A trio of U.S. government agencies on Wednesday issued an advisory with technical details related to the Karakurt data extortion gang, warning that the group has “employed a variety of tactics, techniques, and procedures (TTPs), creating significant challenges for defense and mitigation.”
Karakurt — also known as the Karakurt Team or Karakurt Lair — doesn’t destroy or encrypt victim files. Instead, the group steals data and threatens to publish it, with known ransom demands ranging between $25,000 and $13 million in bitcoin, according to the notice published jointly by the FBI, the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA), the Treasury Department and the Treasury Department-run Financial Crimes Enforcement Network.
Wednesday’s notice does not reference Conti, but notes that Karakurt has extorted victims previously attacked with other ransomware variants, or at the same time the victims were under attack by other actors.
Conti has made international headlines of late after attacking more than two dozen Costa Rican government agencies beginning April 17. Costa Rican President Rodrigo Chaves declared a national emergency May 8 as a result of the attacks, and the U.S. State Department announced a $10 million reward for information leading to the identification and/or location of anybody holding a “key leadership position” within Conti.
Conti, among the most prolific and visible ransomware variants dating back to its first detection in December 2019, is in the process of shutting down, according to cybersecurity firm AdvIntel. The group’s public support of the Russian invasion of Ukraine made it difficult for the group to collect ransom payments as it had before.
While the group’s public data leak site remains operational, its back-end infrastructure was dismantled as of May 19, and its main operators and affiliates have split into various groups, including Karakurt.
Brett Callow, a threat analyst at cybersecurity firm Emsisoft, told CyberScoop Thursday that Karakurt’s leak site has been offline for several weeks, and he’s not aware of any recent Karakurt activity. Wednesday’s notice said the group maintains a website with “several terabytes” of purported victim data belonging to victims across North America and Europe, along with “press releases” naming victims who hadn’t paid.
The notice includes a dark web address that links to what appears to be Karakurt’s live “chat” website.
Callow said “it’s not clear whether CISA’s alert was due to concern that the Karakurt operation may be ramped up as the Conti operation is wound down.”
It wouldn’t be surprising to see an uptick in Karakurt activity, he added: “The Conti brand appears to be dead, and the actors behind it will be looking to spin up other operations. In fact, that’s almost certainly been in progress for some time.”
A CISA spokesperson told CyberScoop that “Karakurt continues to be an active threat actor attributed to tens of millions of dollars in losses across four continents,” and that a “significant number of US victims continue to report intrusions attributed to Karakurt.” The advisory’s information and security recommendations “will not only help to prevent and mitigate Karakurt extortion events, but also protect against a broad range of malicious cyber activity.”
Updated, 6/3/22: To include CISA’s statement on the timing of the advisory.