
FBI, CISA: Don’t get caught in Karakurt’s extortion web

The Feds have warned organizations about a lesser-known extortion gang Karakurt, which demands ransoms as high as $13 million and, some cybersecurity folks say, may be linked to the notorious Conti crew.

In a joint advisory [PDF] this week, the FBI, CISA and US Treasury Department outlined technical details about how Karakurt operates, along with actions to take, indicators of compromise, and sample ransom notes.

The recommended steps to take to defend against the crew are: patch known vulnerabilities as a priority, train users to spot and report phishing attempts, and require multi-factor authentication to thwart the use of (say) stolen or guessed passwords.

Karakurt doesn’t target any specific sectors or industries, and the gang’s victims haven’t had any of their documents encrypted and held to ransom.

Instead, the crooks claim to have stolen data, with screenshots or copies of exfiltrated files as proof, and they threaten to sell it or leak it publicly if they don’t receive a payment. The US agencies say these demands range from $25,000 to $13 million in Bitcoin, and Karakurt typically sets a one-week deadline to pay up. 

The group used to operate a leak and auction website for exposing and selling victims’ data, but that domain and IP address went offline earlier this spring. However, a dark-web site with several terabytes of supposed victims’ data, along with press releases naming organizations that had not paid and instructions for buying victims’ data, resurfaced in May.

In addition to demanding payment, Karakurt, which is named after a type of black widow spider, likes to bully its victims by harassing their employees, business partners, and customers with emails and phone calls that aim to pressure the company into paying the ransom. 

The miscreants usually break into networks by purchasing stolen login credentials; by using third-party initial access brokers, which sell access to compromised systems; or by abusing security weaknesses in infrastructure.

Some of the vulnerabilities that the crooks exploit for initial access, according to the FBI and friends, include Log4Shell, multiple bugs in outdated SonicWall and Fortinet Fortigate VPN appliances, outdated Microsoft Windows Server instances, and then the usual email tricks such as phishing and malicious attachments.

Once they’ve obtained access to a system, Karakurt then deploys tools such as Cobalt Strike, Mimikatz, and AnyDesk to establish backdoors, pull credentials, elevate privileges, and move laterally within networks.

The Feds also noted Karakurt sometimes extorts victims of previous ransomware infections or even targets organizations already under attack by another crime group. “In such cases, Karakurt actors likely purchased or otherwise obtained previously stolen data,” the agencies surmise about the former. 

And regarding the under-attack-by-multiple-gangs scenario: the US government suggested “Karakurt actors purchased access to a compromised system that was also sold to another ransomware actor.”

Linked to Conti?

However, some private-sector security researchers have a different theory. In research published in April, they reported a “high degree of confidence that the Karakurt extortion group is operationally linked” to Conti. 

This analysis was conducted by three firms: Tetra Defense, an incident response team that SecOps provider Arctic Wolf acquired in February; blockchain firm Chainalysis; and threat intel company Northwave, another IR firm called in to work with customers hit by the Karakurt crooks.

Both IR teams noted that the extortion gang used the exact same Cobalt Strike backdoor that Conti had used to drill into the victims’ networks. “Such access could only be obtained through some sort of purchase, relationship, or surreptitiously gaining access to Conti group infrastructure,” the threat researchers explained.

Other indicators include a common point of initial intrusion for Karakurt and Conti attacks (Fortinet SSL VPNs), and overlapping tools used for exfiltration: “a unique adversary choice to create and leave behind a file listing of exfiltrated data named file-tree.txt in the victim’s environment as well as the repeated use of the same attacker hostname when remotely accessing victims’ networks.”
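A defender-side sweep for the file-tree.txt artifact the researchers describe, as an added example that is not from the advisory or the research. The article does not say what the file contains, so the path-separator heuristic, its thresholds, and the sample tree are assumptions constructed for illustration.

```python
import os, tempfile, time
from pathlib import Path

ARTIFACT_NAME = "file-tree.txt"  # file name quoted by the researchers

def looks_like_listing(path, sample_lines=200, threshold=0.8):
    """Assumed heuristic: most non-empty lines contain a path separator."""
    try:
        with open(path, "r", errors="replace") as fh:
            lines = [ln.strip() for _, ln in zip(range(sample_lines), fh)]
    except OSError:
        return False
    lines = [ln for ln in lines if ln]
    pathish = sum(1 for ln in lines if "/" in ln or "\\" in ln)
    return bool(lines) and pathish / len(lines) >= threshold

def hunt(root):
    """Return one record per file under root named ARTIFACT_NAME (any case)."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if name.lower() != ARTIFACT_NAME:
                continue
            full = os.path.join(dirpath, name)
            try:
                st = os.stat(full)
            except OSError:
                continue  # vanished or unreadable; skip rather than abort the sweep
            hits.append({
                "path": full,
                "size": st.st_size,
                "modified_utc": time.strftime("%Y-%m-%dT%H:%M:%SZ", time.gmtime(st.st_mtime)),
                "looks_like_listing": looks_like_listing(full),
            })
    return sorted(hits, key=lambda h: h["path"])

def demo():
    """Hunt a constructed sample tree: one staged listing, one harmless namesake."""
    with tempfile.TemporaryDirectory() as root:
        staged, notes = Path(root, "Users", "Public"), Path(root, "projects", "docs")
        staged.mkdir(parents=True)
        notes.mkdir(parents=True)
        (staged / "File-Tree.TXT").write_text("D:\\finance\\q1.xlsx\nD:\\hr\\staff.csv\n")
        (notes / "file-tree.txt").write_text("Notes on the repo layout.\nNothing else here.\n")
        return {Path(h["path"]).relative_to(root).as_posix(): h["looks_like_listing"]
                for h in hunt(root)}

if __name__ == "__main__":
    print(demo())
```

A name match alone is weak evidence, so each hit carries its modification time and the listing flag for triage against the incident timeline.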

The security teams then called in Chainalysis, which helped analyze cryptocurrency transactions carried out by Conti and Karakurt and did, indeed, find a financial connection between the two. ®