April 19, 2022

Conti & Karakurt Data Extortion Group

Industry: N/A | Level: Tactical | Source: Infinitum

By obtaining access to Conti servers, the Infinitum IT Cyber Threat Intelligence team has identified a link between the Conti ransomware group and the data extortion group Karakurt. Karakurt focuses on data extortion without deploying ransomware, relying solely on data exfiltration. The group has obtained access to victim networks primarily through VPN credentials. Based on the group's blog site, it compromised over 40 organizations between September and November 2021 and a further 11 organizations in December 2021. The compromised entities have been based in Canada and the United States. The Infinitum team's research began on February 27th, 2022, leveraging the Conti leaks to access resources such as Protonmail and Mega Upload accounts used by the ransomware group, which enabled the security team to infiltrate the Conti servers. From the team's surveillance, they identified resources being shared between Conti and Karakurt, with Conti uploading data to Karakurt's C2 servers using FileZilla. Additional review by Infinitum identified Conti using Inferno Solutions, a Russian VPS service, and accessing one of its data storage systems, which was found to contain in excess of 20TB of victim data. The security firm has shared the intelligence with the government.

  • Anvilogic Use Cases:
    • Adfind Execution
    • Adfind Commands
    • Cobalt Strike Beacon
    • Mimikatz
    • RDP Connection
    • RDP Logon/Logoff Event
    • Windows FTP Exfiltration
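The following is an added illustration, not code from Infinitum or Anvilogic, of what the listed use cases look like as simple matching logic. It parses constructed, flattened Windows telemetry lines (Sysmon-style process and network events plus Security logon events; the field names and sample values are assumptions, not real logs) and flags AdFind execution and command lines, Mimikatz, RDP logons, and FTP/FileZilla activity of the kind the report describes Conti using to move data. The rules are deliberately minimal; a production detection would normalize fields from the real log source and tune on baseline traffic.

```python
import re
from typing import Dict, List

# Constructed sample telemetry (NOT real logs): Sysmon-style process creation (EventID=1)
# and network connection (EventID=3) events plus Windows Security logons (EventID=4624),
# each flattened to a single key=value line. Hosts, users and IPs are made up.
SAMPLE_EVENTS = [
    'EventID=1 Host=WS01 User=CORP\\jdoe Image=C:\\Windows\\System32\\cmd.exe CommandLine="cmd.exe /c whoami"',
    'EventID=1 Host=WS01 User=CORP\\jdoe Image=C:\\Temp\\adfind.exe CommandLine="adfind.exe -f objectcategory=computer -csv"',
    'EventID=1 Host=WS01 User=CORP\\jdoe Image=C:\\Windows\\System32\\ftp.exe CommandLine="ftp.exe -s:C:\\Temp\\up.txt 198.51.100.7"',
    'EventID=3 Host=WS01 User=CORP\\jdoe Image="C:\\Program Files\\FileZilla FTP Client\\filezilla.exe" DestinationIp=198.51.100.7 DestinationPort=21',
    'EventID=4624 Host=SRV02 User=CORP\\svc_backup LogonType=10 IpAddress=203.0.113.9',
    'EventID=4624 Host=SRV02 User=CORP\\svc_backup LogonType=3 IpAddress=10.0.0.5',
    'EventID=1 Host=WS03 User=CORP\\asmith Image=C:\\Tools\\mimikatz.exe CommandLine="mimikatz.exe sekurlsa::logonpasswords"',
]

# key=value pairs; a value may be double-quoted to allow spaces.
_KV = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def parse_event(line: str) -> Dict[str, str]:
    """Turn one flattened key=value line into a dict."""
    return {key: (quoted if quoted else bare) for key, quoted, bare in _KV.findall(line)}


def image_name(ev: Dict[str, str]) -> str:
    """Lower-cased file name of the Image field (last path component)."""
    return ev.get("Image", "").rsplit("\\", 1)[-1].lower()


def _cmd(ev: Dict[str, str]) -> str:
    return ev.get("CommandLine", "").lower()


# Rule name -> predicate over one parsed event. Names mirror the use-case list above.
RULES = {
    "Adfind Execution": lambda ev: ev.get("EventID") == "1" and image_name(ev) == "adfind.exe",
    "Adfind Commands": lambda ev: ev.get("EventID") == "1" and "objectcategory=" in _cmd(ev),
    "Mimikatz": lambda ev: ev.get("EventID") == "1"
    and (image_name(ev) == "mimikatz.exe" or "sekurlsa::" in _cmd(ev)),
    # LogonType 10 = RemoteInteractive (RDP) on 4624 (logon) / 4634 (logoff).
    "RDP Logon/Logoff Event": lambda ev: ev.get("EventID") in {"4624", "4634"} and ev.get("LogonType") == "10",
    # Built-in ftp.exe client launched, or an outbound connection to TCP/21 / from FileZilla.
    "Windows FTP Exfiltration": lambda ev: (ev.get("EventID") == "1" and image_name(ev) == "ftp.exe")
    or (ev.get("EventID") == "3" and (ev.get("DestinationPort") == "21" or image_name(ev) == "filezilla.exe")),
}


def detect(lines: List[str]) -> List[Dict[str, object]]:
    """Run every rule over every line; return one finding per (event, rule) match."""
    findings: List[Dict[str, object]] = []
    for idx, line in enumerate(lines):
        ev = parse_event(line)
        for name, matches in RULES.items():
            if matches(ev):
                findings.append({"rule": name, "host": ev.get("Host", "?"), "user": ev.get("User", "?"), "event": idx})
    return findings


if __name__ == "__main__":
    for f in detect(SAMPLE_EVENTS):
        print(f"[{f['rule']}] host={f['host']} user={f['user']} event#{f['event']}")
```

Running the block prints six findings: the AdFind event fires both AdFind rules, the ftp.exe launch and the FileZilla connection to port 21 fire the exfiltration rule, the LogonType 10 logon fires the RDP rule, and the Mimikatz launch fires its rule; the cmd.exe and LogonType 3 events produce nothing. The "Cobalt Strike Beacon" and "RDP Connection" use cases from the list are not modelled here because they need network or memory telemetry that these flat lines do not carry.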