Karakurt

Malware Profile Updated 13 days ago
Karakurt is a malware and data extortion group, previously affiliated with ITG23, known for its sophisticated tactics, techniques, and procedures (TTPs). The group steals sensitive data from compromised systems and demands ransoms ranging from $25,000 to $13 million in Bitcoin. Unlike typical ransomware attacks, Karakurt victims have not reported encryption of compromised machines or files; instead, they have been given screenshots or copies of stolen file directories as evidence of the breach. In some cases, after receiving payment, Karakurt actors have provided proof of file deletion and a brief explanation of the initial intrusion.

The year 2023 saw a significant rise in data theft extortion incidents, with Karakurt featuring prominently alongside groups such as Clop and RansomHouse. This type of threat accounted for 30 percent of all threats Talos IR responded to, a 25 percent increase over the previous quarter. Healthcare victims surged in April, with Karakurt accounting for seven of them. Prior to January 5, 2022, Karakurt operated a leaks and auction website, underlining its extensive involvement in data extortion.

In response to the growing threat, U.S. agencies including the Federal Bureau of Investigation (FBI), the Cybersecurity and Infrastructure Security Agency (CISA), the Department of the Treasury (Treasury), and the Financial Crimes Enforcement Network (FinCEN) issued a Cybersecurity Advisory (CSA) to raise awareness of the group. Research published in 2021 also documented Karakurt re-extortion attempts against victims previously targeted in ransomware attacks by another cybercrime syndicate, Conti. Such follow-on extortion attempts are not new to attacks associated with Conti and Karakurt, indicating an evolving and persistent threat.
Possible Aliases / Cluster overlaps
It is hard to track cluster overlaps and naming conventions between vendors, so here are some possibly overlapping names and profiles you may also want to look at.
ID (Votes): Profile Description
AvosLocker (3 votes): AvosLocker is a type of malware, specifically ransomware, that poses significant threats to computer systems and networks. Ransomware is a malicious software designed to block access to a computer system until a sum of money is paid. AvosLocker infiltrates systems through suspicious downloads, email
Miscellaneous Associations
Other elements of context that could aid in the identification of relevance
Ransomware
Encryption
Bitcoin
Extortion
Ransom
Cybercrime
Associated Malware
ID, Type (Votes): Profile Description
Conti, Unspecified (4 votes): Conti is a malware program known for its disruptive capabilities, including stealing personal information and holding data hostage for ransom. It gained notoriety as part of the arsenal of ITG23, a cybercrime group that used it in conjunction with other malicious software like Trickbot, BazarLoader,
Lockbit, Unspecified (3 votes): LockBit is a malicious software (malware) that has been implicated in several high-profile cyber attacks. It infiltrates systems through suspicious downloads, emails, or websites, and once inside, it can steal personal information, disrupt operations, or hold data hostage for ransom. Recently, the L
Hive, Unspecified (3 votes): Hive, a form of malware, has been causing significant disruptions in the cybersecurity world. The malicious software infiltrates systems through suspicious downloads, emails, or websites and can steal personal information, disrupt operations, or hold data for ransom. Notably, Volt Typhoon has exfilt
Blackbasta, Unspecified (2 votes): BlackBasta is a notorious malware group known for its ransomware attacks, which began in April 2022. The group primarily used SharpDepositorCrypter as the main loader for their ransomware throughout most of 2022. In addition to BlackBasta Ransomware, they have also utilized other malicious software
Black Basta, Unspecified (2 votes): Black Basta is a prolific malware, specifically a Ransomware-as-a-Service (RaaS) operator, originating from Russia. It is believed to be an offshoot of the notorious Conti ransomware group, which ceased operations just prior to Black Basta's emergence. The malware uses popular initial access techniq
Snatch, Unspecified (2 votes): Snatch is a type of malware, specifically ransomware, known for its malicious intent to exploit and damage computer systems. It infiltrates systems through suspicious downloads, emails, or websites, often unbeknownst to the user. Once inside, it can steal personal information, disrupt operations, or
Clop, Unspecified (2 votes): Clop is a type of malware, specifically a ransomware, known for its destructive capabilities in exploiting and damaging computer systems. It can infiltrate systems via suspicious downloads, emails, or websites, often unbeknownst to the user. Once inside, it has the potential to steal personal inform
Associated Threat Actors
ID, Type (Votes): Profile Description
Vice Society, Unspecified (2 votes): Vice Society, a threat actor known for its malicious cyber activities, has been identified as a significant player in the deployment of ransomware attacks. Notably active from 2022 through May 2023, Vice Society executed multi-extortion strategies, targeting various sectors including education and h
Blackbyte, Unspecified (2 votes): BlackByte, a threat actor known for its malicious activities, has been on the radar of cybersecurity agencies since its emergence in July 2021. Notorious for targeting critical infrastructure, BlackByte attracted the attention of the Federal Bureau of Investigation (FBI) and the US Secret Service (U
Bianlian, Unspecified (2 votes): BianLian is a recognized threat actor known for its malicious activities in the cybersecurity landscape. The group has been particularly active recently, demonstrating a significant capacity to exploit software vulnerabilities to their advantage. A recent series of ransomware attacks orchestrated by
Associated Vulnerabilities
ID, Type (Votes): Profile Description
No associations to display
Source Document References
Information about the Karakurt malware was read from the document corpus below. This display is limited to 20 results.
Source (Created At): Title
CERT-EU (4 months ago): Hstoday Joint Advisory by FBI, CISA, Treasury, and FinCEN Sheds Light on Karakurt Data Extortion Group's Evolving Tactics | #hacking | #cybersecurity | #infosec | #comptia | #pentest | #ransomware | National Cyber Security Consulting
SecurityIntelligence.com (a year ago): The Trickbot/Conti Crypters: Where Are They Now?
CERT-EU (10 months ago): Tennessee Heart Clinic Tells 170,000 of Hacking, Data Breach
CERT-EU (10 months ago): Data theft extortion rises, while healthcare is still most-targeted vertical in Talos IR engagements
BankInfoSecurity (10 months ago): Tennessee Heart Clinic Tells 170,000 of Hacking, Data Breach
BankInfoSecurity (a year ago): Stung by Free Decryptor, Ransomware Group Embraces Extortion
CERT-EU (5 months ago): How ransomware gangs are engaging -- and using -- the media | #hacking | #cybersecurity | #infosec | #comptia | #pentest | #ransomware | National Cyber Security Consulting
BankInfoSecurity (7 months ago): Victim Count Doubles in Heart Institute Data Theft Hack
CERT-EU (4 months ago): Follow-On Extortion Campaign Targeting Victims of Akira and Royal Ransomware | #hacking | #cybersecurity | #infosec | #comptia | #pentest | #ransomware | National Cyber Security Consulting
CERT-EU (10 months ago): Encryption-less ransomware: Warning issued over emerging attack method for threat actors - TechCentral.ie
CERT-EU (10 months ago): Akira Ransomware Racks Up at Least 63 Victims in 4 Months
CERT-EU (7 months ago): Victim Count Doubles in Heart Institute Data Theft Hack
CERT-EU (4 months ago): Ransomware victims targeted in follow-on extortion attacks
CERT-EU (a year ago): BianLian Ransomware: The Dangerous Shift Toward Pure Data Extortion
CERT-EU (7 months ago): Microsoft: Human-operated ransomware attacks tripled over past year
CERT-EU (8 months ago): FBI Warns Organizations of Dual Ransomware, Wiper Attacks
Malwarebytes (7 months ago): FBI warns of multiple ransomware attacks on same victim
CERT-EU (a year ago): GRIT Ransomware Report: April 2023
CERT-EU (a year ago): Zscaler 2023 Ransomware Report Shows a Nearly 40% Increase | #hacking | #cybersecurity | #infosec | #comptia | #pentest | #ransomware | National Cyber Security Consulting
Securityaffairs (8 months ago): FBI warns of dual ransomware attacks