New Karakurt Threat Actor Focuses on Extortion, Not Ransomware

Researchers with security firm Accenture have published a report on a new big name in the threat actor landscape. The new entity is called Karakurt and, according to the researchers, has managed to claim more than 40 victims in just a few months in 2021.

Karakurt is a portmanteau of the Turkish words for "black" and "wolf" and is also encountered as a Turkish family name. It is also another name for the European black widow spider. It should be noted that this is not a name given to the outfit by security researchers but one that the group picked for itself.

Threat actor going for extortion over ransomware

Karakurt came up as a red blip on researcher radars in the middle of 2021 but has significantly picked up in activity over the past several months. Accenture describes the threat actor as "financially motivated, opportunistic" and seemingly targeting smaller entities, staying away from "big game". It is not too difficult to imagine why: one of the Darkside group's affiliates launched a crippling attack against Colonial Pipeline in the US, which brought incredible backlash on Darkside and led to the apparent shutdown of the threat actor.

Similar to most ransomware actors, Karakurt has been primarily targeting companies and entities located on US soil, with just 5% of the total attacks going after targets in Europe. However, the similarities to most ransomware in the mode of operation end here. Karakurt is not a ransomware gang.

Instead, the new threat actor focuses on a faster approach - going in and out quickly, exfiltrating as much sensitive data as possible, and then extorting money for the stolen information.

Accenture also believes that this approach will become increasingly popular among threat actors in the future and expects a slight shift away from ransomware to a pure "exfiltrate and extort" approach, combined with a shift towards targets that won't cause societal or infrastructural disruption when hit.

Karakurt's methods and tools

Karakurt relies on tools and applications already installed on victim networks rather than custom malware. The common method of initial access in the group's attacks so far has been the use of legitimate VPN login credentials. How those credentials were obtained, however, is not clear.

From this point on, Accenture paints a picture of Karakurt's actions that is all too familiar by now - Cobalt Strike beacons for command and control communication. Lateral movement across networks is achieved using whatever tools are available, from PowerShell to third-party malicious applications. The hacker outfit uses popular compression tools to pack the stolen data before sending it off to mega dot io for storage.
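The staging-then-exfiltration pattern described above (compress the data, push it to mega dot io) leaves a trace a defender can look for in telemetry. The script below is an added example, not code from the article or from Accenture; it correlates constructed process-creation and web-proxy records, and the archiver image names, the second Mega domain, the 100 MiB threshold and the one-hour correlation window are assumptions.

```python
import json
from datetime import datetime, timedelta

# Constructed sample telemetry in JSON-lines form (not data from the report).
# "process" rows are process-creation events; "proxy" rows are outbound web-proxy records.
SAMPLE_EVENTS = r"""
{"ts":"2021-11-02T08:01:10Z","host":"ws-17","type":"process","image":"C:\\Program Files\\7-Zip\\7z.exe","cmd":"7z a -p -mhe finance.7z D:\\Finance"}
{"ts":"2021-11-02T08:14:55Z","host":"ws-17","type":"proxy","dst":"mega.io","bytes_out":2147483648}
{"ts":"2021-11-02T09:30:00Z","host":"ws-03","type":"proxy","dst":"mega.io","bytes_out":40960}
{"ts":"2021-11-02T10:02:00Z","host":"ws-22","type":"process","image":"C:\\Program Files\\WinRAR\\WinRAR.exe","cmd":"WinRAR a hr.rar C:\\HR"}
{"ts":"2021-11-02T15:40:00Z","host":"ws-22","type":"proxy","dst":"mega.io","bytes_out":734003200}
"""

ARCHIVERS = ("7z.exe", "winrar.exe", "rar.exe")   # assumption: archiver images worth watching
CLOUD_STORAGE = ("mega.io", "mega.nz")            # mega.io is named in the article; mega.nz assumed
UPLOAD_THRESHOLD = 100 * 1024 * 1024              # 100 MiB outbound in one record (tunable)
WINDOW = timedelta(hours=1)                       # archive -> upload correlation window

def parse_events(text):
    """Parse JSON lines into dicts with a datetime 'ts', sorted chronologically."""
    events = [json.loads(line) for line in text.splitlines() if line.strip()]
    for e in events:
        e["ts"] = datetime.strptime(e["ts"], "%Y-%m-%dT%H:%M:%SZ")
    return sorted(events, key=lambda e: e["ts"])

def is_cloud_dst(dst):
    """True for the watched file-sharing domains and their subdomains only."""
    return any(dst == d or dst.endswith("." + d) for d in CLOUD_STORAGE)

def detect_exfil(text, threshold=UPLOAD_THRESHOLD, window=WINDOW):
    """Flag large uploads to file-sharing sites; rate them 'high' when an archiver
    ran on the same host within the window beforehand (staging, then exfiltration)."""
    last_archive = {}   # host -> timestamp of the most recent archiver execution
    alerts = []
    for e in parse_events(text):
        if e["type"] == "process" and e["image"].lower().endswith(ARCHIVERS):
            last_archive[e["host"]] = e["ts"]
        elif e["type"] == "proxy" and is_cloud_dst(e["dst"]) and e["bytes_out"] >= threshold:
            staged = e["host"] in last_archive and e["ts"] - last_archive[e["host"]] <= window
            alerts.append({"host": e["host"], "dst": e["dst"], "bytes_out": e["bytes_out"],
                           "severity": "high" if staged else "medium"})
    return alerts

if __name__ == "__main__":
    for alert in detect_exfil(SAMPLE_EVENTS):
        print(alert)
```

The 40 KiB transfer from ws-03 stays below the threshold and produces no alert, while ws-22's upload is flagged at medium severity because the archiver ran hours earlier, outside the window.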