US Agencies: Karakurt extortion group demanding up to $13 million in attacks
Image: Florian Krumm
Jonathan Greig June 1, 2022

US Agencies: Karakurt extortion group demanding up to $13 million in attacks

US Agencies: Karakurt extortion group demanding up to $13 million in attacks

The Karakurt data extortion group is holding victim data for ransoms of $25,000 to $13 million in Bitcoin, according to a new alert from the FBI, Cybersecurity and Infrastructure Security Agency (CISA), and the Treasury Department.

The U.S. agencies said Karakurt victims have not reported encryption of compromised machines or files, but instead the gang’s members threaten to auction off stolen data or release it to the public unless they receive a ransom. 

Victims are typically given a week to pay, according to the CISA alert. 

“Karakurt actors have typically provided screenshots or copies of stolen file directories as proof of stolen data. Karakurt actors have contacted victims’ employees, business partners, and clients with harassing emails and phone calls to pressure the victims to cooperate,” the alert explained. 

“The emails have contained examples of stolen data, such as social security numbers, payment accounts, private company emails, and sensitive business data belonging to employees or clients. Upon payment of ransoms, Karakurt actors have provided some form of proof of deletion of files and, occasionally, a brief statement explaining how the initial intrusion occurred.”

The gang operated a leak site but several security experts and CISA said the domain went offline at some point after January. CISA said the website was relocated “elsewhere in the deep web and on the dark web.”

“As of May 2022, the website contained several terabytes of data purported to belong to victims across North America and Europe, along with several ‘press releases’ naming victims who had not paid or cooperated, and instructions for participating in victim data ‘auctions,’” CISA added. 

The agencies noted that Karakurt does not target specific industries or companies, often choosing victims based on ease of access. 

The group typically gains access to systems by either purchasing stolen login credentials or purchasing access to victims who have been compromised by other cybercriminals. 

Ivan Righi, senior cyber threat intelligence analyst at Digital Shadows, said that since the release of the Karakurt Hacking Team data-leak site, the gang has named more than 80 organizations as attempted extortion victims.

“Karakurt has primarily targeted smaller US-based companies or corporate subsidiaries, although they have also attacked organizations in Canada, the UK, and Germany,” Righi said.

Emsisoft threat analyst Brett Callow and Righi said the group has been active since the middle of 2021 and is believed to be a spin-off of the Conti ransomware group. 

Several other security companies — including Infinitum IT and Advanced Intelligence — have released reports this year showing concrete ties between the infrastructure used by Conti and Karakurt. 

Following the release of troves of documents and chats related to Conti, security companies found numerous links between the two groups. 

Advanced Intelligence said Karakurt is a side business of the group behind Conti, allowing them to monetize the data stolen during attacks where organizations are able to block the ransomware encryption process. 

Blockchain analysis firm Chainalysis has also previously identified several cryptocurrency wallets controlled by Karakurt which sent funds to Conti. 

The U.S. agencies confirmed much of what was reported by these security companies, highlighting that Karakurt has attacked victims in the midst of ransomware incidents.

In several cases seen by CISA and the FBI, victims have gotten ransom notes from multiple ransomware variants simultaneously, “suggesting Karakurt actors purchased access to a compromised system that was also sold to another ransomware actor.”

In the alert on Wednesday, the U.S. agencies said Karakurt typically uses a range of tools to exfiltrate troves of data, including in some cases “entire network-connected shared drives in volumes exceeding 1 terabyte (TB)—using open source applications and File Transfer Protocol (FTP) services, such as Filezilla, and cloud storage services including rclone and Mega.nz.”

“Following the exfiltration of data, Karakurt actors present the victim with ransom notes by way of ‘readme.txt’ files, via emails sent to victim employees over the compromised email networks, and emails sent to victim employees from external email accounts,” the agencies explained. 

“The ransom notes reveal the victim has been hacked by the ‘Karakurt Team’ and threaten public release or auction of the stolen data. The instructions include a link to a TOR URL with an access code. Visiting the URL and inputting the access code open a chat application over which victims can negotiate with Karakurt actors to have their data deleted.”

Victims have told U.S. law enforcement that they have been on the receiving end of “extensive harassment campaigns” by members of the group involving dozens of calls and emails to employees, partners, and clients. They typically threaten to leak data related to their business ties and urge them to force victims to negotiate. 

In some cases, Karakurt will send them samples of the data that range from employment contracts to personal information, health records and business information. 

If victims decide to pay a ransom, the group typically sends a video or screenshot of them allegedly deleting the stolen data or access to storage servers that allow victims to delete the files themselves. 

But the U.S. agencies urged victims not to pay because of extensive evidence that Karakurt keeps the stolen information even if ransoms are paid. Many times, the group exaggerates how much data it has actually stolen or the worth of the data it did take, the agencies explained.

Jonathan has worked across the globe as a journalist since 2014. Before moving back to New York City, he worked for news outlets in South Africa, Jordan and Cambodia. He previously covered cybersecurity at ZDNet and TechRepublic.