Introduction
Karakurt actors have employed a variety of tactics, techniques, and procedures (TTPs), creating significant challenges for defense and mitigation. Karakurt victims have not reported encryption of compromised machines or files; rather, Karakurt actors have claimed to steal data and threatened to auction it off or release it to the public unless they receive payment of the demanded ransom. Known ransom demands have ranged from $25,000 to $13,000,000 in Bitcoin, with payment deadlines typically set to expire within a week of first contact with the victim.
Activities and Tactics
Country of Origin: 🇷🇺 Russia
Incident Type: Extortion
Suspected Victims: Canada, Germany, United Kingdom, United States
Notable Campaigns
Information pending cataloguing.
Tactics, Techniques, and Procedures (TTPs)
Information pending cataloguing.
Notable Indicators of Compromise (IOCs)
No curated IOCs are currently published for this actor. This section will be updated when stable, attributable indicators are available.
Malware and Tools
Ransomware Tool Matrix observations
| Category | Observed tools |
|---|---|
| Credential Theft | Mimikatz |
| Exfiltration | FileZilla, MEGA, RClone |
| Networking | Ngrok |
| OffSec | Cobalt Strike |
| RMM Tools | AnyDesk |
Attribution and Evidence
Country of Origin: Russia Additional attribution information pending cataloguing.
References
References pending cataloguing.