments demanded by Karakurt range from $25,000 to $13 million in bitcoin. Payment deadlines are usually set to expire within a week of the first contact with the victim. Karakurt typically provides screenshots or copies of stolen file directories as proof of data theft.

In an arguably more sinister twist, the group has also contacted victims’ employees, business partners and clients with harassing emails and phone calls to pressure the victim into cooperating. The emails sent to those third parties contain samples of the stolen data, such as Social Security numbers, payment account details, private emails and sensitive business data belonging to employees or clients.

When a ransom is paid, Karakurt actors have provided some proof that the stolen files were deleted and, on occasion, have explained how the initial intrusion occurred. The group’s intrusion vectors range from purchasing stolen credentials and obtaining access to already compromised victims to exploiting known vulnerabilities.

“Karakurt is the new face of ransomware that takes advantage of poor encryption,” Scott Bledsoe, chief executive officer at data security company Theon Technology, told SiliconANGLE. “Typically ransomware did not care about the encryption used to protect the data because it did not decrypt the original data, it just took the existing encrypted data and made it unusable to the victim.”

The problem, he explained, is that companies started doing proper backups and therefore stopped paying the ransom. “These ransomware entities now upped the game and would decrypt the data and threaten to publicly disclose it if the company did not pay the ransom,” he said.

Karakurt may not be acting alone. Ivan Righi, senior cyber threat intelligence analyst at digital risk protection firm Digital Shadows Ltd., noted that Karakurt likely has some ties to the far better-known Conti ransomware gang.

“Conti has uploaded large volumes of stolen data to Karakurt’s web servers,” Righi said. “Many cryptocurrency wallets used by Karakurt to receive victims’ payments were sending money to Conti wallets. It is realistically possible that Conti had formed a business relationship with Karakurt, or that Karakurt was a side business of Conti.”

Image: Needpix
