In a collaborative effort, the Federal Bureau of Investigation (FBI), the Cybersecurity and Infrastructure Security Agency (CISA), the Department of the Treasury (Treasury), and the Financial Crimes Enforcement Network (FinCEN) have issued a comprehensive Cybersecurity Advisory (CSA) to raise awareness about the Karakurt data extortion group, also known as the Karakurt Team and Karakurt Lair. This joint advisory aims to equip organizations with crucial information to enhance their defenses against the evolving tactics employed by the Karakurt actors.
Karakurt has demonstrated a range of sophisticated tactics, techniques, and procedures (TTPs), presenting substantial challenges for defense and mitigation efforts. Unlike victims of typical ransomware attacks, Karakurt victims have not reported the encryption of compromised machines or files. Instead, the threat actors claim to have stolen sensitive data and employ a coercive approach, threatening to auction off or release the information to the public unless the demanded ransom is paid promptly.
Ransom demands by Karakurt actors have varied widely, ranging from $25,000 to $13,000,000 in Bitcoin. Typically, the payment deadlines are set to expire within a week of initial contact with the victim. To instill urgency and credibility, Karakurt actors often provide screenshots or copies of stolen file directories as evidence of the compromised data.
An unsettling aspect of Karakurt’s modus operandi involves reaching out to victims’ employees, business partners, and clients through harassing emails and phone calls. The emails contain examples of stolen data, including sensitive information such as social security numbers, payment accounts, private company emails, and confidential business data belonging to employees or clients.
Upon receiving ransom payments, Karakurt actors have, on occasion, provided proof of file deletion and, in some instances, a brief explanation of the initial intrusion. Notably, prior to January 5, 2022, Karakurt operated a leaks and auction website. Although the original domain and IP address hosting the website went offline in spring 2022, reports suggest that the website has resurfaced on the deep web and dark web, housing several terabytes of purported victim data from North America and Europe.
The joint advisory serves as a critical resource for organizations to fortify their cybersecurity measures against the persistent threat posed by Karakurt. By understanding the group’s tactics and staying informed about their evolving strategies, businesses and entities can enhance their preparedness and response capabilities to safeguard sensitive information and thwart potential attacks. The collaborative efforts of FBI, CISA, Treasury, and FinCEN underscore the importance of collective action in addressing emerging cyber threats and protecting the integrity of digital ecosystems.