Karakurt Ransomware: Everything About The Extortion Group

In this article, we’ll explain the elusive threat posed by the Karakurt data extortion group, an emerging ransomware gang also recognized as the Karakurt Team and Karakurt Lair. Here you can learn how to prepare your business against this cyber threat with preventive measures, understand the importance of backups, and recognize the role of malware recovery services.

SalvageData experts recommend proactive data security measures, such as regular backups, strong cybersecurity practices, and keeping software up to date, to protect against malware attacks. And, in case of a malware attack, contact our malware recovery experts immediately.

What kind of threat is Karakurt?

The Karakurt is a ransomware gang that employs various tactics, techniques, and procedures (TTPs), posing challenges to defense and mitigation efforts. Instead of encrypting compromised machines or files, as most ransomware does, Karakurt actors claim to steal data and threaten to auction or release it publicly unless a ransom is paid. Ransom demands, typically in Bitcoin, range from $25,000 to $13,000,000, with payment deadlines within a week of initial contact.

Everything we know about Karakurt ransomware

Confirmed Name

• Karakurt virus

Threat Type

• Ransomware
• Extortion
• Data leak

Detection names

• Avast Win64:Malware-gen
• Emsisoft Gen:Variant.Lazy.198080 (B)
• Kaspersky Trojan.Win64.Shelma.uja
• Malwarebytes Malware.AI.4116296864
• Microsoft VirTool:Win64/CobaltStrike.A

Distribution methods

• Outdated SonicWall VPN appliances
• Phishing
• Apache Logging Services vulnerability
• Malicious macros
• Stolen virtual private network (VPN) credentials
• Stolen Remote Desktop Protocol (RDP) credentials
• Outdated Fortinet FortiGate SSL VPN
• Outdated Microsoft Windows Server

Consequences

• Open door for new infections
• Data leakage

Karakurt Ransomware methods of infection and execution

Karakurt actors present proof of stolen data, often through screenshots or copies of file directories. They go beyond targeting the victim by contacting employees, business partners, and clients with harassing emails and phone calls, pressuring cooperation. These communications include examples of stolen data, such as social security numbers and payment accounts. Upon ransom payment, Karakurt actors offer evidence of file deletion and occasionally provide insights into the initial intrusion.

Until January 5, 2022, the group operated a leaks and auction website at https://karakurt[.]group. Although the original domain and IP address went offline in spring 2022, the website reportedly exists in the deep and dark web. As of May 2022, it housed terabytes of data from North American and Europe victims, “press releases” naming non-cooperating victims, and instructions for participating in data auctions.

Initial access

Karakurt exhibits a lack of specific targeting, focusing on obtaining access to victim devices through multiple means. This includes purchasing stolen login credentials, collaborating with cybercrime partners to access compromised victims, or acquiring access via third-party intrusion brokers. Intrusion brokers are individuals or groups who gain initial access to protected computer systems, establishing marketable persistence and selling this access to other cybercriminals.

Common vulnerabilities exploited during initial access include:

Outdated SonicWall SSL VPN Appliances

These appliances are vulnerable to multiple recent CVEs (Common Vulnerabilities and Exposures), critical vulnerabilities that allow remote code execution. Attackers exploit these weaknesses to gain unauthorized access.

Log4j Vulnerabilities (CVE-2021-44228)

The Log4Shell vulnerability in the Apache Logging Services (Log4j) allows attackers to execute arbitrary code remotely. Karakurt leverages this vulnerability for initial access.

Phishing Attacks

Phishing involves deceptive emails or messages that trick recipients into revealing sensitive information or clicking on malicious links.

Karakurt actors use phishing and spearphishing techniques to trick victims into revealing sensitive information or clicking on malicious links.

Malicious Macros in Email Attachments

Karakurt spreads via email attachments containing malicious macros, malicious scripts embedded in files (e.g., Word documents). When victims open these attachments, the macros execute code that grants the attacker access.

Stolen VPN or RDP Credentials

The ransomware group targets Virtual Private Network (VPN) or Remote Desktop Protocol (RDP) credentials. If these credentials are compromised, attackers gain direct access to the victim’s network.

Vulnerabilities in Fortinet FortiGate SSL VPN Appliances or Microsoft Windows Server Instances

Exploiting known vulnerabilities in Fortinet FortiGate SSL VPN appliances or Microsoft Windows Server instances allows Karakurt to infiltrate networks.

Persistence and Exfiltration

Once within a compromised system, Karakurt employs Cobalt Strike beacons for network enumeration, Mimikatz for retrieving plain-text credentials, AnyDesk for persistent remote control, and additional tools to escalate privileges and move laterally within the network. Subsequently, they use tools like 7zip, Filezilla, rclone, and Mega.nz to compress and exfiltrate large amounts of data, often exceeding 1 terabyte, from network-connected shared drives.

Extortion

After data exfiltration, Karakurt initiates an extortion phase. Victims receive ransom notes through “readme.txt” files, emails sent via compromised email networks, and external email accounts. Victims report extensive harassment campaigns, with employees, partners, and clients receiving warnings to encourage negotiation.

The gang has targeted victims simultaneously attacked by other ransomware variants or previously attacked victims, indicating the potential purchase of stolen data. The group has been known to exaggerate the extent of compromise and data value, making false claims about the volume of stolen data or its ownership. The U.S. government strongly advises against paying ransoms to Karakurt or any cybercriminals promising file deletion in exchange for payment.

Do not pay the ransom! Contacting a ransomware recovery service can not only restore your files but also remove any potential threat.

Karakurt ransomware Indicators of Compromise (IOCs)

Indicators of Compromise (IOCs) are artifacts observed on a network or in an operating system that indicate a computer intrusion with high confidence. IOCs can be used for early detection of future attack attempts using intrusion detection systems and antivirus software.

They are essentially digital versions of evidence left at a crime scene, and potential IOCs include unusual network traffic, privileged user logins from foreign countries, strange DNS requests, system file changes, and more. When an IOC is detected, security teams evaluate possible threats or validate its authenticity. IOCs also provide evidence of what an attacker had access to if they did infiltrate the network.

Karakurt ransom note

The Karakurt extortion notes threaten public release or auction of the stolen data. Victims are directed to a TOR URL with an access code, enabling negotiation through a chat application.

Negotiating victims receive “proof of life,” such as screenshots or copies of allegedly stolen data. Upon agreement on the ransom amount, the threat actors provide a new Bitcoin address for payment. Upon receiving the ransom, alleged proof of file deletion is provided, such as screen recordings or deletion logs. While Karakurt’s leverage lies in promising data deletion and confidentiality, victims have reported breaches of confidentiality post-payment.

How to handle a Karakurt ransomware attack

The first step to recovering from a Karakurt ransomware attack is to isolate the infected computer by disconnecting it from the internet and removing any connected device. Then, you must contact local authorities. In the case of US residents and businesses, it is the FBI and the Internet Crime Complaint Centre (IC3).

To report a malware attack you must gather every information you can about it, including:

• Screenshots of the ransom note
• Communications with threat actors (if you have them)
• A sample of an encrypted file

However, if you prefer to contact professionals, then it’s best to leave every infected machine the way it is and ask for an emergency ransomware removal service. These professionals are equipped to quickly mitigate the damage, gather evidence, potentially reverse the encryption, and restore the system.

Restarting or shutting down the system may compromise the recovery service. Capturing the RAM of a live system may help get the encryption key, and catching a dropper file, such as a file executing the malicious payload, might be reverse-engineered and lead to decryption of the data or understanding how it operates.

You must not delete the ransomware, and keep every evidence of the attack. That’s important for digital forensics experts to trace back to the hacker group and identify them. It is by using the data on your infected system that authorities can investigate the attack. A cyber attack investigation is not different from any other criminal investigation: it needs evidence to find the attackers.

1. Contact your Incident Response provider

A Cyber Incident Response is the process of responding to and managing a cybersecurity incident. An Incident Response Retainer is a service agreement with a cybersecurity provider that allows organizations to get external help with cybersecurity incidents. It provides organizations with a structured form of expertise and support through a security partner, enabling them to respond quickly and effectively during a cyber incident.

An incident response retainer offers peace of mind to organizations, offering expert support before and in the aftermath of a cybersecurity incident. An incident response retainer’s specific nature and structure will vary according to the provider and the organization’s requirements. A good incident response retainer should be robust but flexible, providing proven services to enhance an organization’s long-term security posture.

If you contact your IR service provider, they can take over immediately and guide you through every step in the ransomware recovery. However, if you decide to remove the malware yourself and recover the files with your IT team, then you can follow the next steps.

2. Use a backup to restore the data

The importance of backup for data recovery cannot be overstated, especially in the context of various potential risks and threats to data integrity.

Backups are a critical component of a comprehensive data protection strategy. They provide a means to recover from a variety of threats, ensuring the continuity of operations and preserving valuable information. In the face of ransomware attacks, where malicious software encrypts your data and demands payment for its release, having a backup allows you to restore your information without succumbing to the attacker’s demands.

Make sure to regularly test and update your backup procedures to enhance their effectiveness in safeguarding against potential data loss scenarios. There are several ways to make a backup, so you must choose the right backup medium and have at least one copy of your data stored offsite and offline.

3. Contact a malware recovery service

If you don’t have a backup or need help removing the malware and eliminating vulnerabilities, contact a data recovery service. Paying the ransom does not guarantee your data will be returned to you. The only guaranteed way you can restore every file is if you have a backup. If you don’t, ransomware data recovery services can help you decrypt and recover the files.

SalvageData experts can safely restore your files and prevent Karakurt ransomware from attacking your network again, contact our recovery experts 24/7.

Prevent the Karakurt ransomware attack

Preventing malware is the best solution for data security. is easier and cheaper than recovering from them. A ransomware attack can cost your business’s future and even close its doors.

These are a few tips to ensure you can avoid malware attacks:

• Keep your operating system and software up-to-date with the latest security patches and updates. This can help prevent vulnerabilities that can be exploited by attackers.
• Use strong and unique passwords for all accounts and enable two-factor authentication whenever possible. This can help prevent attackers from gaining access to your accounts.
• Be cautious of suspicious emails, links, and attachments. Do not open emails or click on links or attachments from unknown or suspicious sources.
• Use reputable antivirus and anti-malware software and keep it up-to-date. This can help detect and remove malware before it can cause damage.
• Use a firewall to block unauthorized access to your network and systems.
• Network segmentation to divide a larger network into smaller sub-networks with limited interconnectivity between them. It restricts attacker lateral movement and prevents unauthorized users from accessing the organization’s intellectual property and data.
• Limit user privileges to prevent attackers from gaining access to sensitive data and systems.

Educate employees and staff on how to recognize and avoid phishing emails and other social engineering attacks.