In a joint effort, the Federal Bureau of Investigation (FBI), Cybersecurity and Infrastructure Security Agency (CISA), Department of the Treasury (Treasury), and Financial Crimes Enforcement Network (FinCEN) have issued a Cybersecurity Advisory (CSA) to raise awareness of the Karakurt data extortion group, also known as Karakurt Team and Karakurt Lair. The joint advisory provides organizations with information to strengthen their defenses against the evolving tactics employed by Karakurt actors.
Karakurt has demonstrated a variety of tactics, techniques, and procedures (TTPs) that pose significant challenges to defense and mitigation efforts. Unlike victims of typical ransomware attacks, Karakurt victims do not report compromised machines or encrypted files. Instead, the attackers claim to have stolen sensitive data and apply coercive pressure, such as auctioning the information or threatening to release it if the demanded ransom is not paid promptly.
Ransom demands by Karakurt actors range from $25,000 to the equivalent of $13 million in Bitcoin. The payment deadline is usually set within one week of first contact with the victim. To create urgency and establish credibility, Karakurt actors often provide screenshots or copies of stolen files and directory listings as evidence of the compromised data.
A disturbing aspect of Karakurt's methods is the harassment of victims' employees, business partners, and customers through emails and phone calls. The emails contain samples of the stolen data, including sensitive information such as Social Security numbers, payment account details, private company emails, and sensitive business data belonging to employees and customers.
Upon receiving a ransom payment, Karakurt actors provide evidence of file deletion and, in some cases, a brief description of the initial compromise. Prior to January 5, 2022, Karakurt operated a leak and auction website. The original domain hosting the website and its IP address went offline in spring 2022, but reports indicate that the website has resurfaced on the deep and dark web, hosting several terabytes of data allegedly belonging to victims in North America and Europe.
This joint advisory serves as an important resource for organizations seeking to strengthen their cybersecurity posture against the persistent threat posed by Karakurt. By understanding the group's tactics and staying informed about its evolving strategies, organizations can improve their preparedness and response capabilities to protect sensitive information and thwart potential attacks. The joint efforts of the FBI, CISA, the Treasury Department, and FinCEN highlight the importance of collective action in addressing emerging cyber threats and protecting the integrity of the digital ecosystem.