Several U.S. federal agencies have issued a joint cybersecurity alert to warn organizations about a data extortion group named Karakurt.

According to the alert released by the Cybersecurity and Infrastructure Security Agency (CISA), Karakurt is focused on stealing data from companies since at least June 2021 and forcing them into paying ransoms under the threat of publishing the information online. In addition, the group has employed a variety of tactics, techniques and procedures (TTPs), creating several challenges for defense and mitigation. 

Victims have not reported encryption of compromised machines or files; rather, Karakurt actors have claimed to steal data and threatened to auction it off or release it to the public unless they receive payment of the demanded ransom. Known ransom demands have ranged from $25,000 to $13,000,000 in Bitcoin, with payment deadlines typically set to expire within a week of first contact with the victim.

The threat actors often provide screenshots or copies of stolen file directories as proof of stolen data. Karakurt actors have contacted victims’ employees, business partners, and clients with harassing emails and phone calls to pressure the victims to cooperate. The emails have contained examples of stolen data, such as social security numbers, payment accounts, private company emails, and sensitive business data belonging to employees or clients. Upon payment of ransoms, Karakurt actors have provided some form of proof of deletion of files and, occasionally, a brief statement explaining how the initial intrusion occurred.

Within just two months, between September and November 2021, more than 40 organizations have fallen victim to Karakurt hacking attempts. Senior Cyber Threat Intelligence Analysts at Digital Shadows Ivan Righi says Karakurt has primarily targeted smaller U.S.-based companies or corporate subsidiaries, although they have also attacked organizations in Canada, the U.K., and Germany.

It was recently discovered that the Karakurt hacking team likely has ties to the Conti ransomware gang, Righi says. “Conti has uploaded large volumes of stolen data to Karakurt’s web servers. Many cryptocurrency wallets used by Karakurt to receive victims’ payments were sending money to Conti wallets. It is realistically possible that Conti had formed a business relationship with Karakurt or that Karakurt was a side business of Conti.”

Scott Bledsoe, CEO at Theon Technology, says, “While reviewing Karakurt’s tactics, techniques, and procedures, it will also be extremely important to review current encryption policies and technologies deployed as well to ensure you haven’t left an open vulnerability to be exploited. Now is the time to take immediate, proactive steps.”

For mitigation strategies, please visit www.cisa.gov