Extortion Group Won’t Stop Data Leaks Even If Its Demands Are Met, Feds Say(@prajeetspeaks) o
June 3, 2022
U.S. government agencies have issued a warning to organizations in the country against paying ransom to the Karakurt data extortion group. The threat actor’s promises to delete stolen data and not disclose the security incident to the public if its demands are met are false, the agencies say.
“Karakurt actors have employed a variety of tactics, techniques and procedures, creating significant challenges for defense and mitigation. Karakurt victims have not reported encryption of compromised machines or files; rather, Karakurt actors have claimed to steal data and threatened to auction it off or release it to the public unless they receive payment of the demanded ransom,” says a joint advisory, published by the U.S. Cybersecurity and Infrastructure Security Agency, the Department of the Treasury, the Financial Crimes Enforcement Network and the FBI.
The joint advisory provides information on the data extortion group, also known as the Karakurt Team or Karakurt Lair. The group usually demands a ransom in bitcoins, with the value ranging from $25,000 to $13,000,000, and sets a payment expiration date of one week from the first contact with the victim, the advisory says.
Besides the operational impact of ransomware, the reputational damage can be severe – this potential damage is what adds to the leverage the threat actors already have, and it is a very effective tool, says security awareness advocate Erich Kron.
“While paying the ransom may stop the harassment and may even limit the public exposure of the stolen data, given the lengths these attackers are going to in order to make a few bucks, it can be expected that the information will also be sold on the dark web or shared with other cybercriminals,” he says.
The threat actors show the victims copies of the stolen data, such as screenshots, to establish authenticity. They also contact and harass victims’ employees, business partners and clients to pressure them into paying up, the advisory says.
“Upon payment of ransoms, Karakurt actors have provided some form of proof of deletion of files and, occasionally, a brief statement explaining how the initial intrusion occurred,” it says.
The advisory also says the domain and IP address hosting the leaks and auction website of the threat actors prior to Jan. 5, 2022, is “no longer accessible on the open internet,” but the website has been relocated to the deep web and the dark web.
“As of May 2022, the website contained several terabytes of data purported to belong to victims across North America and Europe, along with several ‘press releases’ naming victims who had not paid or cooperated, and instructions for participating in victim data auctions,” it says.
The advisory also says that in some cases, the Karakurt group targeted victims that had already been affected by other ransomware variants.
“Karakurt actors likely purchased or otherwise obtained previously stolen data. Karakurt actors have also targeted victims at the same time these victims were under attack by other ransomware actors. In such cases, victims received ransom notes from multiple ransomware variants simultaneously, suggesting Karakurt actors purchased access to a compromised system that was also sold to another ransomware actor,” the advisory says.
It adds that the Karakurt actors exaggerated the degree of compromise and the value of stolen data by claiming “to steal volumes of data far beyond the storage capacity of compromised systems” or “to steal data that did not belong to the victim.”
The advisory states that the threat actor does not appear to target any specific sectors, industries or types of victims. It obtains access to the victims’ devices primarily by:
Purchasing stolen credentials;
Accessing already compromised victims from cooperating partners in the cybercrime community;
Using intrusion brokers to buy access to already compromised victims.
Intrusion brokers are malicious individuals or groups of cyberthreat actors who obtain initial access to systems themselves, and sell that access to other cybercriminal actors.
Karakurt uses the following intrusion vulnerabilities for initial access:
Outdated SonicWall SSL VPN appliances that are vulnerable to multiple recent CVEs;
Log4j “Log4Shell” Apache Logging Services vulnerability CVE-2021-44228;
Phishing and spear-phishing;
Malicious macros within email attachments;
Stolen virtual private network or Remote Desktop Protocol credentials;
Outdated Fortinet FortiGate SSL VPN appliances /firewall appliances that are vulnerable to multiple recent CVEs;
Outdated and/or unserviceable Microsoft Windows Server instances;
“Upon developing or obtaining access to a compromised system, Karakurt actors deploy Cobalt Strike beacons to enumerate a network, install Mimikatz to pull plain-text credentials, use AnyDesk to obtain persistent remote control, and utilize additional situation-dependent tools to elevate privileges and move laterally within a network,” the advisory says.
Then, the Karakurt actors “compress files using 7zip and exfiltrate large sums of data. In many cases, this includes entire network-connected shared drives in volumes exceeding 1 terabyte. They also use open source applications, File Transfer Protocol services such as Filezilla, and cloud storage services including rclone and Mega.nz,” it says.
Upon successful exfiltration of data, Karakurt actors email a ransom note in a “readme.txt” file over the compromised email network, using an external email account.
“The ransom notes reveal the victim has been hacked by the ‘Karakurt Team’ and threaten public release or auction of the stolen data. The instructions include a link to a TOR URL with an access code. Visiting the URL and inputting the access code open a chat application over which victims can negotiate with Karakurt actors to have their data deleted,” the advisory says.
The advisory also says that the victims have reported “extensive harassment campaigns” to encourage the victim to pay up, and offer some form of evidence that their data theft claim is true.
“Upon reaching an agreement on the price of the stolen data with the victims, Karakurt actors provided a Bitcoin address – usually a new, previously unused address – to which ransom payments could be made,” the advisory says.
Once the ransom is paid, Karakurt actors provide alleged proof of deletion of the stolen files. This includes “a screen recording of the files being deleted, a deletion log, or credentials for a victim to log into a storage server and delete the files themselves,” the advisory says.
One of the easiest ways for organizations to protect themselves is to include simulated phishing attacks in their employee training, Kron says, since these attacks are the primary means by which ransomware spreads.