Karakurt

Malware updated a month ago (2024-10-17T13:02:12.129Z)
Download STIX
Preview STIX
Karakurt is a malicious software (malware) that has been linked to significant data extortion activities. The malware is affiliated with the notorious Conti cybercrime syndicate and ITG23, which are known for their disruptive operations, including data theft and ransom demands. In 2023, there was a notable increase in Karakurt victims from the healthcare industry, with the Full-time group Bianlian severely impacting 11 entities, followed by Lockbit and Karakurt affecting seven each. Other groups previously associated with ITG23, such as Karakurt, continue to operate, contributing to a 25 percent increase in data theft extortion incidents compared to the previous quarter. Karakurt's association with Conti is deep-seated, as evidenced by the crypto addresses identified as "Karakurt 1PLpQH3ntG," which received some ransoms paid to the group, including half of the first known Conti victim ransom payment in June 2020. Karakurt also hit a company based in Springfield, Missouri, in a shakedown in November 2021. However, due to the negative impact of their association with Conti on their returns, Karakurt members discussed changing their group's name to TommyLeaks, Schoolboys Ransomware Gang, and Blockbit in mid-2022. The FBI has been closely monitoring Karakurt's activities, using commercial cryptocurrency tracing software to track ransom payments. This led to the unmasking of one member after a bitcoin payment to Karakurt was traced back to a wallet owned by the individual. The Bureau also discovered that Karakurt used Rocket.Chat, an open-source communications platform, to coordinate their activities. Despite attempts to distance themselves from Conti, recent attacks using the new names have been publicly linked back to Karakurt and Conti, indicating the continued threat posed by this group.
Description last updated: 2024-10-17T12:05:29.256Z
What's your take? (Question 1 of 5)
Help tune the shared Cybergeist dataset, assist your peers, and earn karma. Expand the panel to get started.
Possible Aliases / Cluster overlaps
It's hard to track cluster overlaps and naming conventions between vendors, so here are some possible overlapping names / profiles you also may want to look at. Create a free account to see the source evidence for each alias, and help fix any errors.
Alias DescriptionVotes
AvosLocker is a possible alias for Karakurt. AvosLocker is a type of malware, specifically ransomware, known for its malicious intent to exploit and damage computer systems. This software often infiltrates systems undetected through suspicious downloads, emails, or websites, subsequently causing disruption in operations, theft of personal info
4
Akira is a possible alias for Karakurt. Akira is a potent ransomware that has been active since 2023, known for its aggressive encryption tactics and swift deployment. This malware, which brings a unique '80s aesthetic to the dark web, has quickly risen in prominence within the cybercrime landscape. It has targeted hundreds of victims glo
2
Miscellaneous Associations
Other elements of context that could aid in the identification of relevance
Bitcoin
Ransomware
Extortion
Ransom
Encryption
Cybercrime
Analyst Notes & Discussion
Be the first to leave your mark here! Log in to share your views and vote.
Associated Malware
To see the evidence that has resulted in these malware associations, create a free account
Alias DescriptionAssociation TypeVotes
The Conti Malware is associated with Karakurt. Conti is a type of malware, specifically ransomware, that infiltrates systems to exploit and damage them. Often spreading through suspicious downloads, emails, or websites, it can steal personal information, disrupt operations, or hold data hostage for ransom. Notably, Conti was linked to several raUnspecified
4
The Lockbit Malware is associated with Karakurt. LockBit is a malicious software, or malware, known for its damaging and exploitative functions. It infiltrates systems via dubious downloads, emails, or websites, often without the user's knowledge, and can steal personal information, disrupt operations, or hold data hostage for ransom. The LockBit Unspecified
3
The Hive Malware is associated with Karakurt. Hive is a form of malware, specifically ransomware, designed to exploit and damage computer systems. It infiltrates systems through suspicious downloads, emails, or websites, often without the user's knowledge. Once inside, Hive can steal personal information, disrupt operations, or hold data hostagUnspecified
3
The Clop Malware is associated with Karakurt. Clop, a malicious software (malware), is linked to a Russian-speaking cybercriminal group also known as Cl0p. It is designed to exploit and damage computer systems by stealing personal information, disrupting operations, or holding data hostage for ransom. In May 2023, the Clop group began exploitinUnspecified
2
The Blackbasta Malware is associated with Karakurt. BlackBasta is a notorious malware, particularly known for its ransomware attacks. The group behind it has been linked with other harmful software such as IcedID, NetSupport, Gozi, PikaBot, Pushdo, Quantum, Royal, and Nokoyawa. Artifacts and indicators of compromise (IoCs) suggest a possible relationUnspecified
2
The Black Basta Malware is associated with Karakurt. Black Basta is a notorious malware group known for its sophisticated ransomware attacks, which have targeted numerous high-profile entities. The group has demonstrated a remarkable ability to adapt their tactics, techniques, and procedures (TTPs), allowing them to effectively evade security defensesUnspecified
2
The Snatch Malware is associated with Karakurt. Snatch is a type of malware, specifically a ransomware, that poses significant threats to digital security. This malicious software infiltrates systems typically via suspicious downloads, emails, or websites, often unbeknownst to the user. Once inside a system, Snatch can cause extensive damage, incUnspecified
2
Associated Threat Actors
To see the evidence that has resulted in these threatActor associations, create a free account
Alias DescriptionAssociation TypeVotes
The Blackbyte Threat Actor is associated with Karakurt. BlackByte, a threat actor believed to be an offshoot of the notorious Conti group, has been observed by cybersecurity experts exploiting a recently disclosed VMware ESXi vulnerability (CVE-2024-37085) to gain control over virtual machines and escalate privileges within compromised environments. ThisUnspecified
2
The Bianlian Threat Actor is associated with Karakurt. BianLian is a threat actor group known for its malicious activities, primarily involving ransomware attacks. The group has been particularly active in 2024, exploiting bugs in JetBrains TeamCity software to launch its attacks. This method of attack has caused significant disruptions and data breacheUnspecified
2
The Vice Society Threat Actor is associated with Karakurt. Vice Society, a threat actor or hacking team with malicious intent, has been active since 2022 and has made significant waves in the cybersecurity world. The group is known for deploying various forms of ransomware, including BlackCat, Quantum Locker, Zeppelin, and their own branded variant of ZeppeUnspecified
2
Source Document References
Information about the Karakurt Malware was read from the documents corpus below. This display is limited to 20 results, create a free account to see more
PreviewSource LinkCreatedAtTitle
BankInfoSecurity
3 months ago
Securityaffairs
3 months ago
CERT-EU
10 months ago
CERT-EU
10 months ago
CERT-EU
10 months ago
CERT-EU
10 months ago
CERT-EU
2 years ago
CERT-EU
a year ago
CERT-EU
2 years ago
BankInfoSecurity
a year ago
CERT-EU
a year ago
MITRE
a year ago
CERT-EU
a year ago
CERT-EU
a year ago
CERT-EU
a year ago
CERT-EU
a year ago
CERT-EU
a year ago
CERT-EU
a year ago
CERT-EU
2 years ago
CERT-EU
2 years ago