
Karakurt: This New Threat Group Steals Data for Ransom

A new financially motivated threat group has been discovered operating under the self-proclaimed name Karakurt. The group began accelerating its attacks in the third quarter and kept up that pace through the fourth quarter.

The Karakurt group

Researchers from Accenture discovered Karakurt’s attacks with multiple sightings within a short period of time. The group mainly focuses on data exfiltration, followed by extortion.
  • Karakurt was first spotted in June when it registered its dump-site domains (karakurt[.]group and karakurt[.]tech), while it came up with its Twitter handle (karakurtlair) in August.
  • The threat group has already targeted over 40 victims in various industries between September and November.
  • The group adapts its tactics to the victim's environment. It often prefers a living-off-the-land approach and avoids common post-exploitation tools such as Cobalt Strike.
  • The threat group uses attack infrastructure previously linked with other cybercriminals. However, the nature of its operations (e.g. affiliate-based model or RaaS) is still unknown.

Who do they target?

About 95% of the group’s victims were found to be based in North America, with the rest observed in Europe. The group does not focus on a specific industry; its targeting appears to be random.

Additional insights

For initial access, the Karakurt group primarily uses VPN credentials that it either buys from sellers or harvests through phishing.
  • For persistence, the group used Cobalt Strike, which it has replaced with AnyDesk in recent attacks. It then steals administrators' credentials with Mimikatz for privilege escalation.
  • For data theft, the group uses legitimate compression tools (such as 7zip and WinZip) to archive files, then uploads everything to Mega[.]io using Rclone or FileZilla.
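The staging-then-upload chain described above (archiver, then Rclone/FileZilla toward Mega) is one of the few host-level signals a defender can hunt for. The following is an added example, not code from the original article or from the researchers it cites: a small Python detector run over constructed, simplified Sysmon-like process-creation lines. The log format, the two-hour window and the executable names are assumptions for the example.

```python
"""Flag an archiver followed by an exfil tool on the same host (hypothetical hunt logic).

Constructed event format: "<ISO time>|<host>|<user>|<image>|<command line>".
A hit is 7-Zip/WinZip on a host followed within WINDOW by rclone or FileZilla on
the same host; a Mega remote in the command line raises the severity.
"""
from datetime import datetime, timedelta

ARCHIVERS = {"7z.exe", "7zg.exe", "winzip64.exe", "winzip32.exe"}  # assumed names
EXFIL_TOOLS = {"rclone.exe", "filezilla.exe"}
WINDOW = timedelta(hours=2)  # assumption: staging and upload happen in one session

# Constructed sample events, not real telemetry.
SAMPLE_EVENTS = """\
2021-11-03T01:12:09|FS01|CORP\\svc_backup|C:\\Program Files\\7-Zip\\7z.exe|7z.exe a D:\\stage\\fin.7z \\\\FS01\\finance
2021-11-03T01:40:51|FS01|CORP\\svc_backup|C:\\Users\\Public\\rclone.exe|rclone.exe copy D:\\stage mega:drop --transfers 8
2021-11-03T09:05:00|WS17|CORP\\alice|C:\\Program Files\\7-Zip\\7z.exe|7z.exe a photos.zip C:\\Users\\alice\\Pictures
2021-11-03T10:15:22|WS22|CORP\\bob|C:\\Program Files\\FileZilla FTP Client\\filezilla.exe|filezilla.exe
"""


def parse_events(text):
    """Parse pipe-delimited lines into dicts; image is reduced to its lower-cased file name."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, host, user, image, cmdline = line.split("|", 4)
        events.append({"time": datetime.fromisoformat(ts), "host": host, "user": user,
                       "image": image.rsplit("\\", 1)[-1].lower(), "cmdline": cmdline})
    return events


def find_staging_then_exfil(events, window=WINDOW):
    """Return one alert per exfil-tool launch preceded (within window) by an archiver on that host."""
    alerts, staged_by_host = [], {}
    for ev in sorted(events, key=lambda e: e["time"]):
        if ev["image"] in ARCHIVERS:
            staged_by_host.setdefault(ev["host"], []).append(ev)
        elif ev["image"] in EXFIL_TOOLS:
            recent = [a for a in staged_by_host.get(ev["host"], [])
                      if ev["time"] - a["time"] <= window]
            if recent:  # archiver seen on this host shortly before the upload tool
                alerts.append({"host": ev["host"], "user": ev["user"], "tool": ev["image"],
                               "staged_at": recent[0]["time"], "exfil_at": ev["time"],
                               "severity": "high" if "mega" in ev["cmdline"].lower() else "medium"})
    return alerts
```

Only the FS01 pair fires; the lone 7-Zip run on WS17 and the FileZilla launch on WS22 with no preceding archiver are left alone, which is what keeps a rule like this usable on a busy fleet.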

Conclusion

The Karakurt hacking group focuses on encryption-less attacks, which may look less damaging than ransomware. However, threatening to leak a victim's sensitive data is just as dangerous. Organizations should therefore invest in defense, prevention, and detection against this kind of threat.

Publisher: Cyware