Federal authorities are warning enterprises about a relatively new data extortion group called Karakurt that is targeting organizations for data theft and then holding the data for ransom and demanding large Bitcoin payments in exchange for not publishing the stolen information.
The group does not deploy ransomware on compromised networks, but instead exfiltrates valuable corporate, employee, and customer information and then threatens to publish it if the ransom demands aren’t met. That extortion tactic is quite similar to what some ransomware groups do as an added way to pressure their victims to pay. But Karakurt relies solely on the extortion piece and have demanded as much $13 million from victims, according to a new advisory from the FBI, the Cybersecurity and Infrastructure Security Agency and other federal agencies.
“Karakurt actors have typically provided screenshots or copies of stolen file directories as proof of stolen data. Karakurt actors have contacted victims’ employees, business partners, and clients with harassing emails and phone calls to pressure the victims to cooperate. The emails have contained examples of stolen data, such as social security numbers, payment accounts, private company emails, and sensitive business data belonging to employees or clients,” the advisory says.
“Upon payment of ransoms, Karakurt actors have provided some form of proof of deletion of files and, occasionally, a brief statement explaining how the initial intrusion occurred.”
Like many ransomware groups and some traditional cybercrime groups, Karakurt uses initial access brokers in some of its operations, buying access to compromised systems or networks from actors who have performed the initial intrusion. This model has become increasingly popular in the last few years as it allows actors with the specialized skills and tools needed to break into networks to monetize those abilities while enabling other actors to focus on the post-exploitation activity, ransomware deployment, and data exfiltration. Both sides make money while focusing on what they’re best at.
The Karakurt group, which emerged in the last few months, uses initial access brokers, stolen credentials, and other methods to gain access to target networks. The group does not seem to focus on any specific industries or sectors, but instead hits targets of opportunity. After the actors are inside a network, they typically deploy Cobalt Strike beacons and then use Mimikatz to harvest credentials and AnyDesk to maintain persistence.
“Upon receiving the ransom, Karakurt actors provide some form of alleged proof of deletion of the stolen files."
“Following the exfiltration of data, Karakurt actors present the victim with ransom notes by way of ‘readme.txt’ files, via emails sent to victim employees over the compromised email networks, and emails sent to victim employees from external email accounts. The ransom notes reveal the victim has been hacked by the ‘Karakurt Team’ and threaten public release or auction of the stolen data,” the advisory says.
“The instructions include a link to a TOR URL with an access code. Visiting the URL and inputting the access code open a chat application over which victims can negotiate with Karakurt actors to have their data deleted.”
Part of the Karakurt group’s playbook involves calling and emailing partners, customers, and employees of victim organizations to have them encourage the victims to pay or negotiate. This is common with some ransomware groups, as well.
“Victims who negotiate with Karakurt actors receive a “proof of life,” such as screenshots showing file trees of allegedly stolen data or, in some cases, actual copies of stolen files. Upon reaching an agreement on the price of the stolen data with the victims, Karakurt actors provided a Bitcoin address—usually a new, previously unused address—to which ransom payments could be made,” the advisory says.
“Upon receiving the ransom, Karakurt actors provide some form of alleged proof of deletion of the stolen files, such as a screen recording of the files being deleted, a deletion log, or credentials for a victim to log into a storage server and delete the files themselves.”
Like ransomware groups, Karakurt doesn’t always keep its word about deleting stolen data when victims do pay, and the group also has targeted organizations that are already under attack by a ransomware group, multiplying the victim’s woes.