Rewterz Threat Alert – Karakurt Extortion Group – Active IOCs

Severity

High

Analysis Summary

Karakurt is a financially motivated threat actor group, active since at least June 2021, that specializes in data extortion. It steals the victim's data and demands a ransom payment. If the victim organization refuses to pay, the stolen information is auctioned off or published, where anyone may scrape it and use it for personal gain. The group has already impacted over 40 organizations across various industries and regions.
Karakurt actors typically gain access to victim networks by purchasing stolen credentials from initial access brokers or by exploiting well-known vulnerabilities such as Log4Shell or Zerologon. Once inside, they use Cobalt Strike Beacon to gain a foothold in the victim's environment, Mimikatz to extract credentials, AnyDesk to maintain persistent remote access, and a variety of additional tools for privilege escalation and lateral movement. Data is compressed and exfiltrated in bulk, usually with open-source utilities and FTP services. The actors then send ransom notes to the victim, stating that the organization has been compromised and urging it to contact Karakurt for negotiations through a Tor website.

Impact

  • Cyber Extortion
  • Information Theft

Indicators of Compromise

MD5

  • 286aaf0974d06d9b02d11611b2acccef
  • ca2883a7f300abd755706d3a9b55916b
  • e2bce0f3162076fa56de5215fd31e3ab

SHA-256

  • 712733c12ea3b6b7a1bcc032cc02fd7ec9160f5129d9034bf9248b27ec057bd2
  • 5e2b2ebf3d57ee58cada875b8fbce536edcbbf59acc439081635c88789c67aca
  • 563bc09180fd4bb601380659e922c3f7198306e0caebe99cd1d88cd2c3fd5c1b

SHA-1

  • 05a9b0c93f7e1ca272b4236d489f903c399e5faa
  • 401341a7a604ae8d80d9240cb54dde5e26a5cfdb
  • d18c007d856b98ad09818e62fc05acb755dae86c

Remediation

  • Block the threat indicators at their respective controls.
  • Search for IOCs in your environment.
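One way to act on the "search for IOCs in your environment" step is a small hash-sweep script. The following is an added illustration written for this advisory, not a Rewterz tool: it parses the IOC section in the layout used above (an algorithm heading followed by a bulleted list of hashes), hashes every file under a directory with MD5, SHA-1 and SHA-256, and reports any file whose digest appears in the list. The embedded IOC text is copied from this advisory; the function and file names are the author's own choices.

```python
"""Match files against the hash IOCs published in a threat alert.

Added illustration for this advisory (not Rewterz tooling). It parses the
advisory's own IOC section format (an algorithm heading followed by a bulleted
list of hashes), hashes every file under a directory with MD5, SHA-1 and
SHA-256, and reports any file whose digest appears in the list.
"""
import hashlib
import os
import re
import sys

# IOC section copied verbatim from the advisory above (MD5, SHA-256, SHA-1).
ADVISORY_IOC_TEXT = """
MD5

  • 286aaf0974d06d9b02d11611b2acccef
  • ca2883a7f300abd755706d3a9b55916b
  • e2bce0f3162076fa56de5215fd31e3ab

SHA-256

  • 712733c12ea3b6b7a1bcc032cc02fd7ec9160f5129d9034bf9248b27ec057bd2
  • 5e2b2ebf3d57ee58cada875b8fbce536edcbbf59acc439081635c88789c67aca
  • 563bc09180fd4bb601380659e922c3f7198306e0caebe99cd1d88cd2c3fd5c1b

SHA-1

  • 05a9b0c93f7e1ca272b4236d489f903c399e5faa
  • 401341a7a604ae8d80d9240cb54dde5e26a5cfdb
  • d18c007d856b98ad09818e62fc05acb755dae86c
"""

# Heading text as printed in the advisory -> hashlib algorithm name.
ALGO_NAMES = {"MD5": "md5", "SHA-1": "sha1", "SHA-256": "sha256"}
# Expected hex digest length per algorithm; used to reject malformed entries.
DIGEST_LEN = {"md5": 32, "sha1": 40, "sha256": 64}
HEX_RE = re.compile(r"^[0-9a-f]+$")


def parse_ioc_list(text):
    """Return {algorithm: set(lowercase hex digests)} from the advisory layout."""
    iocs = {name: set() for name in DIGEST_LEN}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line in ALGO_NAMES:          # section heading such as "SHA-256"
            current = ALGO_NAMES[line]
            continue
        value = line.lstrip("•*- ").strip().lower()
        if current and HEX_RE.match(value) and len(value) == DIGEST_LEN[current]:
            iocs[current].add(value)
        # Anything else (stray prose, wrong-length token) is ignored.
    return iocs


def hash_bytes(data):
    """Digest an in-memory blob with all three algorithms the advisory uses."""
    return {algo: hashlib.new(algo, data).hexdigest() for algo in DIGEST_LEN}


def hash_file(path, chunk_size=1 << 20):
    """Stream a file through all three hashes so large files need little memory."""
    hashers = {algo: hashlib.new(algo) for algo in DIGEST_LEN}
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            for h in hashers.values():
                h.update(chunk)
    return {algo: h.hexdigest() for algo, h in hashers.items()}


def match_hashes(digests, iocs):
    """Return [(algorithm, digest)] for every digest present in the IOC set."""
    return [(algo, d) for algo, d in digests.items() if d in iocs.get(algo, ())]


def scan_directory(root, iocs):
    """Walk `root` and return [(path, algorithm, digest)] for each IOC hit."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                digests = hash_file(path)
            except OSError:
                continue  # unreadable file: skip rather than abort the sweep
            for algo, digest in match_hashes(digests, iocs):
                hits.append((path, algo, digest))
    return hits


if __name__ == "__main__":
    # Usage: python ioc_scan.py <directory>   (defaults to the current directory)
    target = sys.argv[1] if len(sys.argv) > 1 else "."
    for path, algo, digest in scan_directory(target, parse_ioc_list(ADVISORY_IOC_TEXT)):
        print(f"IOC match: {path} {algo}={digest}")
```

A hit on any one algorithm is reported, so a match is still found when only the MD5 or SHA-1 of a sample was published. Hash matching is a point-in-time check: it will not catch a recompiled or repacked sample, so treat a clean sweep as "these exact files are absent", not as proof that the environment is unaffected.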