Karakurt Hacking Group Targets Europe and North America
Financially-motivated threat actors have been relying heavily on ransomware in the past year. They attempt to infiltrate company and enterprise networks, and then steal important data before encrypting it. Finally, they offer the victim an option – to pay hundreds of thousands of dollars in exchange for a decryption tool, and to stop the criminals from publishing them online. However, it seems that there is a new threat actor, which has eliminated the ransomware component of this equation. The criminals, known as Karakurt, appear to be targeted companies in North America.
Karakurt is the name of a venomous spider found in Eastern Europe, and it is likely to have inspired by the name of the group judging by the imagery used for their Twitter account. Unfortunately, this does not reveal much about the identity or location of the criminals. There have already been 40 confirmed cases of Karakurt attacks, and 95% of them were identified in North America – the others were in Europe.
Karakurt Hackers Steal Files Without Using Ransomware
As mentioned earlier, the criminals are looking to extort their victims for money. However, they do not deploy a ransomware threat to achieve this. Instead, they use a combination of public tools and private malware to exfiltrate sensitive information from compromised networks. Once they manage to infiltrate a system successfully, they also attempt to spread laterally through the entire network, enabling them to access more data.
One of the popular implants that the Karakurt hackers are relying on is Cobalt Strike. However, as mentioned above, they also do not hesitate to deploy legitimate tools such as AnyDesk in order to gain remote access to infected systems.
It would appear that most infiltrations happens by using login credentials. The criminals are either relying on spear-phishing attacks, or they are using other methods to steal credentials from company employees. Needless to say, protecting networks from the Karakurt attack requires the use of secure network policies and safe, regularly updated account credentials.