The U.S. Government has issued an alert about a little-known data extortion group actively targeting businesses.
The alert from the Federal Bureau of Investigation, the Cybersecurity and Infrastructure Security Agency, the Department of the Treasury and the Financial Crimes Enforcement Network details a group known as Karakurt Team and Karakurt Lair. Karakurt uses a variety of tactics, techniques and procedures that are said to create significant challenges for defense and mitigation.
Typically with these sorts of groups, this would be a ransomware attack with files encrypted and data stolen, but Karakurt is different. The group does not encrypt machines or files but instead only steals data and threatens to auction or release the data if a ransom payment is not made.
Known ransom payments demanded by Karakurt range from $25,000 to $13 million in bitcoin. Payment deadlines are usually set to expire within a week of the first contact with the victim. Karakurt typically provides screenshots or copies of stolen file directories as proof of data theft.
The group takes an arguably sinister twist in that those behind the hacking group have contacted the victim’s employees, business partners and clients with harassing emails and phone calls to pressure the victim to cooperate. The emails sent to third parties contain examples of stolen data such as Social Security numbers, payment accounts, private emails and sensitive business data belonging to employees or clients.
When a ransom is paid, Karakurt actors have provided some proof of deletion of files and on occasion detailed how the initial intrusion occurred. The group’s intrusion vectors for stealing data range from purchasing stolen credentials and obtaining access to already compromised victims to exploiting known vulnerabilities.
“Karakurt is the new face of ransomware that takes advantage of poor encryption,” Scott Bledsoe, chief executive officer at data security company Theon Technology, told SiliconANGLE. “Typically ransomware did not care about the encryption used to protect the data because it did not decrypt the original data, it just took the existing encrypted data and made it unusable to the victim.”
“The problem is companies started doing proper backups and therefore stopped paying the ransom,” Bledsoe explains. “These ransomware entities now upped the game and would decrypt the data and threaten to publicly disclose it if the company did not pay the ransom.”
Karakurt may not be acting alone. Ivan Righi, senior cyber threat intelligence analyst at digital risk protection firm Digital Shadows Ltd., notes that Karakurt likely has some ties to the far better known Conti ransomware gang.
“Conti has uploaded large volumes of stolen data to Karakurt’s web servers,” Righi said. “Many cryptocurrency wallets used by Karakurt to receive victims’ payments were sending money to Conti wallets. It is realistically possible that Conti had formed a business relationship with Karakurt, or that Karakurt was a side business of Conti.”