Karakurt is a financially motivated threat actor group, active since at least June 2021, that specializes in data extortion rather than file encryption. The group steals data from victim networks and demands a ransom for it; if the victim refuses to pay, the stolen data is auctioned off or published, where anyone can scrape and reuse it. Karakurt has claimed more than 40 victims across a range of industries and regions.
Karakurt actors typically gain initial access by purchasing stolen credentials or network access from initial access brokers, or by exploiting widely known vulnerabilities such as Log4Shell or Zerologon. Once inside, they use Cobalt Strike Beacon to enumerate the victim's network, Mimikatz to dump credentials, AnyDesk to keep persistent remote access, and a range of additional tools for privilege escalation and lateral movement. Data is compressed and exfiltrated in bulk, typically with open source utilities and FTP services. The actors then send ransom notes informing the victim that its network has been compromised and directing it to a Tor site to negotiate with Karakurt.
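The individual tools in that chain are noisy on their own (AnyDesk and archivers are common in legitimate use), so a practical hunt scores the sequence rather than any single tool. The following is an added example, not code from the original article or from any Karakurt report: a small Python script that classifies constructed Sysmon- and NetFlow-style log lines into the stages described above (credential dumping, remote access tool, archive staging, bulk FTP egress) and alerts only when a large FTP transfer is preceded by at least two of the other stages within a time window. The log format, field names, archiver list, byte threshold and sample telemetry are all assumptions made for the illustration.

```python
"""Sequence-based hunt for the intrusion chain described above.

Added example (not from the original article). The record format, field names,
thresholds and the sample telemetry below are assumptions for illustration.
"""
import re
from datetime import datetime, timedelta

# Constructed sample telemetry (not real logs). One record per line:
#   <ISO timestamp> host=<name> kind=<process|netflow> key=value ...
# Note the credential dumper has been renamed to mk.exe; only its command line
# gives it away. The AnyDesk launch on the second day has no exfil after it.
SAMPLE_LOGS = r"""
2022-03-01T09:00:12 host=ws07 kind=process image=C:\Windows\System32\svchost.exe cmd="svchost.exe -k netsvcs"
2022-03-01T09:14:03 host=ws07 kind=process image=C:\Users\Public\mk.exe cmd="mk.exe privilege::debug sekurlsa::logonpasswords"
2022-03-01T09:40:55 host=ws07 kind=process image=C:\ProgramData\AnyDesk\AnyDesk.exe cmd="AnyDesk.exe --install C:\ProgramData\AnyDesk --start-with-win --silent"
2022-03-01T11:02:17 host=fs01 kind=process image="C:\Program Files\7-Zip\7z.exe" cmd="7z.exe a -mx1 D:\out\finance.7z \\fs01\finance"
2022-03-01T11:55:40 host=fs01 kind=netflow dst=203.0.113.45 dport=21 bytes_out=8723913322
2022-03-01T12:00:00 host=ws12 kind=netflow dst=198.51.100.9 dport=21 bytes_out=1200
2022-03-02T15:30:00 host=ws12 kind=process image=C:\ProgramData\AnyDesk\AnyDesk.exe cmd="AnyDesk.exe"
"""

KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')      # key=value or key="value with spaces"
ARCHIVERS = {"7z.exe", "7za.exe", "rar.exe", "winrar.exe", "zip.exe"}   # assumption
EXFIL_BYTES = 500 * 1024 * 1024                 # assumption: >= 500 MiB out over FTP


def parse_logs(text):
    """Turn the constructed log text into a list of dicts with a datetime 'time'."""
    records = []
    for line in text.strip().splitlines():
        ts, _, rest = line.partition(" ")
        rec = {k: v.strip('"') for k, v in KV_RE.findall(rest)}
        rec["time"] = datetime.fromisoformat(ts)
        records.append(rec)
    return records


def classify(rec):
    """Map one record to a stage of the chain, or None if it matches nothing."""
    if rec.get("kind") == "process":
        image = rec.get("image", "").rsplit("\\", 1)[-1].lower()   # basename only
        cmd = rec.get("cmd", "").lower()
        # Match on module syntax as well as the binary name: renaming is cheap.
        if "mimikatz" in image or "sekurlsa::" in cmd or "lsadump::" in cmd:
            return "credential_theft"
        if "anydesk" in image:
            return "remote_access"
        # Archiver invoked with the 'a' (add to archive) verb.
        if image in ARCHIVERS and re.match(r"^\S+\s+a\b", cmd):
            return "staging"
    elif rec.get("kind") == "netflow":
        if rec.get("dport") == "21" and int(rec.get("bytes_out", 0)) >= EXFIL_BYTES:
            return "exfil"
    return None


def find_chains(records, window=timedelta(hours=24)):
    """Alert on each bulk FTP egress preceded, within `window`, by at least two
    other stages anywhere in the environment. Correlation is environment-wide
    rather than per host because lateral movement spreads the stages across
    several machines (credentials dumped on a workstation, data staged on a
    file server)."""
    staged = [(r["time"], r["host"], classify(r), r) for r in records]
    staged = sorted((s for s in staged if s[2]), key=lambda s: s[0])
    alerts = []
    for t, host, stage, rec in staged:
        if stage != "exfil":
            continue
        prior = [s for s in staged
                 if s[2] != "exfil" and timedelta(0) <= t - s[0] <= window]
        seen = {s[2] for s in prior}
        if len(seen) >= 2:
            alerts.append({
                "exfil_host": host,
                "dst": rec.get("dst"),
                "bytes_out": int(rec["bytes_out"]),
                "stages": sorted(seen | {"exfil"}),
                "hosts": sorted({s[1] for s in prior} | {host}),
            })
    return alerts


if __name__ == "__main__":
    for alert in find_chains(parse_logs(SAMPLE_LOGS)):
        print(alert)
```

On the sample data this raises one alert, for the file server's 8 GB transfer to port 21, and attributes it to two hosts because the credential dumping and AnyDesk install happened on the workstation. The 1,200-byte FTP flow stays below the threshold and the lone AnyDesk launch on the second day never gets an exfil event to anchor on, so neither produces noise. In a real deployment the same structure works over EDR process events and flow logs; the thresholds and tool lists are the parts to tune.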