New cybersecurity advisory warns of Karakurt data extortion hackers creating significant challenges for defense, mitigation

A joint cybersecurity advisory (CSA) has been issued that provides information on the Karakurt data extortion group, also known as the Karakurt Team and Karakurt Lair. The hackers have employed various tactics, techniques, and procedures (TTPs), creating significant challenges for defense and mitigation. The agencies also provided some recommended actions to mitigate the cyber threats.

“Karakurt victims have not reported encryption of compromised machines or files; rather, Karakurt actors have claimed to steal data and threatened to auction it off or release it to the public unless they receive payment of the demanded ransom,” the Federal Bureau of Investigation (FBI), the Cybersecurity and Infrastructure Security Agency (CISA), the Department of the Treasury (Treasury), and the Financial Crimes Enforcement Network (FinCEN) wrote in their advisory issued Wednesday. “Known ransom demands have ranged from $25,000 to $13,000,000 in Bitcoin, with payment deadlines typically set to expire within a week of first contact with the victim,” it added.

The advisory said that Karakurt hackers do not appear to target any specific sectors, industries, or types of victims. “During reconnaissance, Karakurt actors appear to obtain access to victim devices primarily by purchasing stolen login credentials, via cooperating partners in the cybercrime community, who provide Karakurt access to already compromised victims, or through buying access to already compromised victims via third-party intrusion broker networks,” it added.

Common vulnerabilities exploited for initial access in Karakurt events include outdated SonicWall SSL VPN appliances vulnerable to multiple recent CVEs and the Log4j ‘Log4Shell’ vulnerability in Apache Logging Services. The advisory also listed phishing and spearphishing, malicious macros within email attachments, and stolen virtual private network (VPN) or remote desktop protocol (RDP) credentials. It further covered outdated Fortinet FortiGate SSL VPN/firewall appliances vulnerable to multiple recent CVEs, and outdated and/or unserviceable Microsoft Windows Server instances.

The advisory said that upon developing or obtaining access to a compromised system, Karakurt hackers deploy Cobalt Strike beacons to enumerate a network, install Mimikatz to pull plain-text credentials, use AnyDesk to get a persistent remote control, and utilize additional situation-dependent tools to elevate privileges and move laterally within a network. “Karakurt actors then compress (typically with 7zip) and exfiltrate large sums of data—and, in many cases, entire network-connected shared drives in volumes exceeding 1 terabyte (TB)—using open source applications and File Transfer Protocol (FTP) services, such as Filezilla, and cloud storage services, including ‘rclone’ and ‘Mega.nz,’” it added.
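As an added defender-side illustration that is not part of the advisory or this article, the Python below scans constructed process-creation events for the compress-then-transfer sequence described above (an archiver staging data, followed on the same host by rclone or FileZilla) and separately for an AnyDesk install. The log format, the two-hour correlation window and the tool-name lists are assumptions.

```python
from datetime import datetime, timedelta

# Constructed process-creation events, not real telemetry:
# "timestamp|host|image path|command line".
EVENTS = [
    "2022-06-01T02:10:05|FILESRV01|C:\\Windows\\System32\\svchost.exe|svchost.exe -k netsvcs",
    "2022-06-01T02:14:31|FILESRV01|C:\\Tools\\7z.exe|7z.exe a -mx1 -v2g D:\\stage\\fin.7z \\\\FILESRV01\\Finance",
    "2022-06-01T02:51:12|FILESRV01|C:\\Tools\\rclone.exe|rclone.exe copy D:\\stage mega:drop --transfers 16",
    "2022-06-01T03:02:44|WKSTN07|C:\\Program Files\\7-Zip\\7z.exe|7z.exe x installer.7z",
    "2022-06-01T09:30:00|WKSTN07|C:\\Users\\j.doe\\Downloads\\AnyDesk.exe|AnyDesk.exe --install",
]

# Tool families named in the advisory, grouped by the stage they serve (assumed executable names).
ARCHIVERS = {"7z.exe", "7za.exe", "7zg.exe"}
TRANSFER_TOOLS = {"rclone.exe", "filezilla.exe"}
REMOTE_ACCESS = {"anydesk.exe"}
WINDOW = timedelta(hours=2)  # archive -> transfer gap that still counts as one chain (assumption)


def parse(line):
    ts, host, image, cmdline = line.split("|", 3)
    return {"ts": datetime.fromisoformat(ts), "host": host,
            "exe": image.rsplit("\\", 1)[-1].lower(), "cmdline": cmdline}


def detect(lines):
    """Return alerts: archive-then-transfer chains per host, plus remote-access tool installs."""
    alerts, last_archive = [], {}
    for ev in sorted((parse(l) for l in lines), key=lambda e: e["ts"]):
        exe, host = ev["exe"], ev["host"]
        # Only an archive 'add' (a) stages data; an extract (x) alone is not a staging signal.
        if exe in ARCHIVERS and ev["cmdline"].split()[1:2] == ["a"]:
            last_archive[host] = ev["ts"]
        elif exe in TRANSFER_TOOLS and host in last_archive \
                and ev["ts"] - last_archive[host] <= WINDOW:
            alerts.append({"host": host, "severity": "high",
                           "rule": "archive-then-transfer", "tool": exe})
        elif exe in REMOTE_ACCESS and "--install" in ev["cmdline"]:
            alerts.append({"host": host, "severity": "medium",
                           "rule": "remote-access-install", "tool": exe})
    return alerts


if __name__ == "__main__":
    for alert in detect(EVENTS):
        print(alert)
```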

Following the exfiltration of data, Karakurt hackers have been found to present the victim with ransom notes through ‘readme.txt’ files, via emails sent to victim employees over the compromised email networks, and via emails sent to victim employees from external email accounts. The ransom notes reveal the victim has been hacked by the Karakurt Team and threaten public release or auction of the stolen data. The instructions include a link to a TOR URL with an access code. Visiting the URL and entering the access code opens a chat application over which victims can negotiate with Karakurt hackers to have their data deleted.

The advisory said that Karakurt victims had reported extensive harassment campaigns by Karakurt hackers, wherein employees, business partners, and clients receive numerous emails and phone calls urging the recipients to pressure the victim into negotiating with the hackers to prevent the dissemination of victim data. These communications often included samples of stolen data—primarily personally identifiable information (PII), such as employment records, health records, and financial business records.

Moreover, victims who negotiate with Karakurt hackers receive a ‘proof of life,’ such as screenshots showing file trees of allegedly stolen data or, in some cases, actual copies of stolen files. Upon reaching an agreement with the victim on the price of the stolen data, Karakurt hackers provide a Bitcoin address, usually a new, previously unused address, to which the ransom payment is to be made.

Upon receiving the ransom, Karakurt hackers provide alleged proof of deletion of the stolen files, such as a screen recording of the files being deleted, a deletion log, or credentials for a victim to log into a storage server and delete the files themselves. Although Karakurt’s primary extortion leverage is a promise to delete stolen data and keep the incident confidential, some victims reported Karakurt hackers did not maintain the confidentiality of victim information after a ransom was paid. 

The advisory said that in some cases, Karakurt hackers have conducted extortion against victims previously attacked by other ransomware variants. In such cases, Karakurt hackers likely purchased or otherwise obtained previously stolen data. Karakurt hackers have also targeted victims at the same time these victims were under attack by other ransomware hackers. Victims have also received ransom notes from multiple ransomware variants simultaneously, suggesting Karakurt hackers purchased access to a compromised system that was also sold to another ransomware hacker. 

Karakurt hackers have also exaggerated the degree to which a victim had been compromised and the value of data stolen, the advisory said. For example, in some instances, Karakurt hackers claimed to steal volumes of data far beyond the storage capacity of compromised systems or claimed to steal data that did not belong to the victim, it added.

The advisory called for immediate actions to mitigate cyber threats from the Karakurt data extortion group. These include prioritizing patching of known exploited vulnerabilities, training users to recognize and report phishing attempts, and enforcing multi-factor authentication. 

The latest advisory comes as, for over two months, operators of the Conti ransomware group had been silently creating subdivisions that began operations before the start of the shutdown process, AdvIntel researchers Yelisey Boguslavskiy and Vitali Kremez wrote in their May report. “These subgroups either utilized existing Conti alter egos and locker malware, or took the opportunity to create new ones,” they added.

The decision was convenient for Conti, as they already had a couple of subsidiaries operating under different names: Karakurt, BlackByte, BlackBasta, the researchers said. “The rebranded version of Conti—the monster splitting into pieces still very much alive—ensured that whatever form Conti’s ex-affiliates chose to take, they would emerge into the public eye before news of Conti’s obsolescence could spread, controlling the narrative around the dissolution as well as significantly complicating any future threat attributions,” they added.

Separately, Costa Rica’s national health service was hacked early Tuesday morning by a Russian ransomware group known as Hive.

“The intrusion comes just weeks after Costa Rican President Rodrigo Chaves declared a state of emergency in response to a data ransom attack from a different Russian ransomware gang — Conti,” Brian Krebs, investigative reporter, wrote in a blog post on Tuesday. “Ransomware experts say there is good reason to believe the same cybercriminals are behind both attacks, and that Hive has been helping Conti rebrand and evade international sanctions targeting extortion payouts to cybercriminals operating in Russia,” he added.

Recently, CISA released its Risk and Vulnerability Assessments (RVAs) conducted in Fiscal Year 2021. The analysis and infographic detail the findings from the 112 assessments carried out across the federal civilian executive branch (FCEB), critical infrastructure, and state, local, tribal, and territorial (SLTT) stakeholders. Both the analysis and the infographic map hacker behavior to the MITRE ATT&CK framework.
