Karakurt

Malware updated 15 days ago (2024-08-23T20:19:22.011Z)
Karakurt is malicious software (malware) used by cybercriminals for data theft and extortion. It was revealed as the data extortion arm of the Conti cybercrime syndicate, with links to ITG23 affiliates. Karakurt has been associated with numerous attacks, including those carried out by Quantum, Royal, Zeon, BlackBasta, and others, and has been linked to the use of the Ligolo-NG tunneling tool via the Forest crypter. It gained prominence in 2023, when it accounted for a significant number of victims in the healthcare industry. The group behind Karakurt also maintained access to various crypters, indicating sustained capability.

The Karakurt group typically gives its victims one week to pay a ransom, which ranges from $25,000 to $13 million in Bitcoin. This form of data theft extortion was the top observed threat in recent quarters, accounting for 30% of threats responded to by Talos IR, a 25% increase in such incidents compared to the previous quarter. To establish credibility and urgency, Karakurt actors often provide screenshots or copies of stolen file directories as evidence of compromise. After receiving payment, they sometimes provide proof of file deletion and occasionally a brief explanation of the initial intrusion. Prior to January 5, 2022, Karakurt operated a leaks and auction website.

In a significant development, Deniss Zolotarjovs, a Russian national and active member of the Karakurt cybercrime gang, was charged in a U.S. court for his role in the group. Zolotarjovs communicated with other members, laundered cryptocurrency received from victims, and extorted victims. His arrest and extradition to the United States marked the first time a member of the Karakurt group has been apprehended.
Description last updated: 2024-08-23T20:15:44.407Z
Possible Aliases / Cluster overlaps
It's hard to track cluster overlaps and naming conventions between vendors, so here are some possible overlapping names / profiles you also may want to look at.
Profile (votes): description

AvosLocker (4 votes): AvosLocker is a type of malware, specifically ransomware, known for its malicious intent to exploit and damage computer systems. This software often infiltrates systems undetected through suspicious downloads, emails, or websites, subsequently causing disruption in operations, theft of personal info

Akira (2 votes): Akira is a malicious software or malware that has been causing significant damage to various organizations and systems worldwide. The ransomware, known for its persistent and harmful attacks, has successfully infiltrated numerous systems, often without the knowledge of the users, disrupting operatio
Miscellaneous Associations
Other elements of context that could aid in the identification of relevance
Bitcoin
Ransomware
Extortion
Ransom
Encryption
Cybercrime
Associated Malware
Profile (association type, votes): description

Conti (Unspecified, 4 votes): Conti is a notorious malware and ransomware operation that has caused significant damage to computer systems worldwide. The Conti group, believed to have around 200 employees, operated like a regular business, with internal communications revealing the organization's structure and operations. It was

Lockbit (Unspecified, 3 votes): LockBit is a malicious software, or malware, that has been notably active and damaging in the cyber world. Known for its ability to infiltrate systems often without detection, it can steal personal information, disrupt operations, and even hold data hostage for ransom. In the first half of 2024, Loc

Hive (Unspecified, 3 votes): Hive is a malicious software (malware) that has been used by the cybercriminal group, Hunters International, to launch ransomware attacks since October of last year. The group operates as a ransomware-as-a-service (RaaS) provider, spreading Hive rapidly through collaborations with less sophisticated

Clop (Unspecified, 2 votes): Clop, also known as Cl0p, is a notorious ransomware group responsible for several high-profile cyberattacks. The group specializes in exploiting vulnerabilities in software and systems to gain unauthorized access, exfiltrate sensitive data, and then extort victims by threatening to release the stole

Blackbasta (Unspecified, 2 votes): BlackBasta is a notorious malware, specifically ransomware, that has been associated with several high-profile cyber-attacks. This malicious software infiltrates systems through suspicious downloads, emails, or websites, often unbeknownst to the user. Once inside, it can steal personal information,

Black Basta (Unspecified, 2 votes): Black Basta is a notorious malware group known for its ransomware activities. The group has been active since at least early 2022, during which time it has accumulated an estimated $107 million in Bitcoin ransom payments. It leverages malicious software to infiltrate and exploit computer systems, of

Snatch (Unspecified, 2 votes): Snatch is a type of malware, specifically a ransomware, that poses significant threats to digital security. This malicious software infiltrates systems typically via suspicious downloads, emails, or websites, often unbeknownst to the user. Once inside a system, Snatch can cause extensive damage, inc
Associated Threat Actors
Profile (association type, votes): description

Blackbyte (Unspecified, 2 votes): BlackByte, a threat actor believed to be an offshoot of the notorious Conti group, has been observed by cybersecurity experts exploiting a recently disclosed VMware ESXi vulnerability (CVE-2024-37085) to gain control over virtual machines and escalate privileges within compromised environments. This

Bianlian (Unspecified, 2 votes): BianLian is a significant threat actor within the cybersecurity landscape, known for its malicious activities and cyber-attacks. The group has been particularly active in exploiting bugs in JetBrains TeamCity, a popular continuous integration and deployment system used by software development teams.

Vice Society (Unspecified, 2 votes): Vice Society, a threat actor group known for its malicious activities, has been linked to a series of ransomware attacks targeting various sectors, most notably education and healthcare. Throughout 2022 and the first half of 2023, Vice Society, along with Royal Ransomware, were actively executing mu
Source Document References
Information about the Karakurt malware was read from the document corpus below. This display is limited to 20 results.

Source (created): title

BankInfoSecurity (15 days ago): Karakurt Ransomware Group Suspect Appears in US Courtroom
Securityaffairs (15 days ago): Member of cybercrime group Karakurt charged in the US
CERT-EU (8 months ago): Hstoday Joint Advisory by FBI, CISA, Treasury, and FinCEN Sheds Light on Karakurt Data Extortion Group's Evolving Tactics | #hacking | #cybersecurity | #infosec | #comptia | #pentest | #ransomware | National Cyber Security Consulting
CERT-EU (8 months ago): Follow-On Extortion Campaign Targeting Victims of Akira and Royal Ransomware | #hacking | #cybersecurity | #infosec | #comptia | #pentest | #ransomware | National Cyber Security Consulting
CERT-EU (8 months ago): Hackers Impersonate as Security Researcher Aid Ransom Victims | #ransomware | #cybercrime | National Cyber Security Consulting
CERT-EU (8 months ago): Ransomware victims targeted in follow-on extortion attacks
CERT-EU (a year ago): Threat Spotlight: Triple Extortion Ransomware
CERT-EU (a year ago): Ransomware increases 64% in second quarter of 2023
CERT-EU (2 years ago): Critical infrastructure organizations the target of more than half of ransomware attacks
BankInfoSecurity (9 months ago): Ransomware Groups' Latest Tactic: Weaponized Marketing
CERT-EU (9 months ago): How ransomware gangs are engaging -- and using -- the media | #hacking | #cybersecurity | #infosec | #comptia | #pentest | #ransomware | National Cyber Security Consulting
MITRE (9 months ago): An In-Depth Look at Black Basta Ransomware
CERT-EU (a year ago): Encryption-less ransomware: Warning issued over emerging attack method for threat actors - TechCentral.ie
CERT-EU (a year ago): Data theft extortion rises, while healthcare is still most-targeted vertical in Talos IR engagements
CERT-EU (a year ago): Mass exploitation attempts against WS_FTP have begun
CERT-EU (a year ago): Time keeps on slippin' slippin' slippin': The 2023 Active Adversary Report for Tech Leaders
CERT-EU (a year ago): Microsoft: Human-operated ransomware attacks tripled over past year
CERT-EU (a year ago): Zscaler uncovers increasing complexity and sophistication of ransomware | #hacking | #cybersecurity | #infosec | #comptia | #pentest | #ransomware | National Cyber Security Consulting
CERT-EU (a year ago): Ransomware research reveals 12 vulnerabilities newly associated with ransomware in Q1 2023
CERT-EU (a year ago): BianLian Ransomware: The Dangerous Shift Toward Pure Data Extortion