In late February, a Ukrainian researcher with longtime access to Conti’s internal chats and files began leaking them online, exposing in intricate detail the ways in which one of the most prolific cybercrime syndicates operated.
In the weeks since, voluminous reporting has picked the files apart, even as the group, mostly known for its prolific ransomware attacks on targets around the world, chugged along, offering an unprecedented view into the sprawling and sophisticated operation behind it. Research out Friday suggests an even bigger and more complex network associated with the group.
The research suggests strong connections between Conti — and an associated ransomware strain known as Diavol, which is part of the highly lucrative TrickBot malware family — and Karakurt, a cyber extortion group that has attacked dozens of targets around the world since first emerging in August 2021.
According to joint research from Tetra Defense, an Arctic Wolf company, Chainalysis and Northwave, Karakurt may represent an effort at business-model diversification for Conti, or at the very least is condoned by and connected financially and otherwise to the group. The findings reveal that the web of sophisticated operations of Conti and TrickBot is “wider than originally thought, to include additional exfiltration-only operations,” the researchers wrote.
Karakurt — which takes its name from a venomous widow spider native to the Mediterranean, eastern Europe and central Asia — is known for extorting targets by stealing and threatening to release data without any attempt to encrypt the data. According to Tetra Defense, the group has roughly 75 victims spread across at least eight countries in industries such as manufacturing, construction and business services.
A Tetra Defense analysis of multiple Karakurt attacks, along with an analysis of internal dynamics at Conti made possible by the Conti leaks, pointed to definitive links between the groups.
In 2021 a Tetra Defense client told the firm that it had been hit with a second instance of ransomware extortion; they’d previously been a victim of Conti and paid the demand “only to later discover another extortion attempt from an unknown group.” Subsequent investigation found that the group used the same Cobalt Strike backdoor Conti employs, which would only be possible “through some sort of purchase, relationship, or surreptitiously gaining access to Conti group infrastructure,” the researchers note.
The observed activity was taking place against the backdrop of disgruntled Conti affiliates “angry over low pay and leaking sensitive information such as Conti’s playbooks and training materials,” the researchers note, pointing to the possibility that what was to become Karakurt was the work of disgruntled Conti employees or, alternatively, “the trial run of a strategic diversification authorized by the main group.”
More examples of the extortion began to emerge over the next few months, and Tetra Defense built a dataset to analyze the patterns. Overlaps between the Karakurt activity and past Conti-related re-extortion episodes became clear, including the use of the same data exfiltration tools, a file left behind by the attackers listing all the stolen data titled “file-tree.txt,” and the repeated use of the same attacker hostname when remotely accessing victims’ networks.
Additional connections emerged when a Karakurt victim came forward that had previously been attacked with Ryuk ransomware, Conti’s predecessor.
Additionally, multiple cryptocurrency wallets linked to Karakurt were observed sending substantial sums of cryptocurrency to Conti wallets, according to research by Chainalysis, a blockchain and cryptocurrency research firm, which had joined with Tetra Defense to investigate. Further research by Chainalysis showed Karakurt victim payment addresses that are hosted by cryptocurrency wallets that also house Conti victim payment addresses.
“Shared wallet hosting leaves virtually no doubt that Conti and Karakurt are deployed by the same individual or group,” the researchers wrote in Friday’s report.
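The attribution method described above, building a dataset of incidents and looking for overlaps in exfiltration tooling, leftover artifacts such as “file-tree.txt,” attacker hostnames, backdoor infrastructure and shared wallet hosting, can be reproduced as a small clustering exercise. The following Python is an added example written for this article, not code from Tetra Defense, Chainalysis or Northwave; every incident record, tool name, hostname and wallet identifier in it is a constructed placeholder, and the indicator weights and the threshold are assumptions chosen to reflect the researchers' point that shared wallet hosting is far stronger evidence than a shared commodity tool.

```python
from collections import defaultdict
from itertools import combinations

# Assumed weights: how much a shared indicator of each kind counts toward linking
# two incidents. Shared custodial wallet hosting is treated as near-conclusive,
# a shared exfiltration tool or artifact filename as weak circumstantial evidence.
INDICATOR_WEIGHTS = {
    "wallet_host": 3,    # same wallet service hosting both victim payment addresses
    "attacker_host": 2,  # same attacker hostname seen on remote access
    "backdoor": 2,       # same backdoor configuration/infrastructure
    "exfil_tools": 1,    # overlapping data exfiltration tooling (set)
    "artifacts": 1,      # overlapping files left behind, e.g. file-tree.txt (set)
}

# Constructed sample incidents. None of these values are real indicators.
INCIDENTS = [
    {"id": "INC-1", "claimed_by": "Conti", "exfil_tools": {"EXFIL-TOOL-A"},
     "artifacts": {"file-tree.txt"}, "attacker_host": "HOST-A",
     "backdoor": "BACKDOOR-CFG-A", "wallet_host": "WALLET-X"},
    {"id": "INC-2", "claimed_by": "Karakurt", "exfil_tools": {"EXFIL-TOOL-A"},
     "artifacts": {"file-tree.txt"}, "attacker_host": "HOST-A",
     "backdoor": "BACKDOOR-CFG-A", "wallet_host": "WALLET-Y"},
    {"id": "INC-3", "claimed_by": "Karakurt", "exfil_tools": set(),
     "artifacts": set(), "attacker_host": "HOST-B",
     "backdoor": None, "wallet_host": "WALLET-X"},
    # An unrelated actor that happens to use the same commodity tool.
    {"id": "INC-4", "claimed_by": "Unrelated", "exfil_tools": {"EXFIL-TOOL-A"},
     "artifacts": set(), "attacker_host": "HOST-C",
     "backdoor": "BACKDOOR-CFG-Z", "wallet_host": "WALLET-Z"},
]


def shared_indicators(a, b):
    """Return {field: set of shared values} for every indicator a and b have in common."""
    shared = {}
    for field in INDICATOR_WEIGHTS:
        va, vb = a.get(field), b.get(field)
        if va is None or vb is None:
            continue
        if isinstance(va, set):
            common = va & vb
            if common:
                shared[field] = common
        elif va == vb:
            shared[field] = {va}
    return shared


def link_score(shared):
    """Sum the weights of the indicator kinds two incidents share."""
    return sum(INDICATOR_WEIGHTS[field] for field in shared)


def cluster_incidents(incidents, threshold=2):
    """Union-find over incidents: any pair scoring >= threshold joins one cluster.

    Returns (clusters, evidence): clusters is a list of frozensets of incident ids,
    evidence is a list of (id_a, id_b, score, shared) for every pair that linked.
    """
    parent = {inc["id"]: inc["id"] for inc in incidents}

    def find(x):
        while parent[x] != x:
            parent[x] = parent[parent[x]]  # path halving
            x = parent[x]
        return x

    evidence = []
    for a, b in combinations(incidents, 2):
        shared = shared_indicators(a, b)
        score = link_score(shared)
        if score >= threshold:
            evidence.append((a["id"], b["id"], score, shared))
            parent[find(a["id"])] = find(b["id"])

    groups = defaultdict(set)
    for inc in incidents:
        groups[find(inc["id"])].add(inc["id"])
    clusters = sorted((frozenset(g) for g in groups.values()), key=min)
    return clusters, evidence


if __name__ == "__main__":
    clusters, evidence = cluster_incidents(INCIDENTS)
    for c in clusters:
        print("cluster:", sorted(c))
    for id_a, id_b, score, shared in evidence:
        print(f"{id_a} <-> {id_b} score={score} via {shared}")
```

With these constructed records, INC-1 (claimed by Conti) links to INC-2 (claimed by Karakurt) through the shared tool, artifact, hostname and backdoor, and to INC-3 through shared wallet hosting alone, so all three land in one cluster; INC-4 shares only a commodity tool and stays separate, which is the behaviour a defender wants so that a widely used tool does not by itself merge unrelated actors.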
Another connection emerged when Northwave, a Dutch cybersecurity incident response firm, worked a case where Conti and Karakurt were in a victim’s network simultaneously. A representative for Karakurt made it clear during extortion negotiations that the group was aware of Conti being in the network. After a quick back-and-forth, Conti took over the negotiations.
“The speed with which Conti and Karakurt were able to work out the double-tap is certainly telling,” the researchers note.
The researchers found similar links between Karakurt, Conti and Diavol in the form of overlapping tooling, shared attack infrastructure and associated cryptocurrency wallets.
The findings suggest a clear link between the seemingly disparate cybercrime groups, but the motivations and implications are not yet clear.
“Amid unprecedented law enforcement action on ransomware in 2021 when Karakurt emerged, Conti managers may have perceived that launching a strain that does not encrypt can bypass scrutiny incurred by ‘ransomware’ while still achieving financial objectives,” the researchers wrote.
That said, the researchers add, the “strategy may backfire” given that Conti’s pledge to victims is that once a ransom is paid they will be safe from additional attacks. The researchers claim to have seen “on numerous occasions” where Karakurt does not delete victim data after payment and keeps a copy.
“If victims and their incident response firms know Conti may have re-extorted prior victims using Karakurt and that data won’t actually be deleted, there’s much less incentive to pay. Don’t get caught in the web,” they said.
After the research went live Friday, a message appeared on Conti’s dark web leak site saying the group was aware of “a public leak of our target negotiation chats.” The message said they’d “previously warned that any leaks of our negotiation chats will lead to direct symmetric retaliation,” and told an unnamed company to “start checking our blog … ALL your files will be there shortly.”
Updated, 4/15/22: To include reaction to the research posted on Conti’s site.