Karakurt Data Extortion Group – A New Approach to Ransomware

You may be growing tired of hearing the word “ransomware” by now, but this critical threat is unfortunately only continuing to grow at an exponential speed. The Verizon Business 2022 Data Breach Investigations Report (2022 DBIR) notes that ransomware breaches increased by thirteen percent in a single year - representing a jump greater than the past five years combined. That statistic is comprised of organizations both small and large, with recent attacks affecting familiar names including Nvidia, Toyota, Bridgestone, and so on. Government bodies have also been targeted in 2022, with successful ransomware attacks affecting Bernalillo County, Costa Rica, the City of Alexandria, etc. These attacks not only cripple the effected organization’s ability to operate, but they also carry a steep financial toll and lasting damage to brand reputation. Clients could be lost, stock prices could decline, and in the end, there is no guarantee that you can ever stop the stolen data from eventually being released somewhere on the dark web. Some of the most successful ransomware groups this year include LockBit, Conti, and BlackCat. Nevertheless, the Karakurt Data Extortion Group has made headlines recently for their unique approach to acquiring payment from victims.

The Karakurt Data Extortion Group, also known as Karakurt Team and Karakurt Lair, is a hacker group threatening companies to publicly disclose internal stolen data unless they receive payment of a ransom. These payments have ranged from $25,000 to $13,000,000 in Bitcoin, with payment deadlines typically set to expire within a week of first contact with the victim. According to AdvIntel, the Karakurt Team is a subgroup of Conti group. On the surface, this strategy sounds identical to those of other ransomware groups. However, victims of Karakurt have not reported encryption of compromised machines or files. Instead, Karakurt claims to steal data and threatens to auction it off or release it to the public unless they receive payment of the demanded ransom. Karakurt typically provides screenshots or copies of stolen file directories as proof of stolen data. The group will even go as far as to contact and harass a victim’s employees, business partners, and clients to try to persuade the victim into paying the ransom. In early June, the United States Cybersecurity and Infrastructure Security Agency (CISA) released an alert with the following verbiage:

Karakurt actors have contacted victims’ employees, business partners, and clients with harassing emails and phone calls to pressure the victims to cooperate. The emails have contained examples of stolen data, such as social security numbers, payment accounts, private company emails, and sensitive business data belonging to employees or clients. Upon payment of ransoms, Karakurt actors have provided some form of proof of deletion of files and, occasionally, a brief statement explaining how the initial intrusion occurred… Prior to January 5, 2022, Karakurt operated a leaks and auction website found at https://karakurt[.]group. The domain and IP address originally hosting the website went offline in the spring 2022. The website is no longer accessible on the open internet, but has been reported to be located elsewhere in the deep web and on the dark web. As of May 2022, the website contained several terabytes of data purported to belong to victims across North America and Europe, along with several “press releases” naming victims who had not paid or cooperated, and instructions for participating in victim data “auctions.”… Karakurt does not appear to target any specific sectors, industries, or types of victims.

The alert goes on to state that Karakurt appears to obtain access to victim devices primarily via purchasing stolen login credentials, cooperating with partners in the cybercrime community who provide Karakurt access to already compromised victims, and through buying access to already compromised victims via third-party intrusion broker networks. As we have seen so far this year, threat actors will continue to innovate and develop creative new methods of extracting data and money from their victims. Mitigating this threat is not a point in time action, but rather a continuous and holistic approach that includes the following recommended best practices:

• Implement a recovery plan to maintain and retain multiple copies of sensitive or proprietary data and servers in a physically separate, segmented, and secure location (i.e., hard drive, storage device, the cloud)
• Implement network segmentation and maintain offline backups of data to ensure limited interruption to the organization
• Regularly back up data and password protect backup copies offline; ensure copies of critical data are not accessible for modification or deletion from the system where the data resides
• Install and regularly update antivirus software on all hosts and enable real time detection
• Install updates/patch operating systems, software, and firmware as soon as updates/patches are released
• Review domain controllers, servers, workstations, and active directories for new or unrecognized accounts
• Audit user accounts with administrative privileges and configure access controls with least privilege in mind; do not give all users administrative privileges
• Disable unused ports
• Consider adding an email banner to emails received from outside your organization
• Disable hyperlinks in received emails
• Enforce multi-factor authentication
• Use the National Institute for Standards and Technology (NIST) standards for developing and managing password policies
• Only use secure networks and avoid using public Wi-Fi networks
• Focus on cyber security awareness and training; regularly provide users with training on information security principles and techniques as well as overall emerging cybersecurity risks and vulnerabilities (i.e., ransomware and phishing scams)

For the past decade, Compass IT Compliance has worked closely with clients and partners to implement the steps listed above and foster a culture of cybersecurity awareness to mitigate the threat of ransomware. We leverage our extensive experience working with private and public organizations across all industries to customize a risk management strategy that is appropriate for the customer’s regulatory environment. Contact us today to chat with one of our cybersecurity experts and discuss your unique situation!