U.S. cybersecurity officials issue notice on Karakurt extortion group
Written by AJ Vicens
A trio of U.S. government agencies issued a warning on Wednesday with technical details on the Karakurt data extortion group, noting that the group has employed a variety of tactics, techniques and procedures (TTPs), "creating important challenges for defense and mitigation."
Karakurt, also known as the Karakurt Team or Karakurt Lair, does not destroy or encrypt victims' files. Instead, the group steals data and threatens to release it, with known ransom demands ranging from $25,000 to $13 million in bitcoin, according to a joint release by the FBI, the Department of Homeland Security's Cybersecurity and Infrastructure Security Agency (CISA), the Treasury Department and the Treasury-run Financial Crimes Enforcement Network.
Karakurt is part of the Conti ransomware group, several independent cybersecurity researchers reported in April.
Wednesday’s warning does not refer to Conti, but notes that Karakurt has extorted victims previously attacked with other variants of ransomware, or at the same time that the victims were under attack from other actors.
Conti has appeared in international headlines recently after attacking more than two dozen Costa Rican government agencies as of April 17. Costa Rican President Rodrigo Chaves declared a national emergency on May 8 as a result of the attacks, and the U.S. Department of State announced a $10 million reward for information leading to the identification and/or location of any person holding a "key leadership position" within Conti.
Conti, one of the most prolific and visible ransomware variants since its first detection in December 2019, is in the process of shutting down, according to cybersecurity firm AdvIntel. The group's public support for the Russian invasion of Ukraine made it difficult for the group to collect ransom payments as it had done before.
Although the group's public data leak site is still operational, its underlying infrastructure was dismantled on May 19 and its main operators and affiliates have split into several groups, including Karakurt.
Brett Callow, a threat analyst at cybersecurity firm Emsisoft, told CyberScoop on Thursday that the Karakurt leak site had been offline for several weeks and that he knew of no recent Karakurt activity. Wednesday's notice said the group maintains a website with "several terabytes" of alleged victim data belonging to victims in North America and Europe, along with "press releases" calling out victims who had not paid.
The alert includes a dark web address that links to what appears to be Karakurt’s live “chat” website.
Callow said it was “unclear whether the CISA alert was due to concerns that Operation Karakurt would intensify as Operation Conti ends.”
It would not be surprising to see an increase in Karakurt's activity, he added: "The Conti brand seems dead, and the actors behind it will be looking to boost other operations."
CISA did not answer a question about the timing of the joint advisory.