March 31, 2025

Karakurt Extortion Group


[Image: A menacing spider crawling over documents, symbolizing the stealthy nature of Karakurt's data theft operations.]

In the ever-evolving landscape of cyber threats, understanding the actors behind the attacks is as crucial as understanding the malware they deploy. One such entity that gained significant notoriety, particularly during 2022, is the Karakurt Extortion Group, sometimes also known as the Karakurt Team or Karakurt Lair. Unlike traditional ransomware gangs that focus on encrypting victim data, Karakurt specializes purely in data theft and subsequent extortion. They infiltrate networks, steal sensitive information, and then pressure victims into paying hefty ransoms under the threat of auctioning the data or releasing it publicly. This profile aims to provide security professionals with a comprehensive understanding of Karakurt's origins, tactics, targets, and effective defense strategies, drawing upon intelligence from various cybersecurity agencies and researchers.

Origins & Evolution

Discovery and Emergence: Karakurt emerged on the cybercrime scene around mid-2021 (specifically noted around August 2021). They quickly distinguished themselves by their unique modus operandi: data exfiltration followed by extortion, without deploying file-encrypting ransomware. Their activities prompted alerts from cybersecurity agencies, including a joint advisory from CISA, the FBI, the Department of Treasury, and FinCEN, highlighting the significant threat they posed.

Suspected Affiliations and Links: Significant research, including forensic investigations by firms like Tetra Defense and blockchain analysis by Chainalysis, has uncovered strong evidence suggesting operational links between Karakurt and the prolific Conti ransomware syndicate (tracked as GOLD ULRICK by some researchers). Evidence includes:

  • Shared Infrastructure: Instances where Karakurt used the same Cobalt Strike backdoors previously deployed by Conti in victim networks.

  • Overlapping TTPs: Similar tools and methods for exfiltration (e.g., WinSCP, creation of file-tree.txt manifests) and identical attacker hostnames observed in attacks linked to both groups.

  • Financial Connections: Direct cryptocurrency transactions identified between Karakurt-controlled wallets and Conti-associated wallets. Crucially, analysis revealed Karakurt victim payment addresses being hosted within the same cryptocurrency wallets that also held addresses used for Conti ransomware payments, indicating a shared financial infrastructure.

  • Diavol Links: Similar infrastructure and financial overlaps were also observed connecting Conti and the Diavol ransomware, with the Conti Leaks further suggesting Conti leadership oversaw Diavol's development. Karakurt's parallel emergence and similar links point towards it being part of Conti's broader operational ecosystem.

It's theorized that Karakurt may have represented a strategic diversification by the Conti group, possibly to enhance operational resilience, evade law enforcement scrutiny focused on ransomware encryption, or test alternative monetization models centered purely on data theft. While Karakurt operated with a degree of autonomy, the evidence points strongly towards it being, at minimum, a closely affiliated entity within the Conti sphere.

Evolution and Activity: Karakurt was highly active throughout 2022, claiming numerous victims across various sectors globally. Their dedicated leak site (initially karakurt[.]group, later moved to the dark web; it reportedly went offline in spring 2022, though the group's activity continued) listed victims, featured "press releases" shaming non-payers, and provided instructions for data auctions. Activity appeared to decline in 2023, potentially impacted by law enforcement actions, including the arrest and subsequent extradition to the U.S. of a Latvian national in December 2023, charged in connection with Karakurt's activities. Despite this decline, speculation remains that former members may have transitioned to working as affiliates for other data theft or ransomware operations, highlighting the fluid nature of the cybercrime ecosystem.

Tactics & Techniques

Karakurt employs a multi-stage approach focused on gaining access, establishing persistence, harvesting credentials, exfiltrating large volumes of data, and finally, executing an aggressive extortion campaign.

Initial Access: Karakurt often appears opportunistic in its targeting, gaining initial footholds through various methods:

  • Exploiting Vulnerabilities: Targeting known vulnerabilities in internet-facing devices, particularly VPN appliances. Commonly exploited systems include outdated Fortinet FortiGate SSL VPNs/firewalls, SonicWall SSL VPNs (multiple CVEs cited in reports), and potentially Cisco AnyConnect VPNs (especially those lacking multi-factor authentication). The Log4j "Log4Shell" vulnerability (CVE-2021-44228) was also leveraged.

  • Stolen Credentials: Purchasing valid VPN or Remote Desktop Protocol (RDP) credentials from dark web marketplaces or initial access brokers.

  • Phishing: Utilizing phishing and spearphishing emails, sometimes containing malicious macros in attachments.

  • Partnerships: Collaborating with other cybercriminals who already possess access to target networks.

Network Reconnaissance, Persistence, and Lateral Movement: Once inside a network, Karakurt operators typically deploy legitimate tools and "living-off-the-land" techniques to explore the environment and escalate privileges:

  • Command and Control/Reconnaissance: Cobalt Strike beacons are commonly used for network enumeration, C2 communications, and lateral movement.

  • Credential Harvesting: Mimikatz is frequently employed to dump credentials from memory, enabling further access and privilege escalation.

  • Persistence & Remote Access: Tools like AnyDesk are installed to maintain persistent remote control over compromised systems. Legitimate RDP is also heavily used.

  • Privilege Escalation: Various situation-dependent tools and techniques are used to gain higher privileges (e.g., domain administrator).

Data Exfiltration: Karakurt's primary goal is mass data theft. Their process involves:

  • Identifying Valuable Data: Locating sensitive file shares, databases, and document repositories.

  • Compression: Compressing stolen data using tools like 7zip to prepare for exfiltration. They often create manifest files (e.g., file-tree.txt) listing the stolen directory structures.

  • Exfiltration Tools: Utilizing legitimate file transfer tools to move data out of the network, often bypassing detection. Common tools include:

    • FTP clients (e.g., Filezilla)

    • Cloud storage synchronization tools (e.g., Rclone with services like Mega.nz)

    • Other file transfer services (e.g., QuickPacket, SendGB, put.io, qaz.im), which have been associated with related actors and TTPs.

  • Volume: Exfiltrating large quantities of data, sometimes exceeding a terabyte, including entire network shares.
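The tooling described in the reconnaissance, persistence and exfiltration sections above (Mimikatz, AnyDesk, Rclone renamed to look like a system binary, 7zip staging and file-tree.txt manifests) leaves a recognisable footprint in process-creation telemetry. The script below is an added example written for this profile, not code from the original article or from any vendor; it assumes Sysmon-style event fields (host, user, image, original_name, cmdline, parent), uses constructed sample events, and tags each finding with the ATT&CK IDs the article lists (plus T1219 for remote access software, which is a real ATT&CK ID not in the article's table). The key design choice is matching on the PE OriginalFileName rather than the on-disk name, which is what exposes a renamed tool.

```python
"""Added example (not from the original article): rule-based triage of
process-creation telemetry for the post-compromise and exfiltration tooling
attributed to Karakurt (renamed Rclone, Mimikatz, AnyDesk, 7-Zip staging,
file-tree.txt manifests).  The event field names (host, user, image,
original_name, cmdline, parent) are assumptions modelled on Sysmon Event ID 1;
the sample events below are constructed, not real incident data."""
import ntpath
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    host: str
    technique: str  # MITRE ATT&CK ID (those in the article, plus T1219 noted below)
    rule: str
    evidence: str


# Lower-cased OriginalFileName (from the PE version resource) -> (ATT&CK ID, label).
# Matching on OriginalFileName rather than the on-disk name is what catches a
# renamed binary, which the article lists under T1036 Masquerading.
KNOWN_TOOLS = {
    "rclone.exe": ("T1567.002", "cloud-sync exfiltration tool"),
    "winscp.exe": ("T1048", "file-transfer client"),
    "filezilla.exe": ("T1048", "file-transfer client"),
    "anydesk.exe": ("T1219", "remote access tool"),  # T1219 is a real ATT&CK ID, not in the article's table
    "mimikatz.exe": ("T1003", "credential dumper"),
}

# Constructed sample telemetry (hostnames, users and paths are made up).
SAMPLE_EVENTS = [
    {"host": "FS01", "user": "CORP\\svc-backup", "image": r"C:\Windows\System32\svchost.exe",
     "original_name": "svchost.exe", "cmdline": "svchost.exe -k netsvcs", "parent": "services.exe"},
    {"host": "FS01", "user": "CORP\\jdoe", "image": r"C:\Users\Public\svchost.exe",
     "original_name": "rclone.exe",
     "cmdline": r"svchost.exe copy D:\Shares\Finance mega:archive", "parent": "cmd.exe"},
    {"host": "WS22", "user": "CORP\\jdoe", "image": r"C:\Program Files\7-Zip\7z.exe",
     "original_name": "7z.exe",
     "cmdline": r"7z.exe a -v2g C:\Users\Public\arch.7z \\FS01\HR", "parent": "powershell.exe"},
    {"host": "WS22", "user": "CORP\\jdoe", "image": r"C:\Windows\System32\cmd.exe",
     "original_name": "Cmd.Exe",
     "cmdline": r"cmd.exe /c tree \\FS01\HR /f > C:\Users\Public\file-tree.txt",
     "parent": "explorer.exe"},
    {"host": "DC01", "user": "CORP\\Administrator", "image": r"C:\Users\Public\mk.exe",
     "original_name": "mimikatz.exe", "cmdline": "mk.exe", "parent": "cmd.exe"},
    {"host": "WS05", "user": "CORP\\asmith", "image": r"C:\Program Files\Microsoft Office\WINWORD.EXE",
     "original_name": "WinWord.exe", "cmdline": "WINWORD.EXE /n", "parent": "explorer.exe"},
]

ARCHIVE_CMD = re.compile(r"\b7z(?:\.exe)?\s+a\b")  # 7-Zip "add to archive" verb


def evaluate(event):
    """Return the findings one process-creation event triggers (possibly none)."""
    host, cmd = event["host"], event["cmdline"]
    original = event["original_name"].lower()
    on_disk = ntpath.basename(event["image"]).lower()
    findings = []

    if original in KNOWN_TOOLS:
        technique, label = KNOWN_TOOLS[original]
        findings.append(Finding(host, technique, label, f"{original} ran as {event['image']}"))
        if on_disk != original:
            findings.append(Finding(host, "T1036", "renamed tool (OriginalFileName mismatch)",
                                    f"{event['image']} is really {original}"))
    if original == "7z.exe" and ARCHIVE_CMD.search(cmd.lower()):
        findings.append(Finding(host, "T1560.001", "archive staging with 7-Zip", cmd))
    if "file-tree.txt" in cmd.lower():
        findings.append(Finding(host, "T1083", "directory manifest (file-tree.txt)", cmd))
    return findings


def scan(events):
    return [f for e in events for f in evaluate(e)]


def summarize(findings):
    """Host -> set of technique IDs, a quick view of how far an intrusion has progressed."""
    by_host = {}
    for f in findings:
        by_host.setdefault(f.host, set()).add(f.technique)
    return by_host


if __name__ == "__main__":
    for f in scan(SAMPLE_EVENTS):
        print(f"{f.host:5} {f.technique:10} {f.rule}: {f.evidence}")
```

Run as a script it prints one line per finding; in practice the same `evaluate` rules would sit in a SIEM or EDR query over real process events. The per-host summary is useful for triage because a host showing both T1036 and T1567.002 (a renamed cloud-sync tool) is already at the exfiltration stage, whereas T1560.001 alone may still be staging.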

Extortion and Harassment: This is where Karakurt's tactics become particularly aggressive:

  • Ransom Notes: Delivering ransom notes (often named readme.txt) via placement on compromised systems, compromised internal email accounts, or external email accounts. Notes typically claim a breach, list stolen data types, threaten public release/auction, and provide a link to a TOR-based portal with a unique access code for negotiation.

  • Aggressive Harassment: Conducting extensive harassment campaigns targeting the victim organization's employees, customers, and business partners. This involves emails and phone calls containing samples of stolen sensitive data (e.g., SSNs, financial records, personal information) to maximize pressure. They have also unusually leveraged mainstream social media platforms like Twitter and Facebook Messenger for communication and pressure during negotiations.

  • Proof of Theft: Providing screenshots of file directories or samples of stolen files as evidence.

  • Payment Demands: Ransoms demanded range widely, from $25,000 to as high as $13,000,000 USD, payable in Bitcoin, typically to new, previously unused wallet addresses. Deadlines are often short (e.g., within a week).

  • Post-Payment Actions: While sometimes providing alleged "proof of deletion" (like screen recordings or logs), reports indicate that Karakurt may not reliably delete stolen data, even after payment. The link to Conti, known for re-extortion, further casts doubt on these claims.

  • Exaggeration: Karakurt actors often inflate the volume or sensitivity of the stolen data to increase pressure.

MITRE ATT&CK TTPs: Karakurt leverages numerous techniques mapped to the MITRE ATT&CK framework. Security professionals should familiarize themselves with these TTPs to inform detection and defense strategies.

MITRE ATT&CK Techniques Summary

This section breaks down the attack techniques attributed to Karakurt, organized by tactic, using the MITRE ATT&CK framework.

Initial Access

Techniques used to gain an initial foothold within a network:

| Technique ID | Technique Name | Description |
|---|---|---|
| T1190 | Exploit Public-Facing Application | Exploiting vulnerabilities in VPNs (Fortinet, SonicWall, Cisco) and other web applications (Log4j). |
| T1078 | Valid Accounts | Using stolen or purchased credentials for VPN, RDP, or other services. |
| T1566 | Phishing | Spearphishing emails with malicious attachments or links. |
| T1133 | External Remote Services | Accessing networks via compromised VPN or RDP services. |

Execution

Techniques that result in adversary-controlled code running on a local or remote system:

| Technique ID | Technique Name | Description |
|---|---|---|
| T1059.001 | Command and Scripting Interpreter: PowerShell | Used for reconnaissance, execution of tools, and lateral movement. |
| T1059.003 | Command and Scripting Interpreter: Windows Command Shell | Used for executing commands and tools. |

Persistence

Techniques that maintain access to systems across restarts and credential changes:

| Technique ID | Technique Name | Description |
|---|---|---|
| T1136 | Create Account | Creating new accounts for persistent access. |
| T1543.003 | Create or Modify System Process: Windows Service | Establishing persistence via services. |
| T1574.002 | Hijack Execution Flow: DLL Side-Loading | Potentially used for loading malicious code. |
| T1078 | Valid Accounts | Maintaining access using compromised legitimate accounts. |
| T1562.001 | Impair Defenses: Disable or Modify Tools | Disabling security software. |

Privilege Escalation

Techniques that enable adversaries to gain higher-level permissions:

| Technique ID | Technique Name | Description |
|---|---|---|
| T1078 | Valid Accounts | Using stolen privileged credentials. |
| T1068 | Exploitation for Privilege Escalation | Using exploits to gain higher privileges. |
| T1548.002 | Abuse Elevation Control Mechanism: Bypass User Account Control | Bypassing UAC to run processes with higher privileges. |

Defense Evasion

Techniques used to avoid detection:

| Technique ID | Technique Name | Description |
|---|---|---|
| T1027 | Obfuscated Files or Information | Using packers or obfuscation for tools like Cobalt Strike. |
| T1070.004 | Indicator Removal on Host: File Deletion | Deleting logs or tools to cover tracks. |
| T1218.011 | System Binary Proxy Execution: Rundll32 | Executing malicious DLLs. |
| T1036 | Masquerading | Renaming tools (e.g., Rclone) or DLLs to mimic legitimate files. |

Credential Access

Techniques to steal credentials like account names and passwords:

| Technique ID | Technique Name | Description |
|---|---|---|
| T1003 | OS Credential Dumping | Using tools like Mimikatz to extract credentials from memory (LSASS). |

Discovery

Techniques used to gain knowledge about systems and internal networks:

| Technique ID | Technique Name | Description |
|---|---|---|
| T1087 | Account Discovery | Identifying user and administrator accounts. |
| T1082 | System Information Discovery | Gathering information about the compromised system. |
| T1016 | System Network Configuration Discovery | Mapping network configurations. |
| T1049 | System Network Connections Discovery | Identifying active network connections. |
| T1083 | File and Directory Discovery | Searching for valuable data across the network. |
| T1135 | Network Share Discovery | Identifying accessible network shares for data theft and lateral movement. |

Lateral Movement

Techniques to move through an environment:

| Technique ID | Technique Name | Description |
|---|---|---|
| T1021.001 | Remote Services: Remote Desktop Protocol | Using RDP with compromised credentials to move laterally. |
| T1021.002 | Remote Services: SMB/Windows Admin Shares | Accessing remote shares. |

Collection

Techniques used to identify and gather information:

| Technique ID | Technique Name | Description |
|---|---|---|
| T1005 | Data from Local System | Collecting files from local machines. |
| T1039 | Data from Network Shared Drive | Collecting data from discovered network shares. |
| T1560.001 | Archive Collected Data: Archive via Utility | Using tools like 7zip to compress data before exfiltration. |

Command and Control

Techniques that allow attackers to communicate with controlled systems:

| Technique ID | Technique Name | Description |
|---|---|---|
| T1071.001 | Application Layer Protocol: Web Protocols | C2 communication via HTTP/HTTPS (e.g., Cobalt Strike). |
| T1105 | Ingress Tool Transfer | Downloading tools like Mimikatz, AnyDesk, Rclone onto compromised systems. |

Exfiltration

Techniques to steal data:

| Technique ID | Technique Name | Description |
|---|---|---|
| T1048 | Exfiltration Over Alternative Protocol | Using FTP or other protocols for data exfiltration. |
| T1567.002 | Exfiltration Over Web Service: Exfiltration to Cloud Storage | Using tools like Rclone to exfiltrate data to cloud services (e.g., Mega.nz). |
| T1041 | Exfiltration Over C2 Channel | Exfiltrating smaller amounts of data via the existing C2 channel. |

Impact

Techniques to disrupt availability or compromise integrity:

| Technique ID | Technique Name | Description |
|---|---|---|
| T1486 | Data Encrypted for Impact | Generally NOT used by Karakurt, which focuses on extortion via the threat of data release. |
| T1490 | Inhibit System Recovery | Deleting shadow copies or backups (less critical where no encryption occurs, but it still hinders recovery). |

Targets or Victimology

Motivations: Karakurt's primary driver is financial gain through extortion. While potential espionage links exist via the Conti connection, their core operations revolve around monetizing stolen data.

Potential Impact: Victims face severe consequences beyond potential ransom payments:

  • Data Breach: Exposure of sensitive corporate, employee, customer, and partner data.

  • Reputational Damage: Significant harm from public disclosure of the breach and stolen data, exacerbated by Karakurt's harassment campaigns.

  • Operational Disruption: While not encrypting systems, the investigation, response, and harassment can disrupt business operations.

  • Regulatory Fines and Legal Costs: Potential penalties for data breaches under regulations like GDPR, CCPA, etc., plus legal fees.

Targeted Industries: Karakurt appears largely opportunistic, not limiting itself to specific sectors. However, documented victims span a wide range, including:

  • Technology Providers

  • Healthcare

  • Financial Services

  • Manufacturing

  • Legal Services

  • Government Entities

  • Energy

  • Transportation and Logistics

  • Professional Services

  • Retail

Targeted Regions: Attacks have been observed globally, but activity has been particularly concentrated in:

  • North America (especially the United States)

  • Europe

Attack Campaigns

Rather than distinct, named campaigns, Karakurt's activity is characterized by a continuous stream of intrusions following their established MO. Key aspects of their campaigns include:

  • High Volume in 2022: A significant number of organizations were compromised and listed on their leak site during their peak activity period.

  • Focus on VPN Exploitation: Many intrusions leveraged vulnerabilities in popular VPN solutions, highlighting the importance of patching edge devices.

  • Aggressive Extortion: The harassment campaigns targeting employees and partners were a consistent and defining feature of their attacks.

  • Conti/Diavol Overlaps: Some incidents showed temporal or infrastructure overlaps with Conti or Diavol activity, reinforcing the suspected links.

  • Opportunistic Targeting: The broad range of victim industries and sizes suggests they often exploited readily available access or vulnerabilities rather than targeting specific organizations based on profile alone. Security teams should therefore hunt for the suspicious events described above regardless of their sector.

Defenses

Defending against Karakurt requires a multi-layered security approach focusing on preventing initial access, detecting post-compromise activity, and mitigating the impact of data theft. Given their TTPs, the following strategies are crucial:

  1. Patch Management: Aggressively patch known vulnerabilities, especially in internet-facing systems like VPN appliances (Fortinet, SonicWall, Cisco, etc.), firewalls, and web servers. Prioritize critical and actively exploited vulnerabilities, and ensure a reliable patch management process is in place.

  2. Multi-Factor Authentication (MFA): Enforce MFA for all remote access (VPNs, RDP), cloud services, and critical internal systems. This is one of the most effective defenses against credential compromise.

  3. Strong Password Policies & Credential Hygiene: Implement and enforce strong, unique passwords based on NIST guidelines. Discourage password reuse. Monitor for leaked credentials and proactively reset affected accounts. Passwordless authentication is also worth considering.

  4. Network Segmentation: Segment networks to limit lateral movement. Sensitive data repositories should be isolated with strict access controls.

  5. Least Privilege Principle: Ensure users and service accounts have only the minimum permissions necessary to perform their roles. Regularly review account privileges.

  6. Endpoint Detection and Response (EDR): Deploy and configure EDR solutions to detect and block malicious tools and techniques like Cobalt Strike, Mimikatz, and suspicious script execution. Monitor for the presence and execution of tools like AnyDesk and Rclone in unexpected contexts.

  7. Network Monitoring & Egress Filtering: Monitor network traffic for unusual outbound connections, large data transfers, or communications with known malicious infrastructure or cloud storage services not typically used by the organization. Implement egress filtering where possible, and centralize security logging and monitoring so that such activity can be investigated.

  8. Email Security: Enhance email security gateways to filter phishing attempts. Implement SPF, DKIM, and DMARC. Use banners to clearly mark external emails. Train users to identify and report phishing. Consider disabling hyperlinks in emails from external sources.

  9. Disable Unused Ports and Services: Reduce the attack surface by disabling unnecessary ports, protocols, and services, particularly on internet-facing systems.

  10. Data Backup and Recovery: While Karakurt doesn't encrypt, robust, regularly tested offline/immutable backups are still critical for general resilience and recovery from potential destructive actions or errors during an incident response.

  11. Cybersecurity Awareness Training: Train employees to recognize phishing, social engineering, and the tactics used in harassment campaigns. Foster a security-aware culture where reporting suspicious activity is encouraged.

  12. Incident Response Plan: Develop and regularly test an incident response plan that specifically addresses data breach and extortion scenarios. Include procedures for containment, eradication, recovery, and communication (internal and external).

  13. Discourage Ransom Payments: Adhere to government guidance (e.g., from CISA, FBI) which strongly discourages paying ransoms. Payment does not guarantee data deletion, prevent future attacks, or stop public release, and fuels the cybercrime economy.
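Defense items 6 and 7 above ask for monitoring of large outbound transfers and of cloud storage services the organization does not normally use. The following script is an added example written for this profile, not code from the original article or from any product; it reviews a day of constructed flow summaries and raises alerts for transfers to the file-transfer services named in the article (mega.nz, put.io, qaz.im), for FTP egress, for large transfers to destinations outside a hypothetical approved list, and for hosts sending far more than their usual daily volume. The approved-destination list, the 500 MiB and 10x thresholds, and the per-host baselines are assumptions; real deployments would learn the baselines from historical NetFlow or proxy logs.

```python
"""Added example (not from the original article): daily egress review that
flags the outbound patterns the article's defence items 6 and 7 describe,
namely transfers to consumer cloud-storage or file-transfer services named in
the article, FTP egress, single large transfers to unsanctioned destinations,
and per-host volumes far above a learned baseline.  Flow records, the
approved-destination list, the byte thresholds and the baselines are all
assumptions constructed for the example."""
from collections import defaultdict
from dataclasses import dataclass

# Services the article associates with Karakurt-style exfiltration.
WATCHLIST_DOMAINS = {"mega.nz", "put.io", "qaz.im"}
# Hypothetical sanctioned bulk-transfer destination for this organisation.
APPROVED_DOMAINS = {"backup.example-corp.net"}
LARGE_TRANSFER_BYTES = 500 * 1024 ** 2  # 500 MiB per host/destination/day (assumed threshold)
BASELINE_MULTIPLIER = 10                # flag a host sending 10x its usual daily volume (assumed)


@dataclass(frozen=True)
class Alert:
    host: str
    technique: str  # ATT&CK ID from the article, or a local rule name
    detail: str


# Constructed flow summaries: (timestamp, source host, destination, dest port, bytes out).
SAMPLE_FLOWS = [
    ("2022-03-14T01:12:00", "FS01", "mega.nz", 443, 38_000_000_000),
    ("2022-03-14T01:20:00", "FS01", "mega.nz", 443, 12_000_000_000),
    ("2022-03-14T02:05:00", "WS22", "203.0.113.10", 21, 900_000_000),
    ("2022-03-14T09:30:00", "WS05", "backup.example-corp.net", 443, 2_000_000_000),
    ("2022-03-14T10:00:00", "WS05", "update.example-vendor.com", 443, 4_000_000),
]
# Constructed per-host median daily egress, as a baseline job would have learned it.
BASELINE_DAILY_BYTES = {"FS01": 300_000_000, "WS22": 50_000_000, "WS05": 2_500_000_000}


def aggregate(flows):
    """Sum bytes per (day, host, destination, port) and per (day, host)."""
    per_pair = defaultdict(int)
    per_host = defaultdict(int)
    for ts, host, dest, port, out_bytes in flows:
        day = ts[:10]
        per_pair[(day, host, dest, port)] += out_bytes
        per_host[(day, host)] += out_bytes
    return per_pair, per_host


def detect(flows, baseline):
    """Apply the four egress rules and return the alerts they raise."""
    alerts = []
    per_pair, per_host = aggregate(flows)
    for (day, host, dest, port), total in per_pair.items():
        if dest in WATCHLIST_DOMAINS:
            alerts.append(Alert(host, "T1567.002", f"{day}: {total} bytes to watch-listed service {dest}"))
        if port == 21:
            alerts.append(Alert(host, "T1048", f"{day}: {total} bytes over FTP to {dest}"))
        if dest not in APPROVED_DOMAINS and total >= LARGE_TRANSFER_BYTES:
            alerts.append(Alert(host, "large-transfer", f"{day}: {total} bytes to unsanctioned {dest}:{port}"))
    for (day, host), total in per_host.items():
        usual = baseline.get(host)
        if usual and total >= BASELINE_MULTIPLIER * usual:
            alerts.append(Alert(host, "baseline-deviation",
                                f"{day}: {total} bytes out, {total / usual:.0f}x the usual daily volume"))
    return alerts


def alerts_by_host(alerts):
    """Host -> ordered list of rule names that fired, for triage."""
    by_host = defaultdict(list)
    for a in alerts:
        by_host[a.host].append(a.technique)
    return dict(by_host)


if __name__ == "__main__":
    for a in detect(SAMPLE_FLOWS, BASELINE_DAILY_BYTES):
        print(f"{a.host:5} {a.technique:18} {a.detail}")
```

The file server in the sample trips three rules at once (watch-listed destination, large transfer, and a volume far above its baseline), which is the combination that should page an analyst; the workstation sending to a bare IP over port 21 is the FTP case the article maps to T1048. Egress filtering that blocks the watch-listed services outright removes the first class of alert altogether, which is why item 7 recommends it.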

Conclusion

The Karakurt Extortion Group represents a significant threat characterized by its departure from traditional ransomware tactics, focusing exclusively on data theft and aggressive extortion. Their proven ability to infiltrate diverse networks, steal vast amounts of sensitive data, and leverage psychological pressure through harassment makes them particularly dangerous. The strong evidence linking them to the Conti ransomware ecosystem underscores the interconnected and adaptive nature of modern cybercrime syndicates. Although their activity may have decreased following peak levels in 2022 and potential law enforcement disruption, the TTPs they employ remain relevant. Organizations must prioritize robust security hygiene (especially MFA implementation, timely patching of edge devices, vigilant monitoring for post-compromise tools, and comprehensive incident response planning) to defend against Karakurt and similar data extortion threats. Adopting a zero trust security model is one of the most effective strategies for limiting what a single compromised credential or device can reach.


Arun KL

Arun KL is a cybersecurity professional with 15+ years of experience in IT infrastructure, cloud security, vulnerability management, Penetration Testing, security operations, and incident response. He is adept at designing and implementing robust security solutions to safeguard systems and data. Arun holds multiple industry certifications including CCNA, CCNA Security, RHCE, CEH, and AWS Security.
