{
	"id": "9a6f7f2a-793f-445e-86de-cef777b73f3b",
	"created_at": "2026-04-06T00:21:20.704214Z",
	"updated_at": "2026-04-10T03:33:15.641267Z",
	"deleted_at": null,
	"sha1_hash": "f4851fbcd2e90bbab5a66ea5677f385de8ce1f4a",
	"title": "Karakurt extortion group: Threat profile",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 804742,
	"plain_text": "Karakurt extortion group: Threat profile\r\nPublished: 2022-06-14 · Archived: 2026-04-05 21:21:59 UTC\r\nJovi Umawing\r\nJune 14, 2022\r\nThe FBI (Federal Bureau of Investigation), together with CISA (Cybersecurity and Infrastructure Security Agency) and other federal agencies, recently released a joint cybersecurity advisory (CSA) about the Karakurt data extortion group (also known as Karakurt Team and Karakurt Lair).\r\nLike RansomHouse, Karakurt doesn’t bother encrypting data. Instead, it just steals the data and demands a ransom. If the victim organization refuses to pay up, the stolen data is auctioned off or leaked to the public for anyone to scrape and misuse for personal gain.\r\nOne may wonder why federal agencies decided to focus on Karakurt when it is a relatively obscure group. It has no prolific attacks attributed to it and doesn’t appear to have a high number of attacks under its belt.\r\nAccording to Bleeping Computer, Karakurt is said to be the “data extortion arm” of the Conti ransomware syndicate. Further evidence from two blockchain traffic firms, Chainalysis and Tetra Defense, can back this up. In a report last month, they assessed “with a high degree of confidence” that Karakurt is “operationally linked to both Conti and Diavol ransomware groups”.\r\nhttps://blog.malwarebytes.com/cybercrime/2022/06/karakurt-extortion-group-threat-profile/\r\nPage 1 of 4\r\nKarakurt extortion group\r\nThe Karakurt group got its name from a type of black widow spider. Researchers have pointed out that the group likens its extortion tactics to a karakurt spider’s bite.\r\nThe NCC Group’s Cyber Incident Response Team (CIRT) spotlighted Karakurt activities in February 2022. However, Karakurt, known initially as the Karakurt Hacking Team (KHT), has been around since June 2021. This also marked the creation of domains and accounts associated with the group, namely its dump sites and, later on, its Twitter account in August 2021.\r\nPer a report from Accenture Security, Karakurt wasn’t actively extorting until September 2021. After two months, the extortion group had already bagged 40 organizations across multiple industries. However, experts from Digital Shadows seem to dispute this number, claiming that the victim number is more than 80.\r\nRegarding victimization, it’s clear that Karakurt isn’t picky with what to target. Regarding target locations, the extortion group prefers small organizations based in the US, the UK, Canada, and Germany.\r\nThe extortion group targets organizations using single-factor Fortigate VPN (Virtual Private Network) servers using legitimate Active Directory credentials. It is unknown how the group obtains these credentials; however, it’s no surprise that they get administrative access and privileges on compromised servers.\r\nFrom there, Karakurt can use the various tools it has at its disposal. Depending on the goals, the group can take a “living off the land” approach in its tactics, toolset, and intrusion techniques. It can also use common post-exploitation tools like Cobalt Strike, AnyDesk, and Mimikatz.\r\nOnce Karakurt has the data it wants to exfiltrate, it uses 7zip and WinZip to compress the files before sending them to Mega.io via FileZilla or Rclone.\r\nKarakurt demands a ransom ranging from $25,000 to $13M in Bitcoin. The payment deadline is typically seven days after the victim contacts the extortion group.\r\nSplintering into cells\r\nRansomware groups have been undergoing a new phase for a few months now. If they’re not splitting into smaller groups (“cells”) to join other criminal groups, they are rotating their use of malware to avoid the growing US sanctions and pressure from law enforcement.\r\nSince the US officially sanctioned Evil Corp, the Russian group behind the Dridex banking Trojan, things started changing, both on the side of ransomware victims and affiliates that use ransomware. Victims began refusing to pay to comply with sanctions, and these groups started rotating the use of ransomware variants in their campaigns to avoid getting associated with a sanctioned group.\r\nWith Conti “gone,” a splintering also happened within the syndicate. Researchers from Advanced Intel have data showing members of the former ransomware syndicate dispersing from the core group to join smaller ransomware groups.\r\nConti is not affiliated with Evil Corp, but both groups are in a similar bind that affects their profit margins but not enough to make them completely give up a criminal life. Unfortunately, members and affiliates gain from splintering and distancing themselves from these groups.\r\nIn an interview with the Wall Street Journal, Kimberly Goody, Mandiant’s director of cybercrime analysis, said that these changes obscured Evil Corp hackers’ identities “at the point of attack, throwing off investigators and sanction-compliant victim companies”. The same can be said about former actors associated with the Conti syndicate.\r\nKeep Karakurt away from your network and data\r\nWe advise organizations to prioritize mitigating steps to keep extortion groups like Karakurt from successfully infiltrating your network. Here are some ways to do that.\r\nImplement multi-factor authentication (MFA) in every business access point, including single-factor VPN access\r\nEnsure that all domain control servers are kept updated with the latest patches\r\nDisable unused ports\r\nInstall an efficient and effective endpoint security solution that focuses on a layered approach to protecting systems and business assets\r\nCreate and implement a recovery plan (if your business doesn’t have one already), including how to maintain and retain backups\r\nSegment your network to keep bad guys from reaching destinations that house your organization’s most sensitive and proprietary data\r\nAudit high-privileged accounts regularly\r\nThe federal agencies have more mitigation points in the advisory, which you can find here.\r\nStay safe!\r\nSource: https://blog.malwarebytes.com/cybercrime/2022/06/karakurt-extortion-group-threat-profile/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"references": [
		"https://blog.malwarebytes.com/cybercrime/2022/06/karakurt-extortion-group-threat-profile/"
	],
	"report_names": [
		"karakurt-extortion-group-threat-profile"
	],
	"threat_actors": [
		{
			"id": "6ad410c7-e291-4327-a54b-281c23f0d4fa",
			"created_at": "2022-10-25T16:07:24.501468Z",
			"updated_at": "2026-04-10T02:00:05.013427Z",
			"deleted_at": null,
			"main_name": "Karakurt",
			"aliases": [
				"Mushy Scorpius"
			],
			"source_name": "ETDA:Karakurt",
			"tools": [
				"7-Zip",
				"Agentemis",
				"AnyDesk",
				"Cobalt Strike",
				"CobaltStrike",
				"FileZilla",
				"LOLBAS",
				"LOLBins",
				"Living off the Land",
				"Mimikatz",
				"WinZip",
				"cobeacon"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "a3687241-9876-477b-aa13-a7c368ffda58",
			"created_at": "2022-10-25T16:07:24.496902Z",
			"updated_at": "2026-04-10T02:00:05.010744Z",
			"deleted_at": null,
			"main_name": "Hacking Team",
			"aliases": [],
			"source_name": "ETDA:Hacking Team",
			"tools": [],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "2af9bea3-b43e-4a6d-8dc6-46dad6e3ff24",
			"created_at": "2022-10-25T16:47:55.853415Z",
			"updated_at": "2026-04-10T02:00:03.856263Z",
			"deleted_at": null,
			"main_name": "GOLD TOMAHAWK",
			"aliases": [
				"Karakurt",
				"Karakurt Lair",
				"Karakurt Team"
			],
			"source_name": "Secureworks:GOLD TOMAHAWK",
			"tools": [
				"7-Zip",
				"AnyDesk",
				"Mega",
				"QuickPacket",
				"Rclone",
				"SendGB"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "e90c06e4-e3e0-4f46-a3b5-17b84b31da62",
			"created_at": "2023-01-06T13:46:39.018236Z",
			"updated_at": "2026-04-10T02:00:03.183123Z",
			"deleted_at": null,
			"main_name": "Hacking Team",
			"aliases": [],
			"source_name": "MISPGALAXY:Hacking Team",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "079e3d6e-24ef-42b0-b555-75c288f9efd8",
			"created_at": "2023-03-04T02:01:54.105946Z",
			"updated_at": "2026-04-10T02:00:03.359009Z",
			"deleted_at": null,
			"main_name": "Karakurt",
			"aliases": [
				"Karakurt Lair"
			],
			"source_name": "MISPGALAXY:Karakurt",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "50068c14-343c-4491-b568-df41dd59551c",
			"created_at": "2022-10-25T15:50:23.253218Z",
			"updated_at": "2026-04-10T02:00:05.234464Z",
			"deleted_at": null,
			"main_name": "Indrik Spider",
			"aliases": [
				"Indrik Spider",
				"Evil Corp",
				"Manatee Tempest",
				"DEV-0243",
				"UNC2165"
			],
			"source_name": "MITRE:Indrik Spider",
			"tools": [
				"Mimikatz",
				"PsExec",
				"Dridex",
				"WastedLocker",
				"BitPaymer",
				"Cobalt Strike"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "b296f34c-c424-41da-98bf-90312a5df8ef",
			"created_at": "2024-06-19T02:03:08.027585Z",
			"updated_at": "2026-04-10T02:00:03.621193Z",
			"deleted_at": null,
			"main_name": "GOLD DRAKE",
			"aliases": [
				"Evil Corp",
				"Indrik Spider ",
				"Manatee Tempest "
			],
			"source_name": "Secureworks:GOLD DRAKE",
			"tools": [
				"BitPaymer",
				"Cobalt Strike",
				"Covenant",
				"Donut",
				"Dridex",
				"Hades",
				"Koadic",
				"LockBit",
				"Macaw Locker",
				"Mimikatz",
				"Payload.Bin",
				"Phoenix CryptoLocker",
				"PowerShell Empire",
				"PowerSploit",
				"SocGholish",
				"WastedLocker"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "9806f226-935f-48eb-b138-6616c9bb9d69",
			"created_at": "2022-10-25T16:07:23.73153Z",
			"updated_at": "2026-04-10T02:00:04.729977Z",
			"deleted_at": null,
			"main_name": "Indrik Spider",
			"aliases": [
				"Blue Lelantos",
				"DEV-0243",
				"Evil Corp",
				"G0119",
				"Gold Drake",
				"Gold Winter",
				"Manatee Tempest",
				"Mustard Tempest",
				"UNC2165"
			],
			"source_name": "ETDA:Indrik Spider",
			"tools": [
				"Advanced Port Scanner",
				"Agentemis",
				"Babuk",
				"Babuk Locker",
				"Babyk",
				"BitPaymer",
				"Bugat",
				"Bugat v5",
				"Cobalt Strike",
				"CobaltStrike",
				"Cridex",
				"Dridex",
				"EmPyre",
				"EmpireProject",
				"FAKEUPDATES",
				"FakeUpdate",
				"Feodo",
				"FriedEx",
				"Hades",
				"IEncrypt",
				"LINK_MSIEXEC",
				"MEGAsync",
				"Macaw Locker",
				"Metasploit",
				"Mimikatz",
				"PayloadBIN",
				"Phoenix Locker",
				"PowerShell Empire",
				"PowerSploit",
				"PsExec",
				"QNAP-Worm",
				"Raspberry Robin",
				"RaspberryRobin",
				"SocGholish",
				"Vasa Locker",
				"WastedLoader",
				"WastedLocker",
				"cobeacon",
				"wp_encrypt"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "6c4f98b3-fe14-42d6-beaa-866395455e52",
			"created_at": "2023-01-06T13:46:39.169554Z",
			"updated_at": "2026-04-10T02:00:03.23458Z",
			"deleted_at": null,
			"main_name": "Evil Corp",
			"aliases": [
				"GOLD DRAKE"
			],
			"source_name": "MISPGALAXY:Evil Corp",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		}
	],
	"ts_created_at": 1775434880,
	"ts_updated_at": 1775791995,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/f4851fbcd2e90bbab5a66ea5677f385de8ce1f4a.pdf",
		"text": "https://archive.orkl.eu/f4851fbcd2e90bbab5a66ea5677f385de8ce1f4a.txt",
		"img": "https://archive.orkl.eu/f4851fbcd2e90bbab5a66ea5677f385de8ce1f4a.jpg"
	}
}