Karakurt

Malware updated 22 days ago (2024-11-29T14:34:29.243Z)
Karakurt is a malicious software (malware) that has been linked to significant data extortion activity. It is affiliated with the notorious Conti cybercrime syndicate and with ITG23, both known for disruptive operations including data theft and ransom demands. In 2023 there was a notable increase in Karakurt victims from the healthcare industry: the full-time group BianLian severely impacted 11 entities, followed by LockBit and Karakurt, which affected seven each. Karakurt and other groups previously associated with ITG23 continue to operate, contributing to a 25 percent increase in data theft extortion incidents compared to the previous quarter.

Karakurt's association with Conti is deep-seated, as evidenced by the crypto addresses identified as "Karakurt 1PLpQH3ntG," which received some of the ransoms paid to the group, including half of the first known Conti victim ransom payment in June 2020. Karakurt also hit a company based in Springfield, Missouri, in a shakedown in November 2021. However, because the association with Conti was hurting their returns, Karakurt members discussed renaming the group to TommyLeaks, Schoolboys Ransomware Gang, and Blockbit in mid-2022.

The FBI has been closely monitoring Karakurt's activities, using commercial cryptocurrency tracing software to follow ransom payments. This led to the unmasking of one member after a bitcoin payment to Karakurt was traced back to a wallet owned by that individual. The Bureau also found that Karakurt used Rocket.Chat, an open-source communications platform, to coordinate its activities. Despite the group's attempts to distance itself from Conti, recent attacks carried out under the new names have been publicly linked back to Karakurt and Conti, indicating the continued threat posed by this group.
Description last updated: 2024-10-17T12:05:29.256Z
Possible Aliases / Cluster overlaps
It's hard to track cluster overlaps and naming conventions between vendors, so here are some possible overlapping names / profiles you may also want to look at.
Alias | Description | Votes

AvosLocker (votes: 4): AvosLocker is a possible alias for Karakurt. AvosLocker is a type of malware, specifically ransomware, known for its malicious intent to exploit and damage computer systems. This software often infiltrates systems undetected through suspicious downloads, emails, or websites, subsequently causing disruption in operations, theft of personal info

Akira (votes: 2): Akira is a possible alias for Karakurt. Akira is a potent ransomware that has been active since 2023, known for its aggressive encryption tactics and swift deployment. This malware, which brings a unique '80s aesthetic to the dark web, has quickly risen in prominence within the cybercrime landscape. It has targeted hundreds of victims glo
Miscellaneous Associations
Other elements of context that could aid in the identification of relevance
Bitcoin
Ransomware
Extortion
Ransom
Encryption
Cybercrime
Analyst Notes & Discussion
Associated Malware
Alias | Description | Association Type | Votes

Conti (association type: Unspecified; votes: 4): The Conti Malware is associated with Karakurt. Conti is a type of malware, specifically ransomware, which is designed to infiltrate and damage computer systems. This malicious software can enter systems through various methods such as suspicious downloads, emails, or websites, often without the user's knowledge. Once inside, it can steal persona

Lockbit (association type: Unspecified; votes: 3): The Lockbit Malware is associated with Karakurt. LockBit is a prominent ransomware-as-a-service (RaaS) malware that has been involved in numerous cyberattacks, demonstrating its staying power and adaptability. The malware, which can infiltrate systems through suspicious downloads, emails, or websites, is designed to exploit and damage computers or

Hive (association type: Unspecified; votes: 3): The Hive Malware is associated with Karakurt. Hive is a form of malware, specifically ransomware, designed to exploit and damage computer systems. It infiltrates systems through suspicious downloads, emails, or websites, often without the user's knowledge. Once inside, Hive can steal personal information, disrupt operations, or hold data hostag

Clop (association type: Unspecified; votes: 2): The Clop Malware is associated with Karakurt. Clop, a malicious software (malware), is linked to a Russian-speaking cybercriminal group also known as Cl0p. It is designed to exploit and damage computer systems by stealing personal information, disrupting operations, or holding data hostage for ransom. In May 2023, the Clop group began exploitin

Blackbasta (association type: Unspecified; votes: 2): The Blackbasta Malware is associated with Karakurt. BlackBasta is a notorious malware group that has emerged as a significant player in the ransomware space. The group has demonstrated an ability to adapt and evolve their tactics, making them a leading entity in the Russian-language ransomware domain. Initially, BlackBasta was observed using a botnet

Black Basta (association type: Unspecified; votes: 2): The Black Basta Malware is associated with Karakurt. Black Basta is a notorious malware group known for its sophisticated ransomware attacks, which have targeted numerous high-profile entities. The group has demonstrated a remarkable ability to adapt their tactics, techniques, and procedures (TTPs), allowing them to effectively evade security defenses

Snatch (association type: Unspecified; votes: 2): The Snatch Malware is associated with Karakurt. Snatch is a type of malware, specifically a ransomware, that poses significant threats to digital security. This malicious software infiltrates systems typically via suspicious downloads, emails, or websites, often unbeknownst to the user. Once inside a system, Snatch can cause extensive damage, inc
Associated Threat Actors
Alias | Description | Association Type | Votes

Blackbyte (association type: Unspecified; votes: 2): The Blackbyte Threat Actor is associated with Karakurt. BlackByte, a threat actor believed to be an offshoot of the notorious Conti group, has been observed by cybersecurity experts exploiting a recently disclosed VMware ESXi vulnerability (CVE-2024-37085) to gain control over virtual machines and escalate privileges within compromised environments. This

BianLian (association type: Unspecified; votes: 2): The BianLian Threat Actor is associated with Karakurt. BianLian is a threat actor that has been active in cybercrime, leveraging various techniques for malicious intent. Prior to January 2024, the group used an encryptor (encryptor.exe) that modified all encrypted files to have the .bianlian extension and created a ransom note in each affected directory

Vice Society (association type: Unspecified; votes: 2): The Vice Society Threat Actor is associated with Karakurt. Vice Society, a threat actor or hacking team with malicious intent, has been active since 2022 and has made significant waves in the cybersecurity world. The group is known for deploying various forms of ransomware, including BlackCat, Quantum Locker, Zeppelin, and their own branded variant of Zeppe
Source Document References
Information about the Karakurt Malware was read from the documents corpus below. This display is limited to 20 results.
Source | Created

BankInfoSecurity (4 months ago)
Securityaffairs (4 months ago)
CERT-EU (a year ago)
CERT-EU (a year ago)
CERT-EU (a year ago)
CERT-EU (a year ago)
CERT-EU (2 years ago)
CERT-EU (a year ago)
CERT-EU (2 years ago)
BankInfoSecurity (a year ago)
CERT-EU (a year ago)
MITRE (a year ago)
CERT-EU (a year ago)
CERT-EU (a year ago)
CERT-EU (a year ago)
CERT-EU (a year ago)
CERT-EU (a year ago)
CERT-EU (a year ago)
CERT-EU (2 years ago)
CERT-EU (2 years ago)