
Karakurt Team hits North America and Europe with data theft and extortion

Karakurt Team attacks are hitting seemingly indiscriminate targets in North America and Europe with data theft, demanding a ransom to delete the stolen data. Learn more about their techniques and how to protect against them.


A new joint Cybersecurity Advisory (CSA) has been issued by the Federal Bureau of Investigation (FBI), the Cybersecurity and Infrastructure Security Agency (CISA), the Department of the Treasury (Treasury) and the Financial Crimes Enforcement Network (FinCEN) to raise awareness and share details about the Karakurt Data Extortion Group.

Who is the Karakurt Data Extortion Group?

The Karakurt Data Extortion Group, also known as Karakurt Team and Karakurt Lair, is a threat actor that threatens companies with the public disclosure of stolen internal data unless they pay a ransom, ranging from $25,000 USD to $13,000,000 USD in Bitcoin (BTC), within a week.

According to AdvIntel, the Karakurt Team is a subgroup of the CONTI threat actor, as shown in Figure A.


That subgroup, according to AdvIntel's researchers, was created to monetize victim compromises that could not be ransomed through ransomware. It apparently happens fairly frequently that the ransomware used by CONTI cannot run, or fails to encrypt data, because of technical or privilege issues, which leaves the attackers with zero revenue. In that case, the Karakurt group can monetize the data theft instead of the data encryption.

Figure A

Image: AdvIntel. CONTI and Karakurt Team ties, illustrated as a spider.

Modus operandi

The Karakurt group employs different tactics, techniques and procedures (TTPs) against targets that appear to be chosen at random.

The initial compromise that gives the threat actor access to the target usually involves obtaining valid login credentials, which may be purchased, exchanged with cooperating criminal partners, or acquired by buying access to already compromised victims from third-party initial access brokers (IABs).

The threat actor also has the capability to exploit common vulnerabilities for initial access. A few examples are the infamous Log4Shell vulnerability, vulnerable or outdated VPN appliances, and malicious Microsoft Office macros.

Once Karakurt Team has obtained valid access, it deploys Cobalt Strike beacons to enumerate the network before installing and using Mimikatz to collect additional credentials. It also uses the AnyDesk software to obtain persistent remote control, along with additional tools to elevate privileges on the system and move laterally across the network.

The next step for Karakurt Team is to exfiltrate large amounts of data. In many cases, entire network-connected shared drives are compressed with 7-Zip before being exfiltrated using open-source applications and FTP (File Transfer Protocol) services. The volumes can exceed 1TB of data.
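The post-compromise chain described in the two paragraphs above (AnyDesk for persistence, Mimikatz for credentials, 7-Zip archiving of shares, bulk FTP exfiltration) is easier to hunt for when the stages are correlated per host rather than alerted on individually. The following is an added example, not code from the advisory or from this article: it runs simple stage detectors over constructed process-creation and network-flow records in a hypothetical pipe-delimited log format, and the regexes, port list and 10 GiB threshold are assumptions to be tuned to the environment.

```python
"""
Hunt for the Karakurt post-compromise chain described above (AnyDesk for
persistence, Mimikatz for credentials, 7-Zip archiving of network shares,
bulk FTP exfiltration) in endpoint process-creation and network-flow logs.

Added example with constructed sample data; not code from the advisory.
Assumed (hypothetical) log shape, one record per line:
  proc|<host>|<timestamp>|<image path>|<command line>
  net|<host>|<timestamp>|<dst ip>|<dst port>|<bytes out>
"""
import re
from collections import defaultdict

# Stage detectors. The patterns are assumptions derived from the tools the
# advisory names; tune them to the environment. Mimikatz is matched on its
# module syntax, not the file name, because the binary is commonly renamed.
PROC_STAGES = {
    "anydesk": re.compile(r"anydesk(\.exe)?", re.I),
    "mimikatz": re.compile(r"(mimikatz|sekurlsa::|lsadump::)", re.I),
    # 7z adding ("a") a UNC share (\\server\share) or a drive path to an archive
    "7z_share": re.compile(r"\b7z[ar]?\.exe\s+a\s+.*(\\\\[^\s\\]+\\|[a-z]:\\)", re.I),
}
FTP_PORTS = {21, 990}                # plain FTP and FTPS control ports
EXFIL_BYTES = 10 * 1024 ** 3         # assumed threshold: 10 GiB out in one flow record


def parse(line):
    """Split one log record into a dict, or return None for malformed lines."""
    fields = line.rstrip("\n").split("|")
    if fields[0] == "proc" and len(fields) == 5:
        return {"kind": "proc", "host": fields[1], "ts": fields[2],
                "image": fields[3], "cmd": fields[4]}
    if fields[0] == "net" and len(fields) == 6:
        return {"kind": "net", "host": fields[1], "ts": fields[2],
                "dst": fields[3], "port": int(fields[4]), "bytes": int(fields[5])}
    return None


def hunt(lines):
    """Return {host: {stage: first timestamp seen}} for every matched stage."""
    hits = defaultdict(dict)
    for line in lines:
        rec = parse(line)
        if rec is None:
            continue
        if rec["kind"] == "proc":
            text = rec["image"] + " " + rec["cmd"]
            for stage, pattern in PROC_STAGES.items():
                if pattern.search(text):
                    hits[rec["host"]].setdefault(stage, rec["ts"])
        elif rec["port"] in FTP_PORTS and rec["bytes"] >= EXFIL_BYTES:
            hits[rec["host"]].setdefault("ftp_bulk_out", rec["ts"])
    return dict(hits)


def triage(hits, min_stages=2):
    """Keep hosts showing at least min_stages distinct stages, most stages first.

    A single 7-Zip run or a single AnyDesk install is normal in many networks;
    the chain is what makes the activity suspicious.
    """
    ranked = sorted(hits.items(), key=lambda kv: -len(kv[1]))
    return [(host, sorted(stages)) for host, stages in ranked if len(stages) >= min_stages]


# Constructed sample records: WS-042 shows the full chain, WS-017 is a user
# zipping their own pictures and uploading over HTTPS (benign noise).
SAMPLE_LOGS = [
    r"proc|WS-042|2022-05-03T08:12:07Z|C:\Users\j.doe\AppData\Local\AnyDesk\AnyDesk.exe|AnyDesk.exe --install C:\ProgramData\AnyDesk --start-with-win --silent",
    r"proc|WS-042|2022-05-03T08:40:11Z|C:\Windows\Temp\m.exe|m.exe privilege::debug sekurlsa::logonpasswords exit",
    r"proc|WS-042|2022-05-03T09:02:45Z|C:\Windows\Temp\7z.exe|7z.exe a -mx1 D:\stage\fs01.7z \\FS01\Finance",
    r"net|WS-042|2022-05-03T09:55:30Z|203.0.113.17|21|13421772800",
    r"proc|WS-017|2022-05-03T10:01:00Z|C:\Program Files\7-Zip\7z.exe|7z.exe a C:\Users\a.lee\Desktop\photos.7z C:\Users\a.lee\Pictures",
    r"net|WS-017|2022-05-03T10:05:00Z|192.0.2.8|443|52428800",
]

if __name__ == "__main__":
    for host, stages in triage(hunt(SAMPLE_LOGS)):
        print(f"{host}: {', '.join(stages)}")
```

Run as-is it reports only WS-042 with all four stages; WS-017 matches the 7-Zip stage alone and is dropped by `triage`, which is the point of scoring the chain rather than each tool. Note that the FTP check keys on destination port, so exfiltration over a non-standard port or over HTTPS-based file sharing needs a byte-volume rule that ignores the port.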

Ransom notes are then sent by email to employees, both over the compromised email network and from external email accounts. The note contains an attribution to Karakurt Team and a link to a TOR URL along with an access code.

Following that link and entering the access code leads to a chat application used to negotiate with a Karakurt threat actor.

The advisory mentions that “Karakurt victims have reported extensive harassment campaigns by Karakurt actors in which employees, business partners, and clients receive numerous emails and phone calls warning the recipients to encourage the victims to negotiate with the actors to prevent the dissemination of victim data. These communications often included samples of stolen data—primarily personally identifiable information (PII), such as employment records, health records, and financial business records.”

The threat actor may show additional screenshots displaying file trees of the stolen data. Once a price for the data deletion has been agreed, the victim is presented with a new, previously unused Bitcoin address to which the payment is to be made.

If payment is made, Karakurt Team provides proof of data deletion: screen recordings of files being deleted, a deletion log file, or credentials to access a storage server so the victim can delete the data themselves.

In some cases, Karakurt Team has attacked companies that had previously been hit by ransomware, or that were being attacked by ransomware threat actors at the same time. This suggests that Karakurt Team sometimes buys initial access that is simultaneously being sold to other ransom threat actors.

Finally, Karakurt Team often exaggerates the degree of compromise to the victim, claiming a volume of stolen data larger than the victim's storage capacity, or the theft of data that does not belong to the victim. Claims made in a note are therefore worth checking against the victim's own evidence of exfiltration, such as transfer logs and archive sizes, rather than taken at face value.

How to protect against this threat?

For starters, sensitive data inside companies should be stored securely, on segmented or physically separated storage, and multiple secure copies should be made. Data should also be regularly backed up, with the backups at least password protected and stored offline.


All operating systems and software should be kept up to date to avoid being compromised through a common vulnerability, and security software should be deployed on all endpoints and servers.

In addition, administrative privileges should only be provided to employees who need them for their work, and access controls should be set across the company following least-privilege principles. Moreover, multi-factor authentication (MFA) should be enabled for every employee's access. Domain controllers, servers and workstations, and Active Directory should also be reviewed regularly for new or unrecognized accounts.
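The account review recommended above is most useful when it is a repeatable check against a list of approved changes rather than an eyeball pass through Active Directory Users and Computers. The following is an added example, not code from the advisory or from this article: it reviews a constructed user export in a hypothetical CSV shape (what PowerShell's `Export-Csv` produces for `Get-ADUser -Filter * -Properties whenCreated,memberOf`, with `memberOf` flattened to semicolon-separated distinguished names) and flags accounts created after a given date without an approval, and accounts holding privileged-group membership without one. The privileged-group list, the date format and the approval lists are assumptions.

```python
"""
Periodic review of an Active Directory user export for new or unrecognized
accounts and for unapproved privileged-group membership, as recommended above.

Added example with constructed data; not code from the advisory. It assumes a
hypothetical CSV export in the shape PowerShell's Export-Csv produces for
`Get-ADUser -Filter * -Properties whenCreated,memberOf` (all fields quoted,
memberOf flattened to ';'-separated distinguished names).
"""
import csv
import io
from datetime import datetime, timezone

# Groups whose membership grants domain- or host-level administrative control.
PRIVILEGED_GROUPS = {
    "Domain Admins", "Enterprise Admins", "Schema Admins", "Administrators",
    "Account Operators", "Backup Operators", "Server Operators",
}


def group_cn(dn):
    """'CN=Domain Admins,CN=Users,DC=corp,DC=example' -> 'Domain Admins'."""
    first = dn.split(",", 1)[0]
    return first[3:] if first.upper().startswith("CN=") else first


def review(export_csv, approved_accounts, approved_admins, since):
    """Return (SamAccountName, reason) findings for the export.

    approved_accounts: accounts whose creation was authorised (e.g. from HR / ticketing)
    approved_admins:   accounts allowed to hold privileged-group membership
    since:             timezone-aware datetime; creations on/after it count as "new"
    """
    findings = []
    for row in csv.DictReader(io.StringIO(export_csv)):
        sam = row["SamAccountName"]
        # Assumed whenCreated format; real exports are locale-formatted, adapt as needed.
        created = datetime.strptime(row["whenCreated"], "%Y-%m-%d %H:%M:%S").replace(tzinfo=timezone.utc)
        groups = {group_cn(dn) for dn in row["memberOf"].split(";") if dn}
        if created >= since and sam not in approved_accounts:
            findings.append((sam, f"created {created:%Y-%m-%d} without a matching approval"))
        privileged = groups & PRIVILEGED_GROUPS
        if privileged and sam not in approved_admins:
            findings.append((sam, "unapproved member of " + ", ".join(sorted(privileged))))
    return findings


# Constructed sample export. svc-backup appeared overnight and sits in
# Backup Operators; n.smith is a new hire with an approval on file.
SAMPLE_EXPORT = """\
"SamAccountName","whenCreated","memberOf"
"j.doe","2019-03-11 09:14:02","CN=Finance,OU=Groups,DC=corp,DC=example"
"it-admin01","2020-07-02 13:00:00","CN=Domain Admins,CN=Users,DC=corp,DC=example;CN=IT,OU=Groups,DC=corp,DC=example"
"svc-backup","2022-05-02 23:41:18","CN=Backup Operators,CN=Builtin,DC=corp,DC=example"
"n.smith","2022-05-04 08:02:00","CN=Sales,OU=Groups,DC=corp,DC=example"
"""
SAMPLE_SINCE = datetime(2022, 4, 30, tzinfo=timezone.utc)


def run_sample():
    """Run the review over the constructed export with assumed approval lists."""
    return review(SAMPLE_EXPORT, approved_accounts={"n.smith"},
                  approved_admins={"it-admin01"}, since=SAMPLE_SINCE)


if __name__ == "__main__":
    for sam, reason in run_sample():
        print(f"{sam}: {reason}")
```

On the sample data only `svc-backup` is reported, twice: once as an unapproved new account and once for its Backup Operators membership, which is enough to restore files, and therefore to read them, without being a Domain Admin. Nested group membership is not expanded here, so an account placed in a custom group that is itself a member of Domain Admins would be missed unless the export is produced with recursive membership.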

Finally, cybersecurity training and awareness should be provided to employees, particularly regarding phishing and spear phishing.

Disclosure: I work for Trend Micro, but the views expressed in this article are mine.

