{
	"id": "01795f04-e9d6-47c2-8021-58fccd2a4b56",
	"created_at": "2026-04-06T00:17:53.798228Z",
	"updated_at": "2026-04-10T13:12:18.527331Z",
	"deleted_at": null,
	"sha1_hash": "f1e2a22798e745685f8c1b805dd6eb8b169e885f",
	"title": "The Karakurt Web: Threat Intel and Blockchain Analysis Reveals Extension of Conti Business Model",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 3407153,
	"plain_text": "The Karakurt Web: Threat Intel and Blockchain Analysis Reveals\r\nExtension of Conti Business Model\r\nBy Arctic Wolf\r\nPublished: 2022-04-15 · Archived: 2026-04-05 21:10:32 UTC\r\nKey Insights on Karakurt\r\nWe assess with a high degree of confidence that the Karakurt extortion group is operationally linked\r\nto both the Conti and Diavol ransomware groups.\r\nSince its first attacks in August 2021, Karakurt has victimized organizations in a number of\r\nindustries and in at least eight countries.\r\nThese connections debunk Conti ransomware’s standard pledge to victims that paying the demanded\r\nransom will keep them safe from future attacks. Paying a ransom also does not result in Karakurt\r\ndeleting data.\r\nSummary\r\nTetra Defense, an Arctic Wolf® company, partnered with Chainalysis to analyze the links between the Karakurt\r\ncyber extortion group and both the Conti and Diavol ransomware groups, combining Tetra’s digital forensics with Chainalysis’\r\nblockchain analytics. As recent leaks have revealed, Conti and Trickbot are complicated operations with\r\nsophisticated structures. But our findings indicate that the web is even wider than originally thought, extending to\r\nadditional exfiltration-only operations. The web is stickier too: we have confirmed on numerous occasions that\r\nthe Karakurt group does not delete victim data and maintains a copy even after an extortion payment.\r\nBackground\r\nIn 2021 Tetra Defense was approached by a client who claimed to have been hit with ransomware re-extortion.\r\nThey were previously a victim of Conti ransomware and had paid the demand, only to later discover another\r\nextortion attempt from an unknown group. Except, in the second attempt, no encryption occurred. After\r\nsuccessfully recovering from the first intrusion, this client logged in to their systems to find yet another ransom\r\nnote stating sensitive data had been stolen and exacting an additional ransom.\r\nThe timing was interesting. 
As Tetra Defense took the case and started examining the client’s systems, it was clear\r\nthat the second extortionist had utilized the exact same backdoor left by the Conti group to access the victim’s\r\nnetwork. This was a Cobalt Strike back door indicating that the second intruder would have needed access to the\r\nConti Cobalt Strike server in order to use the persistence mechanism. Such access could only be obtained through\r\nsome sort of purchase, relationship, or surreptitiously gaining access to Conti group infrastructure.\r\nThis all occurred during a turbulent period in which Conti was struggling with disgruntled affiliates angry over\r\nlow pay and leaking sensitive information such as Conti’s playbooks and training materials. Tetra noted the\r\nhttps://arcticwolf.com/resources/blog/karakurt-web\r\nPage 1 of 10\n\npossibility that this second actor could have been a Conti operative or affiliate, particularly given their access to\r\nthe backdoor. Perhaps it was a disgruntled employee trying to “cut out the middleman” and walk away with more\r\nprofit by quietly returning to steal data. Or, alternatively, perhaps this was the trial run of a strategic diversification\r\nauthorized by the main group.\r\nThus began a more regular emergent pattern of data theft extortions. Just a few days later Tetra Defense\r\nencountered the first victim of what was called “Karakurt” employing similar tradecraft to what was observed in\r\nthe previous re-extortion attempt just days before. Again, the victim reported no encryption, only a ransom note\r\nindicating that large amounts of sensitive data had been stolen. This was not unheard of. Other groups such as\r\nMarketo began using the tactic earlier and a few others such as Bl@ckt0r and Bonaci Group were largely\r\ncontemporaneous. But Karakurt seemed to outlive each of its competitors in this nascent exfiltration-only space as\r\nTetra Defense responded to numerous incidents over the next few months. 
Our analysis might shed light on\r\nKarakurt’s relative longevity.\r\nKarakurt’s logo\r\nWho is Karakurt?\r\nKarakurt is branded after the common name of a venomous widow spider, an image the group does not hesitate to\r\nallegorize in describing who they are. As evinced by the excerpt taken from the group’s dark web leak site, a data\r\ntheft extortion is compared to a toxic bite. The antidote? Cooperation, of course.\r\nScreenshot from Karakurt dark web leak site.\r\nAs opposed to typical ransomware, in which the adversary denies a victim access to data through encryption,\r\nKarakurt is a cybercrime group which infiltrates networks and engages in extortion by stealing and threatening to\r\nrelease data without any attempt to encrypt. Since its first observed attacks in August 2021, Karakurt has\r\nvictimized organizations across a number of industries and in at least eight countries.[1]\r\nTypically, Karakurt threatens to release victims’ data on a branded dark web site, noted for its bizarre aesthetic.\r\nUntil recently, Karakurt posted the names of victims who chose not to accede to the group’s demands, but it is now\r\nbeginning to make good on threats to release stolen data.\r\nKarakurt Dark Web Home Page\r\nConti Hypothesis\r\nIn responding to well over a dozen Karakurt incidents to date, Tetra Defense has built a dataset of intrusions,\r\nleading to additional insight. 
The most common point of initial intrusion for Karakurt attacks is Fortinet SSL\r\nVPNs, which was also the point of compromise for the earlier, seemingly Conti-related re-extortion.\r\nWhile Karakurt attacks can vary with respect to tools, some notable overlaps began to emerge between some\r\nKarakurt intrusions and the earlier suspected Conti-related re-extortion, including the use of the same tools for\r\nexfiltration, a unique adversary choice to create and leave behind a file listing of exfiltrated data named “file-tree.txt” in the victim’s environment, as well as the repeated use of the same attacker hostname when remotely\r\naccessing victims’ networks (see table below).\r\nAny single data point is far from a smoking gun, but taken together as a series of choices made by an attacker to\r\naccomplish the unique goal of data theft extortion, there is evidence to make an inference-based assertion that\r\nthese intrusions could be linked. If the mystery re-extortion gang were indeed connected to Conti and likewise\r\nrelated to Karakurt, then by transitive inference this might indicate a connection between Conti and Karakurt.\r\nIn addition, Tetra was engaged by another client victimized by a Karakurt attack; only upon performing forensic\r\nanalysis did we learn that they had previously been a victim of Ryuk ransomware. 
This was the second\r\nindication of a potential Conti link, as Ryuk and Conti are both deployed by the Trickbot Group and exhibit\r\nsignificant technical as well as financial overlap.[2] Armed with a hypothesis that something more systemic was\r\noccurring, Tetra Defense collaborated with our intel partners at Chainalysis.\r\n| | Conti-Related Re-Extortion | Karakurt |\r\n|---|---|---|\r\n| Root Point of Compromise | Fortinet SSL VPN | Fortinet SSL VPN |\r\n| Exfiltration Tool | WinSCP | WinSCP |\r\n| File Listing | “file-tree.txt” left on victim system | “file-tree.txt” left on victim system |\r\n| Attacker Hostname | Identical | Identical |\r\n| Actions on Objective | Data Exfiltration | Data Exfiltration |\r\nComparison of the earlier non-attributed re-extortion and a cluster of Karakurt intrusions\r\nConti and Karakurt’s Financial Connections\r\nIn partnership with Chainalysis and its world-class blockchain analysis team, we can analyze cryptocurrency\r\ntransactions carried out by Conti and Karakurt to reveal financial connections between the two. Blockchain\r\nanalysis provided some of the earliest indications of Karakurt’s ties to Conti ransomware, as the relevant\r\ntransactions pre-date the discovery of the similarities in Karakurt’s and Conti’s software and attack strategy.\r\nChainalysis has identified dozens of cryptocurrency addresses belonging to Karakurt, scattered across multiple\r\nwallets. Victim payments to those addresses range from $45,000 to $1 million worth of cryptocurrency. Right off\r\nthe bat, we can see examples of Karakurt wallets sending substantial sums of cryptocurrency to Conti wallets.\r\nFor example, in the Chainalysis Reactor screenshot above, we see a Karakurt extortion wallet moving 11.36\r\nBitcoin — worth approximately $472,000 at the time of transfer — to a Conti wallet. But the connections run\r\neven deeper. 
Chainalysis has also found that several Karakurt victim payment addresses are hosted by wallets that\r\nalso house Conti victim payment addresses.\r\nShared wallet hosting leaves virtually no doubt that Conti and Karakurt are deployed by the same individual or\r\ngroup.\r\nHow Diavol Fits\r\nTetra has discovered some oversights by Karakurt operatives which reveal a connection to Diavol ransomware,\r\nanother group which emerged around the same time (July 2021) and has been associated with Trickbot.[3] Tetra\r\nresponders observed adversary actions across multiple cases which proved shared use of tools and infrastructure,\r\nthough, like Conti, Diavol employs encryption whereas Karakurt does not.\r\nDiavol, Conti, and Ryuk have been reported to use the same malware loader,[4] and the Conti Jabber chat leaks in\r\nFeb – March 2022 further revealed the nature of the connection with Diavol.[5] In the chats, Stern (the Trickbot\r\nGroup administrator and Conti manager) wrote to Mango (the people manager) in early July 2021 to inform him that\r\nBaget, another operative, had completed the Diavol locker and that it had come back clean on antivirus detection\r\ntests. Both Karakurt and Diavol sprang from within the heart of Conti, and Tetra Defense was able to confirm that\r\nKarakurt and Diavol operators were sharing attacker infrastructure during the same period of time.\r\nOnce again, blockchain analysis confirms Diavol’s connection to Karakurt and Conti. 
As with Karakurt,\r\nthe Reactor graph below shows a Diavol extortion address hosted by a wallet containing addresses used in Conti\r\nransomware attacks.\r\nAgain, this common address ownership confirms with near total certainty that Diavol is deployed by the same\r\nactors behind Conti and Karakurt.\r\nKarakurt may be Conti’s diversification strategy, but not a wise one\r\nWe have been able to demonstrate relatively high-confidence connections between Conti, Karakurt, and Diavol.\r\nHowever Karakurt is being run, it no doubt gains some advantage from access to Conti resources such as access to\r\nvictims or the tools and infrastructure used by the rest of the group. Knowing who you are dealing with in the\r\nfight against ransomware is a rare opportunity, which helps defenders know how to respond. Through\r\ncollaborative efforts in Tetra’s forensic investigations with Chainalysis’ blockchain analytics and IR partners, there\r\nis a strong case to be made that Karakurt and Diavol are part of the evolving Conti web.\r\nWhy might Conti deploy a quasi-ransomware strain like Karakurt? The Conti Leaks may hold the answer. Chats\r\nbetween Trickbot Group managers show that they’ve thought long and hard about how to diversify their business\r\nmodel, with some proposing ideas like selling exfiltrated data or access to victims. Operating multiple\r\nransomware strains could also be a way to enhance resiliency and enable business continuity amid any possible\r\ngovernment actions. 
Amid unprecedented law enforcement action on ransomware in 2021, when Karakurt\r\nemerged, Conti managers may have perceived that launching a strain that does not encrypt could bypass the scrutiny\r\nincurred by “ransomware” while still achieving financial objectives.\r\nWhether Karakurt is an elaborate side hustle by Conti and Diavol operatives or an enterprise\r\nsanctioned by the overall organization remains to be seen. What we can say is that this connection perhaps explains\r\nwhy Karakurt is surviving and thriving while some of its exfiltration-only competitors die out.\r\nBut in the long run, the strategy may backfire, as these discoveries discredit Conti ransomware’s standard pledge\r\nto victims that paying the demanded ransom will keep them safe from future attacks and result in the criminal\r\nenterprise keeping its word. We have been able to confirm on numerous occasions that the Karakurt group does\r\nnot delete victim data after payment and maintains a copy. However, the motivation behind this is unclear. While\r\nwe have not as yet observed re-extortion after a Karakurt payment, the victim’s deal is only partially honored. In\r\naddition, there is plausible evidence to assert that Conti has used Karakurt against former victims.\r\nImage Credit: Team Cymru[6]\r\nCheck out the highlighted portion of the Conti ransom note above. Ransomware attacks are premised on the\r\nvictim’s trust that their payment will end the attack and return control of their data to them. If victims and their\r\nincident response firms know Conti may have re-extorted prior victims using Karakurt and that data won’t\r\nactually be deleted, there’s much less incentive to pay. Don’t get caught in the web.\r\nCredits\r\nArctic Wolf is a leader in security operations, delivering a premier cloud-native security operations platform\r\ndesigned to end cyber risk. 
For more information, visit www.arcticwolf.com.\r\nChainalysis is the blockchain data platform. We provide data, software, services, and research to government\r\nagencies, exchanges, financial institutions, and insurance and cybersecurity companies in over 70 countries. Our\r\ndata powers investigation, compliance, and market intelligence software used to solve some of the world’s most\r\nhigh-profile criminal cases. For more information, visit www.chainalysis.com.\r\nTetra Defense, an Arctic Wolf Company, is a leading incident response, cyber risk management and digital\r\nforensics firm. For more information, visit www.tetradefense.com.\r\nArctic Wolf’s Threat Research \u0026 Detection teams continually work to leverage intelligence from Tetra Defense\r\nresponders on how threat groups like Conti, Karakurt, and Diavol operate to bolster detections in the Arctic Wolf\r\nplatform. The threat landscape is constantly evolving, especially with ransomware groups and how they conduct\r\ntheir attacks. The visibility that Tetra Defense responders have into the tactics, techniques, and procedures (TTPs)\r\nof these groups allows Arctic Wolf to push forward new intel-driven detections on a daily basis.\r\nThis article was based on research performed by Tetra Defense, an Arctic Wolf® company, with contributions\r\nfrom Chainalysis and Northwave.\r\n[1] This data and the graphic representations of Karakurt victim industries and geographic locations are based on\r\ndark web intelligence data collected by Tetra Defense. This represents victims who elected not to pay the ransom.\r\n[2] Unfortunately, forensic data had not been preserved from the distant Ryuk intrusion from which the client\r\nrecovered, so Tetra was unable to perform the analysis needed to correlate the intrusions.\r\nSource: https://arcticwolf.com/resources/blog/karakurt-web",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://arcticwolf.com/resources/blog/karakurt-web"
	],
	"report_names": [
		"karakurt-web"
	],
	"threat_actors": [
		{
			"id": "6ad410c7-e291-4327-a54b-281c23f0d4fa",
			"created_at": "2022-10-25T16:07:24.501468Z",
			"updated_at": "2026-04-10T02:00:05.013427Z",
			"deleted_at": null,
			"main_name": "Karakurt",
			"aliases": [
				"Mushy Scorpius"
			],
			"source_name": "ETDA:Karakurt",
			"tools": [
				"7-Zip",
				"Agentemis",
				"AnyDesk",
				"Cobalt Strike",
				"CobaltStrike",
				"FileZilla",
				"LOLBAS",
				"LOLBins",
				"Living off the Land",
				"Mimikatz",
				"WinZip",
				"cobeacon"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "2af9bea3-b43e-4a6d-8dc6-46dad6e3ff24",
			"created_at": "2022-10-25T16:47:55.853415Z",
			"updated_at": "2026-04-10T02:00:03.856263Z",
			"deleted_at": null,
			"main_name": "GOLD TOMAHAWK",
			"aliases": [
				"Karakurt",
				"Karakurt Lair",
				"Karakurt Team"
			],
			"source_name": "Secureworks:GOLD TOMAHAWK",
			"tools": [
				"7-Zip",
				"AnyDesk",
				"Mega",
				"QuickPacket",
				"Rclone",
				"SendGB"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "aa73cd6a-868c-4ae4-a5b2-7cb2c5ad1e9d",
			"created_at": "2022-10-25T16:07:24.139848Z",
			"updated_at": "2026-04-10T02:00:04.878798Z",
			"deleted_at": null,
			"main_name": "Safe",
			"aliases": [],
			"source_name": "ETDA:Safe",
			"tools": [
				"DebugView",
				"LZ77",
				"OpenDoc",
				"SafeDisk",
				"TypeConfig",
				"UPXShell",
				"UsbDoc",
				"UsbExe"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "079e3d6e-24ef-42b0-b555-75c288f9efd8",
			"created_at": "2023-03-04T02:01:54.105946Z",
			"updated_at": "2026-04-10T02:00:03.359009Z",
			"deleted_at": null,
			"main_name": "Karakurt",
			"aliases": [
				"Karakurt Lair"
			],
			"source_name": "MISPGALAXY:Karakurt",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		}
	],
	"ts_created_at": 1775434673,
	"ts_updated_at": 1775826738,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/f1e2a22798e745685f8c1b805dd6eb8b169e885f.pdf",
		"text": "https://archive.orkl.eu/f1e2a22798e745685f8c1b805dd6eb8b169e885f.txt",
		"img": "https://archive.orkl.eu/f1e2a22798e745685f8c1b805dd6eb8b169e885f.jpg"
	}
}