Thu | Jun 2, 2022 | 2:57 PM PDT

It's the beginning of June, the unofficial beginning of summer, and many of us are looking forward to fun plans, vacations, or just some relaxation after what was a very busy first half of the year in cybersecurity.

But guess what? Malicious threat actors are looking forward to you taking that vacation time, as well.

It is well known that threat actors frequently target organizations around holidays, when the majority of staff is taking time off. SecureWorld covered this last year when the U.S. Cybersecurity and Infrastructure Security Agency (CISA) warned of ransomware operators using holidays to their advantage.

This week, CISA, the FBI, and other government organizations issued a joint Cybersecurity Advisory, providing information on a ransomware gang known as the Karakurt data extortion group, or the Karakurt Team.

Most notably, the Karakurt group appears to be the data extortion arm of the Conti ransomware gang.

What is the Karakurt group?

The Karakurt gang is a relatively new cybercrime group on the block, with researchers reporting it first emerged in late 2021. CISA says the group employs a variety of tactics, techniques, and procedures (TTPs), which create significant problems for defense and mitigation.

Interestingly, victims of the group have not reported encryption of compromised machines or files. However, the threat actors have claimed to steal data and then threaten to sell it on the Dark Web unless they receive a ransom payment. Ransom demands have ranged from $25,000 to $13 million in Bitcoin.

The advisory discusses Karakurt's operations:

"Karakurt actors have typically provided screenshots or copies of stolen file directories as proof of stolen data. Karakurt actors have contacted victims' employees, business partners, and clients with harassing emails and phone calls to pressure the victims to cooperate.

The emails have contained examples of stolen data, such as social security numbers, payment accounts, private company emails, and sensitive business data belonging to employees or clients. Upon payment of ransoms, Karakurt actors have provided some form of proof of deletion of files and, occasionally, a brief statement explaining how the initial intrusion occurred."

It's important to highlight the harassment portion of this quote, as victims have reported "extensive harassment campaigns" in which the individual victim or organization receives numerous emails and phone calls demanding payment.

The joint statement continues:

"Prior to January 5, 2022, Karakurt operated a leaks and auction website found at https://karakurt[.]group. The domain and IP address originally hosting the website went offline in the spring 2022. The website is no longer accessible on the open internet, but has been reported to be located elsewhere in the deep web and on the dark web.

As of May 2022, the website contained several terabytes of data purported to belong to victims across North America and Europe, along with several 'press releases' naming victims who had not paid or cooperated, and instructions for participating in victim data 'auctions.'"

The advisory also states that in some instances, Karakurt conducted attacks against victims who were previously targeted by other ransomware groups. This indicates that Karakurt operators might have purchased previously stolen data.

They have also targeted victims at the same time they were already under attack by another ransomware group, meaning that victims received multiple ransomware notes simultaneously. CISA suggests that in these cases, Karakurt actors purchased access to a compromised system that was also sold to another ransomware actor.

What's more, the Karakurt group appears to be associated with the infamous Conti ransomware gang. 

Ivan Righi, a senior cyber threat intelligence analyst at Digital Shadows, discusses Karakurt and the possible Conti ties:

"The Karakurt Hacking Team is an extortion group that first appeared in late 2021. Since the release of the Karakurt Hacking Team data-leak site, the gang has named more than 80 organizations as attempted extortion victims. The group not only leaks data from victims, but also often auctions off the data it steals in private auctions. Karakurt has primarily targeted smaller US-based companies or corporate subsidiaries, although they have also attacked organizations in Canada, the UK, and Germany.

Recently, it was discovered that the Karakurt Hacking Team likely had some ties to the Conti ransomware gang. Conti has uploaded large volumes of stolen data to Karakurt's web servers. Many cryptocurrency wallets used by Karakurt to receive victims' payments were sending money to Conti wallets. It is realistically possible that Conti had formed a business relationship with Karakurt, or that Karakurt was a side business of Conti."

For more technical details, indicators of compromise, and mitigations to use for Karakurt, see the Cybersecurity Advisory.