Karakurt – A Disturbing Change in Ransomware Tactics


For years, businesses and IT service companies have done battle with hackers in the burgeoning business of crypto-locking data and extorting the affected companies and individuals to regain access to their information.

The tactics of hackers have evolved over the past few years. As businesses wised up and deployed better data backup systems, hackers have changed their tactics to include a secondary means of extortion, namely, the threat to release exfiltrated data.

In a disturbing new twist, however, the “Karakurt” group has opted to forgo the usual encryption step and go straight to extortion under the threat of releasing stolen data.

In a joint advisory released today, the Federal Bureau of Investigation (FBI), the Cybersecurity and Infrastructure Security Agency (CISA), the Department of the Treasury (Treasury), and the Financial Crimes Enforcement Network (FinCEN) warned of this evolving threat. The changing TTPs (tactics, techniques, and procedures) involve ransom demands of upward of $13,000,000.

How Karakurt Ransomware Finds Its Victims

Karakurt is not fussy when selecting its victims. It targets anyone it can find, in any sector or industry. The group performs reconnaissance and discovers victims in the following ways:

  • Purchasing stolen login credentials
  • Cooperating with fellow cyber criminals
  • Re-targeting already compromised victims
  • Leveraging “intrusion brokers”, entities that monetize their access to victims’ networks

Vulnerabilities That Karakurt Targets

There is nothing particularly original in the tactics used by the Karakurt group. Businesses that fail to educate their employees and keep their systems up to date are easy targets; the group gets in through the following weaknesses:

  • Outdated VPN and firewall appliances from SonicWall, Fortinet, WatchGuard, etc.
  • Apache Log4j vulnerabilities
  • Phishing and spear-phishing attacks
  • Malicious document macros within email attachments
  • Stolen VPN (virtual private network) and RDP (remote desktop protocol) credentials
  • Outdated and unpatched Microsoft Windows operating systems
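
Of the weaknesses above, the Log4j one is the easiest to check for mechanically, because the vulnerable code lives in a single library JAR that can be inventoried on disk. The script below is an added example written for this post (it is not from the advisory or from Thom infotech's tooling): it walks a directory tree, opens every JAR/WAR/EAR, reads the `log4j-core` version from its Maven `pom.properties`, checks whether the `JndiLookup` class is present, and flags anything older than 2.17.1. That cut-off is an assumption chosen to be conservative (the fixed 2.3.x and 2.12.x backports for old JVMs are not special-cased, so they would be flagged too), and the sample JARs it builds in a temporary directory are constructed fixtures that only mimic the real library's file layout.

```python
"""Inventory log4j-core JARs on disk and flag the ones that need patching.

Added example, not from the joint advisory or from Thom infotech.
Assumptions are noted inline; the sample JARs are constructed fixtures.
"""
import os
import re
import tempfile
import zipfile
from dataclasses import dataclass
from typing import Iterator, Optional, Tuple

# Real paths inside the upstream log4j-core JAR.
POM_PROPS = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
JNDI_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
# Assumption: anything below 2.17.1 on the 2.x line is reported as needing
# an update (conservative; the 2.3.x/2.12.x fixed backports are not special-cased).
FIXED_VERSION = (2, 17, 1)


@dataclass
class Finding:
    path: str
    version: Optional[str]
    jndi_lookup_present: bool
    needs_patch: bool


def parse_version(text: str) -> Optional[Tuple[int, ...]]:
    """'2.14.1' -> (2, 14, 1); '2.0-beta9' -> (2, 0, 0); garbage -> None."""
    m = re.match(r"(\d+)\.(\d+)(?:\.(\d+))?", text)
    if not m:
        return None
    return tuple(int(g or 0) for g in m.groups())


def read_version(zf: zipfile.ZipFile) -> Optional[str]:
    """Pull the version= line out of the Maven pom.properties, if present."""
    try:
        props = zf.read(POM_PROPS).decode("utf-8", "replace")
    except KeyError:
        return None
    for line in props.splitlines():
        if line.startswith("version="):
            return line.split("=", 1)[1].strip()
    return None


def inspect_jar(path: str) -> Optional[Finding]:
    """Return a Finding if the archive contains log4j-core, else None."""
    try:
        with zipfile.ZipFile(path) as zf:
            names = set(zf.namelist())
            if POM_PROPS not in names and JNDI_CLASS not in names:
                return None
            version = read_version(zf)
    except zipfile.BadZipFile:
        return None
    jndi = JNDI_CLASS in names
    parsed = parse_version(version) if version else None
    # No readable version (shaded/repackaged JAR) but the JNDI lookup class
    # is present: flag it for manual review rather than assume it is fixed.
    needs_patch = jndi if parsed is None else parsed < FIXED_VERSION
    return Finding(path, version, jndi, needs_patch)


def scan_tree(root: str) -> Iterator[Finding]:
    """Yield a Finding for every log4j-core archive under root."""
    for dirpath, _, files in os.walk(root):
        for name in files:
            if name.lower().endswith((".jar", ".war", ".ear")):
                found = inspect_jar(os.path.join(dirpath, name))
                if found:
                    yield found


def build_sample_jar(path: str, version: Optional[str], with_jndi: bool) -> None:
    """Constructed fixture: a minimal archive mimicking log4j-core's layout."""
    with zipfile.ZipFile(path, "w") as zf:
        if version is not None:
            zf.writestr(POM_PROPS, f"version={version}\ngroupId=org.apache.logging.log4j\n")
        if with_jndi:
            zf.writestr(JNDI_CLASS, b"\xca\xfe\xba\xbe")  # class-file magic only


def demo() -> dict:
    """Build constructed JARs in a temp dir and return {filename: needs_patch}."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_jar(os.path.join(tmp, "log4j-core-2.14.1.jar"), "2.14.1", True)
        build_sample_jar(os.path.join(tmp, "log4j-core-2.17.1.jar"), "2.17.1", True)
        build_sample_jar(os.path.join(tmp, "shaded-app.jar"), None, True)
        build_sample_jar(os.path.join(tmp, "other-lib.jar"), None, False)  # not log4j
        return {os.path.basename(f.path): f.needs_patch for f in scan_tree(tmp)}


if __name__ == "__main__":
    for name, flagged in sorted(demo().items()):
        print(f"{name}: {'NEEDS PATCH' if flagged else 'ok'}")
```

Run it as-is to see the constructed fixtures classified, or call `scan_tree("/opt")` (or wherever your Java applications live) to inventory a real host. Nested JARs inside WAR or fat-JAR archives are not unpacked here, which is why an unversioned archive that still carries the `JndiLookup` class is reported for review rather than silently passed.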

How You Can Defend Against Karakurt Ransomware

Businesses must redouble their cybersecurity efforts. Maintaining a strong defensive posture is essential. Those who opt to run their own IT systems need to reconsider whether or not they possess the necessary skills and experience to cover all their bases. This is especially true for small businesses that often entrust everything to a single individual.

Even those businesses that outsource their IT support need to evaluate their vendors to gauge whether or not they are in good hands. Thom infotech performs cybersecurity assessments, and we often find glaring omissions in the most basic areas.

If you are unsure of your cybersecurity posture, do your business a favor and reach out to our team for an affordable cybersecurity risk assessment. We can help you know with certainty whether your business can withstand the threats.