Federal authorities have warned organizations about a lesser-known extortion gang, Karakurt, which is demanding ransoms of up to $13 million and, according to some cybersecurity specialists, may be linked to the notorious Conti crew.
In a joint opinion [PDF] this week, the FBI, CISA, and US Treasury Department released technical details on how Karakurt works, along with action steps, indicators of compromise, and sample ransom notes. Here is an exerpt :
Recommended actions to take to defend against the crew are: patch known vulnerabilities first, train users to spot and report phishing attempts, and require multi-factor authentication to thwart the use of passwords (say ) stolen or guessed.
Karakurt does not target any specific sector or industry, and the gang’s victims did not have any of their documents encrypted and held for ransom.
Instead, the crooks claim to have stolen data, with screenshots or copies of exfiltrated files as proof, and they threaten to sell or release it publicly if they don’t receive payment. US agencies say these demands range from $25,000 to $13 million in Bitcoin, and Karakurt typically sets a deadline of one week to pay.
The group previously operated a leak and auction website to expose and sell victims’ data, but that domain and IP address were taken offline earlier this spring. However, a dark website containing several terabytes of alleged victim data, along with press releases naming organizations that had not paid and instructions to purchase victim data resurfaced in May.
In addition to demanding payment, Karakurt, named after a type of black widow spider, likes to intimidate its victims by harassing their employees, business partners and customers with pressured emails and phone calls. on the company to pay the ransom.
Criminals typically break into networks either by buying stolen login credentials; the use of third-party initial access brokers, who sell access to compromised systems; or by abusing security flaws in the infrastructure.
Some of the vulnerabilities that crooks exploit for initial access, according to the FBI and friends, include Log4Shell, several bugs in outdated SonicWall and Fortinet Fortigate VPN appliances, outdated instances of Microsoft Windows Server, and then common email tricks such as phishing and malware. attachments.
Once they gain access to a system, Karakurt then deploys tools such as Cobalt Strike, Mimikatz, and AnyDesk to establish backdoors, extract credentials, elevate privileges, and move laterally within networks.
Federal authorities have also noted that Karakurt sometimes extorts victims of previous ransomware infections or even targets organizations already attacked by another criminal group. “In such cases, the Karakurt actors likely purchased or otherwise obtained previously stolen data,” the agencies speculate about the former.
And regarding the multi-gang sub-attack scenario: the US government suggested that “Karakurt actors bought access to a compromised system that was also sold to another ransomware actor.”
Related to Conti?
However, some private sector security researchers have a different theory. In research published in April, they reported a “high degree of confidence that extortion group Karakurt is operationally linked” to Conti.
This analysis was conducted by three companies: Tetra Defense, an incident response team that SecOps provider Arctic Wolf acquired in February; blockchain company Chainalysis; and threatens intelligence firm Northwave, another IR firm called in to work with clients affected by Karakurt’s scammers.
Both IR teams noted that the extortion gang was using the exact same Cobalt Strike backdoor that Conti had used to break into victims’ networks. “Such access can only be gained through some sort of surreptitious purchase, relationship, or access to Conti Group infrastructure,” the threat researchers explained.
Other indicators include a commonality of initial intrusion for Karakurt and Conti attacks (Fortinet SSL VPN), and overlapping tools used for exfiltration: “a unique adversary choice to create and leave behind a list of exfiltrated data files named file-tree.txt in the victim’s environment as well as repeated use of the same attacker’s hostname when remotely accessing victims’ networks.”
Security teams then brought in Chainalysis, which helped analyze cryptocurrency transactions made by Conti and Karakurt and, indeed, found a financial connection between the two. ®