Karakurt, a particularly nasty extortion gang that uses “extensive harassment” to pressure victims into handing over millions of dollars in ransom payments after compromising their IT infrastructure, poses a “significant challenge” for network defenders, we’re told.
This is largely because the criminals use such a wide variety of tactics, techniques, and procedures. So to help organizations avoid getting caught by this crew, the FBI, the US government’s Cybersecurity and Infrastructure Security Agency (CISA), the Treasury Department, and the Financial Crimes Enforcement Network released an extensive list of the vulnerabilities and methods the gang exploits and uses for initial access, the software tools it abuses to snoop around and steal data, and the payment wallets and even email addresses used in the group’s extortion attacks.
Karakurt doesn’t encrypt victims’ assets after breaking into their IT environments nor target particular sectors. Instead, “Karakurt actors have claimed to steal data and threatened to auction it off or release it to the public unless they receive payment of the demanded ransom,” according to the FBI, CISA, and friends.
Those demands range from $25,000 to $13 million, paid in Bitcoin, and the payment deadlines are usually set for a week after first contact, we’re told.
The crew gains initial access by either purchasing stolen credentials, dealing with initial-access brokers who sell unauthorized access to corporate networks, or exploiting known vulnerabilities, according to the Feds.
“Some Karakurt victims have reported that initial intrusion may have occurred thanks to compromised Cisco AnyConnect VPN user accounts,” the security bulletin warns. “Many of these victims reported multi-factor authentication was not enforced for their Cisco AnyConnect VPN platforms.”
In addition to the buggy Cisco VPNs, the crew also targets outdated Fortinet FortiGate VPN and firewall appliances, compromised SonicWall VPN appliances, and unserviceable Microsoft Windows Server instances, all of which are vulnerable to multiple recent CVEs.
And yes, Karakurt is among the many cyber villains that are still abusing Log4Shell.
Once Karakurt breaks in, it deploys Cobalt Strike beacons for further malicious activities, installs Mimikatz to steal plain-text credentials, and uses AnyDesk to maintain remote access and control. With those tools in place, the crew gets to work exfiltrating massive amounts of sensitive data.
Karakurt frequently compresses files with 7-Zip and uses open source file transfer apps such as FileZilla. In many cases the gang steals “entire network-connected shared drives in volumes exceeding 1 terabyte,” Uncle Sam says.
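As an added illustration (not code from the advisory or this article), the script below correlates the tooling chain just described, archive staging with 7-Zip, AnyDesk installation and bulk outbound transfer via FileZilla, across constructed endpoint telemetry; the JSON event format, hostnames, addresses and the 500 GiB threshold are assumptions:

```python
"""Flag hosts showing the Karakurt-style staging/exfiltration chain.
Input is constructed, one JSON event per line (hypothetical schema)."""
import json
from collections import defaultdict

# Constructed sample telemetry; paths and IPs are not real indicators.
SAMPLE_LOG = r"""
{"host":"FS01","type":"process","image":"C:\\Program Files\\7-Zip\\7z.exe","cmd":"7z a -v1g D:\\stage\\share.7z \\\\FS01\\Finance"}
{"host":"FS01","type":"process","image":"C:\\Users\\svc\\AppData\\Local\\AnyDesk\\AnyDesk.exe","cmd":"AnyDesk.exe --install"}
{"host":"FS01","type":"network","image":"C:\\Program Files\\FileZilla FTP Client\\filezilla.exe","dst":"203.0.113.10","bytes_out":1300000000000}
{"host":"WS22","type":"process","image":"C:\\Program Files\\7-Zip\\7z.exe","cmd":"7z x report.7z"}
{"host":"WS22","type":"network","image":"C:\\Program Files\\FileZilla FTP Client\\filezilla.exe","dst":"198.51.100.5","bytes_out":40000000}
"""

STAGING_TOOLS = ("7z.exe",)          # 7-Zip command-line binary
TRANSFER_TOOLS = ("filezilla.exe",)  # open source FTP client named in the advisory
REMOTE_ACCESS = ("anydesk.exe",)     # only meaningful where AnyDesk is not sanctioned
EXFIL_BYTES = 500 * 1024 ** 3        # 500 GiB; advisory cites thefts above 1 TB


def basename(path):
    """Lower-case file name from a Windows or POSIX path."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def analyse(log_text):
    """Return {host: [reasons]} for hosts matching the chain."""
    state = defaultdict(lambda: {"staging": False, "remote": False, "bytes": 0})
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ev = json.loads(line)
        h, name = state[ev["host"]], basename(ev["image"])
        if ev["type"] == "process":
            args = ev["cmd"].split()
            # '7z a ...' adds files to an archive; 'x' (extract) is benign here
            if name in STAGING_TOOLS and len(args) > 1 and args[1] == "a":
                h["staging"] = True
            elif name in REMOTE_ACCESS:
                h["remote"] = True
        elif ev["type"] == "network" and name in TRANSFER_TOOLS:
            h["bytes"] += ev["bytes_out"]
    findings = {}
    for host, s in state.items():
        reasons = []
        if s["staging"] and s["bytes"] >= EXFIL_BYTES:
            reasons.append("archive staging followed by bulk outbound FTP transfer")
        if s["remote"]:
            reasons.append("AnyDesk remote-access tool observed")
        if reasons:
            findings[host] = reasons
    return findings
```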
The gang then repeatedly calls and emails the victim company’s employees, business partners and customers to build pressure to pay the ransom — and issues threats that stolen information, including employment, health and financial records will be published unless the monetary demands are met.
“Although Karakurt’s primary extortion leverage is a promise to delete stolen data and keep the incident confidential, some victims reported Karakurt actors did not maintain the confidentiality of victim information after a ransom was paid,” the US government warned, noting that it “strongly” discourages payment to any cyber criminals promising to delete stolen files in exchange for payment.
The Feds also published multiple pages of indicators of compromise including tools and payment wallets used by the gang, ransom note sample text, and Cobalt Strike hashes. Uncle Sam also shared a list of email addresses associated with Karakurt activity.
This week’s Karakurt security advisory follows an earlier version issued in June 2022, published shortly after the extortion group appeared on the cybercrime scene. ®