Karakurt gang demands up to $13 million in data extortion attacks

The Karakurt data extortion group steals data and threatens to auction it off or make it public unless the ransom is paid.

The latest cybersecurity advisory by American authorities provides information on the Karakurt data extortion group, also known as the Karakurt Team and Karakurt Lair.

Because the group employs a range of techniques rather than a single fixed playbook, defending against and mitigating its attacks is considerably harder.

“Karakurt victims have not reported encryption of compromised machines or files; rather, Karakurt actors have claimed to steal data and threatened to auction it off or release it to the public unless they receive payment of the demanded ransom,” the advisory reads.

Reported ransom demands have ranged from $25,000 to $13 million in Bitcoin, with payment details typically expiring within a week.

“Karakurt actors have typically provided screenshots or copies of stolen file directories as proof of stolen data. Karakurt actors have contacted victims’ employees, business partners, and clients with harassing emails and phone calls to pressure the victims to cooperate,” the advisory reads.

These communications often included samples of stolen data—primarily personally identifiable information (PII), such as employment records, health records, and financial business records.

Karakurt has managed to steal social security numbers, payment accounts, private company emails, and other sensitive business information.

“Upon payment of ransoms, Karakurt actors have provided some form of proof of deletion of files and, occasionally, a brief statement explaining how the initial intrusion occurred.”

The advisory noted that some victims reported that Karakurt actors did not maintain the confidentiality of victim information after a ransom was paid.

“In some cases, Karakurt actors have conducted extortion against victims previously attacked by other ransomware variants. In such cases, Karakurt actors likely purchased or otherwise obtained previously stolen data. Karakurt actors have also targeted victims at the same time these victims were under attack by other ransomware actors. In such cases, victims received ransom notes from multiple ransomware variants simultaneously, suggesting Karakurt actors purchased access to a compromised system that was also sold to another ransomware actor,” it said.