Warning: New cyber criminal group Karakurt is extorting millions of companies around the world

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has issued a security alert about Karakurt, a cybercriminal extortion group that extracts data from affected organizations and threatens to sell or leak it on the dark web if victims don’t pay a ransom.

This malicious operation is characterized by not using malware during its intrusions, contrary to virtually any other extortion group. The ransoms demanded by Karakurt range from $25,000 to $13 million, and payment must always be made via Bitcoin.

When contacting their victims, the hackers sent screenshots or copies of stolen files to prove that the attack was real, in addition to sharing details about the intrusion method employed. Karakurt operators also harass employees, partners and customers of the affected companies, in an attempt to force the ransom payment.

In the most critical cases, hackers leak small samples of the stolen information, including sensitive details such as full names, social security numbers, phone numbers, medical records, and more sensitive records.

Karakurt had started as a grouping of leaks and auctions on the dark web, although the domain used for its operations was disconnected a couple of months ago. By early May, Karakurt’s new website contained several terabytes of data allegedly belonging to victims in North America and Europe, as well as a list of alleged victims.

Another characteristic feature of Karakurt is that they do not focus only on a specific type of victim, since they simply base their attacks on the possibility of accessing the compromised networks. For their attacks, hackers can use poorly protected mechanisms and infrastructure weaknesses, or collaborate with other cybercriminal groups to gain initial access to the target. According to CISA, hackers commonly gain access to compromised networks by exploiting SonicWall VPN or Fortinet FortiGate devices if updates or obsolete, employing popular flaws such as Log4Shell or bugs in Microsoft Windows Server.

According to a report by security firm AdvIntel, Karakurt is part of the Conti network, which operates as an autonomous group alongside Black Basta and BlackByte, two other groups that rely on data theft and extortion for monetization purposes.

Feel free to access the International Institute of Cyber Security (IICS) websites to learn more about information security risks, malware variants, vulnerabilities, and information technologies.