Karakurt

Malware updated 21 days ago (2024-08-23T20:19:22.011Z)
Karakurt is malicious software (malware) used by cybercriminals for data theft and extortion. It was revealed as the data extortion arm of the Conti cybercrime syndicate, with links to ITG23 affiliates. Karakurt has been associated with numerous attacks, including those carried out by Quantum, Royal, Zeon, BlackBasta, and others, and it has also been linked to the use of the Ligolo-NG tunneling tool via the Forest crypter. The malware gained prominence in 2023, when it accounted for a significant number of victims in the healthcare industry. The group behind Karakurt also maintained access to various crypters, indicating sustained capabilities in cybercrime.

The Karakurt group typically gives its victims one week to pay a ransom, which can range from $25,000 to $13 million in Bitcoin. Data theft extortion was the top observed threat in recent quarters, accounting for 30% of threats responded to by Talos IR, a 25% increase in such incidents compared to the previous quarter. To establish credibility and urgency, Karakurt actors often provide screenshots or copies of stolen file directories as evidence of compromised data. Upon receiving a ransom payment, they sometimes provide proof of file deletion and occasionally offer a brief explanation of the initial intrusion.

In a significant development, Deniss Zolotarjovs, a Russian national and active member of the Karakurt cybercrime gang, was charged in a U.S. court for his role in the group. Zolotarjovs was involved in communicating with other members, laundering cryptocurrency received from victims, and extorting victims. His arrest and extradition to the United States marked the first time a member of the Karakurt group has been apprehended. Prior to January 5, 2022, Karakurt operated a leaks and auction website, further highlighting the group's extensive cybercriminal activities.
Description last updated: 2024-08-23T20:15:44.407Z
Possible Aliases / Cluster overlaps
It is hard to track cluster overlaps and naming conventions between vendors, so here are some possibly overlapping names / profiles you may also want to look at.

ID (Votes): Profile Description

AvosLocker (4): AvosLocker is a type of malware, specifically ransomware, known for its malicious intent to exploit and damage computer systems. This software often infiltrates systems undetected through suspicious downloads, emails, or websites, subsequently causing disruption in operations, theft of personal info

Akira (2): Akira is a malicious software known for its persistent and damaging attacks on various systems. This ransomware has been active since at least 2023, as reported by Sophos, and it operates by infiltrating systems often through suspicious downloads, emails, or websites, encrypting data, and demanding
Miscellaneous Associations
Other elements of context that could aid in the identification of relevance
Bitcoin
Ransomware
Extortion
Ransom
Encryption
Cybercrime
Associated Malware
ID (Type, Votes): Profile Description

Conti (Unspecified, 4): Conti is a notorious malware and ransomware operation that has caused significant damage to computer systems worldwide. The Conti group, believed to have around 200 employees, operated like a regular business, with internal communications revealing the organization's structure and operations. It was

Lockbit (Unspecified, 3): LockBit is a prominent malware that has been causing havoc in the cyber world. It is a ransomware, a type of malicious software designed to exploit and damage systems, often infiltrating through suspicious downloads, emails, or websites. Once inside, it can steal personal information, disrupt operat

Hive (Unspecified, 3): Hive is a malicious software (malware) that has been used by the cybercriminal group, Hunters International, to launch ransomware attacks since October of last year. The group operates as a ransomware-as-a-service (RaaS) provider, spreading Hive rapidly through collaborations with less sophisticated

Clop (Unspecified, 2): Clop is a form of malware, specifically ransomware, known for its disruptive and damaging capabilities. It is designed to infiltrate systems through various means such as suspicious downloads, emails, or websites, often unbeknownst to the user. Once inside a system, Clop can steal personal informati

Blackbasta (Unspecified, 2): BlackBasta is a notorious malware entity known for its malicious software attacks, often in the form of ransomware. The group has been linked to various forms of malware, including IcedID, NetSupport, Gozi, PikaBot, Pushdo, Quantum, Royal, and Nokoyawa. BlackBasta's operations have been significant

Black Basta (Unspecified, 2): Black Basta is a notorious malware group known for its ransomware activities. The group has been active since at least early 2022, during which time it has accumulated an estimated $107 million in Bitcoin ransom payments. It leverages malicious software to infiltrate and exploit computer systems, of

Snatch (Unspecified, 2): Snatch is a type of malware, specifically a ransomware, that poses significant threats to digital security. This malicious software infiltrates systems typically via suspicious downloads, emails, or websites, often unbeknownst to the user. Once inside a system, Snatch can cause extensive damage, inc
Associated Threat Actors
ID (Type, Votes): Profile Description

Blackbyte (Unspecified, 2): BlackByte, a threat actor believed to be an offshoot of the notorious Conti group, has been observed by cybersecurity experts exploiting a recently disclosed VMware ESXi vulnerability (CVE-2024-37085) to gain control over virtual machines and escalate privileges within compromised environments. This

Bianlian (Unspecified, 2): BianLian is a significant threat actor within the cybersecurity landscape, known for its malicious activities and cyber-attacks. The group has been particularly active in exploiting bugs in JetBrains TeamCity, a popular continuous integration and deployment system used by software development teams.

Vice Society (Unspecified, 2): Vice Society, a threat actor group known for its malicious activities, has been linked to a series of ransomware attacks targeting various sectors, most notably education and healthcare. Throughout 2022 and the first half of 2023, Vice Society, along with Royal Ransomware, were actively executing mu
Source Document References
Information about the Karakurt malware was drawn from the documents corpus below. This display is limited to 20 results.

Source (Created): Title

BankInfoSecurity (21 days ago): Karakurt Ransomware Group Suspect Appears in US Courtroom
Securityaffairs (21 days ago): Member of cybercrime group Karakurt charged in the US
CERT-EU (8 months ago): Hstoday Joint Advisory by FBI, CISA, Treasury, and FinCEN Sheds Light on Karakurt Data Extortion Group’s Evolving Tactics | #hacking | #cybersecurity | #infosec | #comptia | #pentest | #ransomware | National Cyber Security Consulting
CERT-EU (8 months ago): Follow-On Extortion Campaign Targeting Victims of Akira and Royal Ransomware | #hacking | #cybersecurity | #infosec | #comptia | #pentest | #ransomware | National Cyber Security Consulting
CERT-EU (8 months ago): Hackers Impersonate as Security Researcher Aid Ransom Victims | #ransomware | #cybercrime | National Cyber Security Consulting
CERT-EU (8 months ago): Ransomware victims targeted in follow-on extortion attacks
CERT-EU (a year ago): Threat Spotlight: Triple Extortion Ransomware
CERT-EU (a year ago): Ransomware increases 64% in second quarter of 2023
CERT-EU (2 years ago): Critical infrastructure organizations the target of more than half of ransomware attacks
BankInfoSecurity (9 months ago): Ransomware Groups' Latest Tactic: Weaponized Marketing
CERT-EU (9 months ago): How ransomware gangs are engaging -- and using -- the media | #hacking | #cybersecurity | #infosec | #comptia | #pentest | #ransomware | National Cyber Security Consulting
MITRE (9 months ago): An In-Depth Look at Black Basta Ransomware
CERT-EU (a year ago): Encryption-less ransomware: Warning issued over emerging attack method for threat actors - TechCentral.ie
CERT-EU (a year ago): Data theft extortion rises, while healthcare is still most-targeted vertical in Talos IR engagements
CERT-EU (a year ago): Mass exploitation attempts against WS_FTP have begun
CERT-EU (a year ago): Time keeps on slippin’ slippin’ slippin’: The 2023 Active Adversary Report for Tech Leaders
CERT-EU (a year ago): Microsoft: Human-operated ransomware attacks tripled over past year
CERT-EU (a year ago): Zscaler uncovers increasing complexity and sophistication of ransomware | #hacking | #cybersecurity | #infosec | #comptia | #pentest | #ransomware | National Cyber Security Consulting
CERT-EU (a year ago): Ransomware research reveals 12 vulnerabilities newly associated with ransomware in Q1 2023
CERT-EU (a year ago): BianLian Ransomware: The Dangerous Shift Toward Pure Data Extortion