Karakurt

Malware Profile (updated 3 months ago)
Karakurt is a notorious malware and data extortion group, previously affiliated with ITG23, known for its sophisticated tactics, techniques, and procedures (TTPs). The group's operations involve stealing sensitive data from compromised systems and demanding ransoms ranging from $25,000 to a staggering $13 million in Bitcoin. Unlike typical ransomware attacks, victims of Karakurt have not reported the encryption of compromised machines or files. Instead, they have been provided with screenshots or copies of stolen file directories as evidence of the breach. In some instances, upon receiving ransom payments, Karakurt actors have provided proof of file deletion and brief explanations of the initial intrusion.

The year 2023 saw a significant rise in data theft extortion incidents, with Karakurt featuring prominently alongside other groups like Clop and RansomHouse. This type of cyber threat accounted for 30 percent of all threats responded to by Talos IR, marking a 25 percent increase compared to the previous quarter. Notably, healthcare industry victims surged in April, with Karakurt accounting for seven victims. Prior to January 5, 2022, Karakurt operated a leaks and auction website, further highlighting its extensive involvement in data extortion.

In response to the growing threat posed by Karakurt, U.S. agencies including the Federal Bureau of Investigation (FBI), the Cybersecurity and Infrastructure Security Agency (CISA), the Department of the Treasury (Treasury), and the Financial Crimes Enforcement Network (FinCEN) have issued a comprehensive Cybersecurity Advisory (CSA) to raise awareness about the group. Furthermore, research published in 2021 revealed Karakurt's re-extortion attempts on victims that had previously been targeted in ransomware attacks by another cybercrime syndicate, Conti. Such follow-on extortion attempts are not new in attacks associated with Conti and Karakurt, indicating an evolving and persistent cyber threat landscape.
Possible Aliases / Cluster overlaps
It's hard to track cluster overlaps and naming conventions between vendors, so here are some possible overlapping names / profiles you also may want to look at.
ID | Votes | Profile Description
AvosLocker | 3 | AvosLocker is a type of malware, specifically a ransomware, that has been causing significant issues across the digital landscape. Ransomware is a form of malicious software designed to exploit and damage computer systems, often infiltrating through suspicious downloads, emails, or websites without
Zeon | 1 | Zeon, a known threat actor in the cybersecurity landscape, has been linked to several high-profile ransomware attacks. It was instrumental in crypting SVCReady and CargoBay loaders, observed in Quantum and Royal ransomware attacks respectively. Zeon has also employed third-party ransomware such as B
Miscellaneous Associations
Other elements of context that could aid in the identification of relevance
Ransomware
Bitcoin
Extortion
Ransom
Cybercrime
Encryption
Data Leak
Treasury
Phishing
MOVEit
SonicWall
Telegram
Microsoft
Sophos
APT
Malware
Zscaler
UK
Crypter
Talos
Associated Malware
ID | Type | Votes | Profile Description
Conti | Unspecified | 4 | Conti is a type of malware, specifically ransomware, known for its ability to disrupt operations, steal personal information, and hold data hostage for ransom. The malicious software infiltrates systems via suspicious downloads, emails, or websites, often unbeknownst to the user. It has been used in
Lockbit | Unspecified | 3 | LockBit is a type of malware, specifically ransomware, that infiltrates systems to exploit and damage them. It can enter your system through various channels such as suspicious downloads, emails, or websites, often without the user's knowledge. Once inside, it can steal personal information, disrupt
Hive | Unspecified | 3 | Hive is a malicious software, or malware, that infiltrates systems to exploit and damage them. This malware has been associated with Volt Typhoon, who exfiltrated NTDS.dit and SYSTEM registry hive to crack passwords offline. The Hive operation was primarily involved in port scanning, credential thef
Blackbasta | Unspecified | 2 | BlackBasta is a malicious software (malware) known for its disruptive and damaging effects on computer systems. It infiltrates systems through suspicious downloads, emails, or websites, often without the user's knowledge. Once inside, it can steal personal information, disrupt operations, or even ho
Snatch | Unspecified | 2 | Snatch is a type of malware, specifically ransomware, designed to infiltrate systems undetected, often through suspicious downloads, emails, or websites. Once inside the system, it can wreak havoc by stealing personal information, disrupting operations, or holding data hostage for ransom. The Snatch
Black Basta | Unspecified | 2 | Black Basta is a notorious malware entity known for its devastating ransomware attacks. First emerging in June 2022, the group has since been associated with a series of high-profile cyber-attacks worldwide. This malware, like others, infiltrates systems through suspicious downloads, emails, or webs
Clop | Unspecified | 2 | Clop is a notorious malware, short for malicious software, known for its disruptive and damaging effects on computer systems. It primarily infiltrates systems through suspicious downloads, emails, or websites, often unbeknownst to the user. Once inside, Clop can steal personal information, disrupt o
REvil | Unspecified | 1 | REvil is a notorious form of malware, specifically ransomware, that infiltrates systems to disrupt operations and steal data. The ransomware operates on a Ransomware as a Service (RaaS) model, which gained traction in 2020. In this model, REvil, like other first-stage malware such as Dridex and Goot
Diavol | Unspecified | 1 | Diavol is a type of malware, specifically ransomware, that infiltrates systems to exploit and cause damage. It can infect systems through various channels such as suspicious downloads, emails, or websites, often unbeknownst to the user. Once inside, Diavol can steal personal information, disrupt ope
Akira | Unspecified | 1 | Akira is a malicious software, or malware, specifically a type of ransomware known for its disruptive and damaging effects. First surfacing in late 2023, it has continued to wreak havoc on various entities, including corporations and industries. This ransomware infects systems through suspicious dow
Bazarloader | Unspecified | 1 | BazarLoader is a form of malware that has been utilized extensively by ITG23, a cybercriminal group. This harmful software infiltrates systems via suspicious downloads, emails, or websites, potentially stealing personal information, disrupting operations, or holding data for ransom. ITG23 has used B
Bazarbackdoor | Unspecified | 1 | BazarBackdoor is a type of malware developed by ITG23, first identified in April 2020. It is commonly distributed via contact forms on corporate websites, bypassing regular phishing emails, which makes it harder to detect. The malware is often associated with BazarLoader, both of which were used ext
QakBot | Unspecified | 1 | Qakbot is a potent malware, a malicious software designed to exploit and damage computer systems. It can infiltrate systems through suspicious downloads, emails, or websites, often without the user's knowledge. Once inside, it has the potential to steal personal information, disrupt operations, or e
Forest | Unspecified | 1 | Forest is a potent malware that leverages the Golden Ticket, an authentication ticket (TGT), to gain domain-wide access. It exploits the TGT to acquire service tickets (TGS) used for accessing resources across the entire domain and the Active Directory (AD) forest by leveraging SID History. The malw
Babuk | Unspecified | 1 | Babuk is a type of malware, specifically ransomware, which is designed to infiltrate systems and hold data hostage for ransom. It can be delivered through suspicious downloads, emails, or websites, often without the user's knowledge. Once inside a system, Babuk can disrupt operations and steal perso
Associated Threat Actors
ID | Type | Votes | Profile Description
Blackbyte | Unspecified | 2 | BlackByte, a threat actor known for its malicious activities, has been on the radar of cybersecurity agencies since its emergence in July 2021. Notorious for targeting critical infrastructure, BlackByte attracted the attention of the Federal Bureau of Investigation (FBI) and the US Secret Service (U
Vice Society | Unspecified | 2 | Vice Society, a threat actor group known for its malicious activities, has been linked to a series of ransomware attacks targeting various sectors, most notably education and healthcare. Throughout 2022 and the first half of 2023, Vice Society, along with Royal Ransomware, were actively executing mu
Bianlian | Unspecified | 2 | BianLian is a threat actor that has been increasingly active in cybercrimes. The group is known for its malicious activities, including the execution of actions with harmful intent. In a series of recent events, BianLian has exploited vulnerabilities in JetBrains TeamCity, a continuous integration a
ITG23 | Unspecified | 1 | ITG23, also known as the Trickbot/Conti syndicate, is a significant threat actor that has been active since 2016 in the East European cybercrime arena. This group is renowned for its use of Reflective DLL Injection code in many of its crypters, with the presence of these crypters on a file sample be
Scattered Spider | Unspecified | 1 | Scattered Spider is a prominent threat actor group involved in cybercrime activities with malicious intent. The group employs various tactics to compromise its targets, including phishing for login credentials, searching SharePoint repositories for sensitive information, and exploiting infrastructur
Alphv | Unspecified | 1 | AlphV, also known as BlackCat, is a notable threat actor in the cybersecurity landscape. This group has been involved in numerous high-profile attacks, including stealing 5TB of data from Morrison Community Hospital and compromising Clarion, a global manufacturer of audio and video equipment for car
Rhysida | Unspecified | 1 | Rhysida, a threat actor known for executing malicious cyber activities, has been responsible for numerous ransomware attacks. The group has primarily targeted businesses and healthcare organizations, with notable instances including a disruptive attack on Ann & Robert H. Lurie Children's Hospital of
Lapsus | Unspecified | 1 | Lapsus is a significant threat actor that has been active since its inception in early 2022. The group gained notoriety for its cyberattacks, including a high-profile breach of Nvidia, an American multinational technology company, in the same year. This attack led to the leak of thousands of passwor
Associated Vulnerabilities
ID | Type | Votes | Profile Description
Lockbit Medusa Vice Society | Unspecified | 1 | None
Source Document References
Information about the Karakurt malware was read from the documents corpus below. This display is limited to 20 results.
Source | Created At | Title
CERT-EU | 6 months ago | Hstoday Joint Advisory by FBI, CISA, Treasury, and FinCEN Sheds Light on Karakurt Data Extortion Group’s Evolving Tactics | #hacking | #cybersecurity | #infosec | #comptia | #pentest | #ransomware | National Cyber Security Consulting
CERT-EU | 6 months ago | Follow-On Extortion Campaign Targeting Victims of Akira and Royal Ransomware | #hacking | #cybersecurity | #infosec | #comptia | #pentest | #ransomware | National Cyber Security Consulting
CERT-EU | 6 months ago | Hackers Impersonate as Security Researcher Aid Ransom Victims | #ransomware | #cybercrime | National Cyber Security Consulting
CERT-EU | 7 months ago | Ransomware victims targeted in follow-on extortion attacks
CERT-EU | a year ago | Threat Spotlight: Triple Extortion Ransomware
CERT-EU | a year ago | Ransomware increases 64% in second quarter of 2023
CERT-EU | a year ago | Critical infrastructure organizations the target of more than half of ransomware attacks
BankInfoSecurity | 7 months ago | Ransomware Groups' Latest Tactic: Weaponized Marketing
CERT-EU | 7 months ago | How ransomware gangs are engaging -- and using -- the media | #hacking | #cybersecurity | #infosec | #comptia | #pentest | #ransomware | National Cyber Security Consulting
MITRE | 7 months ago | An In-Depth Look at Black Basta Ransomware
CERT-EU | a year ago | Encryption-less ransomware: Warning issued over emerging attack method for threat actors - TechCentral.ie
CERT-EU | a year ago | Data theft extortion rises, while healthcare is still most-targeted vertical in Talos IR engagements
CERT-EU | 10 months ago | Mass exploitation attempts against WS_FTP have begun
CERT-EU | 10 months ago | Time keeps on slippin’ slippin’ slippin’: The 2023 Active Adversary Report for Tech Leaders
CERT-EU | 10 months ago | Microsoft: Human-operated ransomware attacks tripled over past year
CERT-EU | a year ago | Zscaler uncovers increasing complexity and sophistication of ransomware | #hacking | #cybersecurity | #infosec | #comptia | #pentest | #ransomware | National Cyber Security Consulting
CERT-EU | a year ago | Ransomware research reveals 12 vulnerabilities newly associated with ransomware in Q1 2023
CERT-EU | a year ago | BianLian Ransomware: The Dangerous Shift Toward Pure Data Extortion
CERT-EU | a year ago | 2023 Ransomware Attacks: First-Quarter Highlights
SecurityIntelligence.com | a year ago | The Trickbot/Conti Crypters: Where Are They Now?