
Karakurt Steals Data and Demands Ransom - FBI Warns

The FBI, CISA, and other agencies recently published a joint advisory stating that the Karakurt threat actor is attempting to extort millions of victims across Europe and North America. However, the agencies warn against paying the ransom, since there is no proof that the threat actor actually deletes the stolen files. The gang has been found selling sensitive data and demanding hefty ransoms from its victims.

Diving into details

  • The average ransom demanded by Karakurt ranges from $25,000 to $13,000,000 in Bitcoin, with a deadline of one week.
  • As a part of the extortion routine, the attackers send ransom notes to the employees of the victim firm, threatening to leak the stolen information.
  • The twist is that although there is a deadline for paying the ransom, the hackers do not sit and wait.
  • They conduct extensive harassment campaigns, sending emails and making calls to business partners, employees, and clients.
  • Moreover, Karakurt generally exaggerates the amount of data stolen.
  • Karakurt doesn't encrypt the data, only steals it, hoping that this will scare the victims into paying up.

Why this matters

The cybersecurity advisory notes that in certain cases, the threat actor targets businesses that have previously been victims of ransomware attacks. It likely buys the data on dark web markets or obtains it from data dumps. Common intrusion tactics used by the group include exploiting known flaws, sending phishing emails with malicious attachments, abusing unpatched bugs in firewall appliances and VPN software, and exploiting outdated Windows servers.

Connection to Conti

  • Karakurt was discovered to be a side-operation of the infamous Conti ransomware gang.
  • Other ransomware gangs working under Conti include Hive, AvosLocker, BlackCat, HelloKitty, BlackByte, and former Babuk affiliates.
  • Karakurt was formed by Conti to monetize data exfiltration, as Conti's model had previously been based exclusively on data encryption rather than theft.

The bottom line

Karakurt is actively abusing vulnerabilities to target businesses with double-extortion attacks. However, there are mitigation measures that organizations can take to stay safe. These include applying patches as soon as they are available, implementing network segmentation, training employees and users to identify phishing emails, and employing MFA.
Publisher: Cyware