September 30, 2023

CISA warns organizations about a data extortion group named Karakurt, which has focused on stealing data from companies since at least June 2021 and forcing them into paying ransoms under the threat of publishing the information online. The group has employed a variety of TTPs, creating several challenges for defense and mitigation.


Karakurt actors have claimed to steal data and threatened to auction it off or release it to the public unless they receive payment of the demanded ransom. The threat actors often provide screenshots or copies of stolen file directories as proof of stolen data.

Karakurt actors have contacted victims using emails that contain examples of stolen data, such as social security numbers, payment accounts, private company emails, and sensitive business data belonging to employees or clients. Upon payment of ransoms, Karakurt actors have provided some form of proof of deletion of files.

Between September and November 2021, more than 40 organizations fell victim to Karakurt hacking attempts. It was recently discovered that the Karakurt hacking team likely has ties to the Conti ransomware gang.

Many cryptocurrency wallets used by Karakurt to receive victims’ payments were sending money to Conti wallets. It is realistically possible that Conti had formed a business relationship with Karakurt or that Karakurt was a side business of Conti.


It's important to review your current encryption policies and deployed technologies as well, to ensure you haven’t left an open vulnerability to be exploited. Now is the time to take immediate, proactive steps.
