December 14, 2023 at 05:03AM
The FBI, CISA, and other US government agencies have issued a security advisory about the Karakurt extortion gang, notorious for using harassment and IT exploitation to demand ransoms ranging from $25,000 to $13 million in Bitcoin. The gang uses various tactics and tools to exfiltrate massive amounts of data, and the agencies warn victims against paying the ransom.
The advisory makes clear that the Karakurt extortion gang poses a significant challenge for network defenders. They employ a wide variety of tactics, techniques, and procedures to pressure victims into handing over large ransom payments after compromising their IT infrastructure. The FBI, the US government’s Cybersecurity and Infrastructure Security Agency (CISA), the Treasury Department, and the Financial Crimes Enforcement Network have released an extensive list of vulnerabilities and methods exploited by the gang.
The demands from Karakurt range from $25,000 to $13 million, paid in Bitcoin, with payment deadlines set for a week after first contact. The gang gains initial access through various means, including compromised Cisco AnyConnect VPN user accounts and exploiting known vulnerabilities in VPN and firewall appliances. They are also known for abusing Log4Shell.
Once they gain access, Karakurt deploys malicious tools such as Cobalt Strike beacons, Mimikatz, and AnyDesk for remote access and control. They exfiltrate massive amounts of sensitive data, often using open source file transfer apps like FileZilla and compressing files with 7-Zip.
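For defenders, the useful part of that paragraph is the tool chain: data is staged with an archiver and then moved with a file-transfer or remote-access tool. The following is an added example, not code from the advisory or the article, that scans endpoint process-creation events for an archiver launch followed within a short window by FileZilla or AnyDesk on the same host. The log format, field names, two-hour window, and binary names are assumptions made for the example; a real deployment would key on the advisory's published hashes and wallet or email indicators as well.

```python
"""Added example: flag 7-Zip staging followed by FileZilla/AnyDesk on one host.

Not the advisory's or the article's code. The pipe-delimited event format
(timestamp|host|user|image_path), the two-hour window, and the process names
below are assumptions chosen for this illustration.
"""
import ntpath
from dataclasses import dataclass
from datetime import datetime, timedelta

# Binary names for the tools the advisory names (assumed standard file names).
ARCHIVERS = {"7z.exe", "7za.exe", "7zg.exe"}
TRANSFER_TOOLS = {"filezilla.exe", "anydesk.exe"}


@dataclass
class ProcEvent:
    ts: datetime
    host: str
    user: str
    image: str  # lower-cased basename of the executable


def parse_event(line):
    """Parse one constructed event line into a ProcEvent."""
    ts, host, user, image_path = line.strip().split("|")
    # ntpath.basename handles Windows backslash paths on any platform.
    return ProcEvent(datetime.fromisoformat(ts), host, user,
                     ntpath.basename(image_path).lower())


def parse_log(text):
    return [parse_event(l) for l in text.splitlines() if l.strip()]


def find_staging_then_transfer(events, window=timedelta(hours=2)):
    """Return (host, archiver_ts, transfer_image) for every transfer-tool start
    that follows an archiver start on the same host within `window`."""
    by_host = {}
    for ev in sorted(events, key=lambda e: e.ts):
        by_host.setdefault(ev.host, []).append(ev)

    hits = []
    for host, evs in by_host.items():
        archive_times = [e.ts for e in evs if e.image in ARCHIVERS]
        for ev in evs:
            if ev.image not in TRANSFER_TOOLS:
                continue
            for at in archive_times:
                if at <= ev.ts <= at + window:
                    hits.append((host, at.isoformat(), ev.image))
                    break  # one hit per transfer-tool launch is enough
    return hits


# Constructed sample events: ws-17 shows the staging-then-transfer pattern
# inside the window; ws-22 has the same tools a day apart and should not fire.
SAMPLE_LOG = """\
2023-12-10T01:02:00|ws-17|alice|C:\\Program Files\\7-Zip\\7z.exe
2023-12-10T01:40:00|ws-17|alice|C:\\Program Files\\FileZilla FTP Client\\filezilla.exe
2023-12-10T09:00:00|ws-22|bob|C:\\Program Files\\7-Zip\\7z.exe
2023-12-11T09:00:00|ws-22|bob|C:\\Program Files\\FileZilla FTP Client\\filezilla.exe
"""


def detect(log_text=SAMPLE_LOG):
    return find_staging_then_transfer(parse_log(log_text))


if __name__ == "__main__":
    for host, staged_at, tool in detect():
        print(f"{host}: archiver at {staged_at} followed by {tool}")
    # → ws-17: archiver at 2023-12-10T01:02:00 followed by filezilla.exe
```

The sequence check matters more than any single process name: 7-Zip and FileZilla are legitimate on many hosts, so alerting on either alone is noisy, while an archive step followed closely by a transfer tool is the shape of the exfiltration the advisory describes.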
In their extortion tactics, Karakurt repeatedly contacts the victim company’s employees, business partners, and customers to build pressure to pay the ransom and issues threats to publish stolen information if their demands are not met.
The US government strongly discourages paying cyber criminals who promise to delete stolen files once paid. The agencies have also published multiple pages of indicators of compromise, including tools and payment wallets used by the gang, ransom note sample texts, and email addresses associated with Karakurt activity.
This week’s Karakurt security advisory follows an earlier version issued in June 2022, published shortly after the extortion group appeared on the cybercrime scene.