CyberWire Daily - CISA Alert AA22-152A – Karakurt data extortion group. [CISA Cybersecurity Alerts]
Episode Date: June 1, 2022

The Federal Bureau of Investigation (FBI), the Cybersecurity and Infrastructure Security Agency (CISA), the Department of the Treasury (Treasury), and the Financial Crimes Enforcement Network (FinCEN)... are releasing this joint Cybersecurity Advisory to provide information about the Karakurt data extortion group, also known as the Karakurt Team and Karakurt Lair. Karakurt actors have employed a variety of TTPs, creating significant challenges for defense and mitigation. Karakurt victims have not reported encryption of compromised machines or files; rather, Karakurt actors claim to steal data and threaten to auction it or release it to the public unless they receive payment.

AA22-152A Alert, Technical Details, and Mitigations
CISA-Multi-State Information Sharing and Analysis Center (MS-ISAC) Joint Ransomware Guide
Data Integrity: Detecting and Responding to Ransomware and Other Destructive Events
Stopransomware.gov
CISA's Ransomware Readiness Assessment
CISA's cyber hygiene services
FinCEN Advisory to Financial Institutions on Cyber-Events and Cyber-Enabled Crime
FinCEN Advisory on Ransomware and the Use of the Financial System to Facilitate Ransom Payments

All organizations should report incidents and anomalous activity to CISA's 24/7 Operations Center at central@cisa.dhs.gov or (888) 282-0870 and to the FBI via your local FBI field office or the FBI's 24/7 CyWatch at (855) 292-3937 or CyWatch@fbi.gov.
Transcript
You're listening to the CyberWire. ...Karakurt Team and Karakurt Lair.
Karakurt actors have employed a variety of TTPs,
creating significant challenges for defense and mitigation.
Karakurt actors claim to steal data and threaten to auction it
or release it to the public unless they receive payment.
Known extortion demands have ranged from $25,000 to $13 million in Bitcoin,
with payment deadlines typically set to expire within a week of first contact with the victim.
Karakurt actors typically provide screenshots or copies of stolen file directories as proof
of stolen data.
Karakurt actors have contacted victims' employees, business partners, and clients with harassing
emails and phone calls to pressure the victims to cooperate.
The emails have contained examples of stolen data, such as social security numbers, payment
accounts, private company emails, and sensitive business data belonging to employees or clients.
As of May 2022, Karakurt's website contained several terabytes of data purported to belong to victims across North America and Europe, along with several press releases naming victims who had not paid or cooperated and instructions for participating in victim data auctions.
Karakurt does not appear to target any specific sectors, industries, or types of victims.
During reconnaissance, Karakurt actors obtain access to victim devices primarily by purchasing
stolen login credentials through cooperating partners in the cybercrime community or through
buying access to already compromised victims through third-party intrusion brokers. The full report linked in the show notes includes indicators of compromise,
common initial access vulnerabilities used by Karakurt, extortion techniques, a full MITRE
attack mapping for this adversary playbook, mitigation strategies, and links to additional
security resources. All organizations should report incidents and anomalous activity to
CISA's 24/7 Operations Center at central@cisa.dhs.gov
or 888-282-0870 and to the FBI via your local FBI field office or the FBI's 24/7 CyWatch at
855-292-3937 or cywatch@fbi.gov. This report was written by CISA, the United States
Cybersecurity and Infrastructure Security Agency, and edited and adapted for audio by the CyberWire as
a public service. Please visit www.cisa.gov to read the full report, which may include additional details,
links, and illustrations. A link to this report can be found in the show notes.
This has been a CISA Cybersecurity Alert.