CISA Alert AA22-152A – Karakurt data extortion group.

This is a CISA Cybersecurity Alert. ID number Alpha Alpha Two Two tack One five two Alpha.

​​Original release date: June first, twenty twenty two.

This advisory provides information about the Karakurt data extortion group, also known as the Karakurt Team and Karakurt Lair. Karakurt actors have employed a variety of TTPs, creating significant challenges for defense and mitigation. Karakurt actors claim to steal data and threaten to auction it or release it to the public unless they receive payment. Known extortion demands have ranged from $25,000 to $13,000,000 in Bitcoin, with payment deadlines typically set to expire within a week of first contact with the victim.

Karakurt actors typically provide screenshots or copies of stolen file directories as proof of stolen data. Karakurt actors have contacted victims’ employees, business partners, and clients with harassing emails and phone calls to pressure the victims to cooperate. The emails have contained examples of stolen data, such as social security numbers, payment accounts, private company emails, and sensitive business data belonging to employees or clients.

As of May 2022, Karakurt’s website contained several terabytes of data purported to belong to victims across North America and Europe, along with several press releases naming victims who had not paid or cooperated, and instructions for participating in victim data auctions.

Karakurt does not appear to target any specific sectors, industries, or types of victims. During reconnaissance, Karakurt actors obtain access to victim devices primarily by purchasing stolen login credentials, through cooperating partners in the cybercrime community, or through buying access to already compromised victims through third-party intrusion brokers.

The full report linked in the show notes includes indicators of compromise, common initial access vulnerabilities used by Karakurt, extortion techniques, a full MITRE ATT&CK mapping for this adversary playbook, mitigation strategies, and links to additional security resources.

All organizations should report incidents and anomalous activity to CISA’s 24/7 Operations Center at central@cisa.dhs.gov or (888) 282-0870 and to the FBI via your local FBI field office or the FBI’s 24/7 CyWatch at (855) 292-3937 or CyWatch@fbi.gov.

This report was written by CISA, the United States Cybersecurity and Infrastructure Security Agency, and edited and adapted for audio by the CyberWire as a public service. Please visit www dot cisa dot gov to read the full report which may include additional details, links, and illustrations. A link to this report can be found in the show notes.

This has been a CISA Cybersecurity Alert.