Let’s travel together.

KARAKURT the “ransomware exfiltration group”

I would like to share our experience with Karakurt which is a group focused on exfiltration (theft) of data only. A search on the forums did not bring anything up, so it is a bit surprising, if I am in the wrong place feel free to move this thread to the correct location where it might help. These observations are based on about 10 cases I helped various clients with. 


* The Karakurt leaks site is disorganized and publishing of client names that did not pay is taking the form of “publication” and in most cases no data is posted

* It appears that karakurt is essentially a platform for cyber-criminals to do nothing else but negotiate with victims and try to collect as much as possible, hence the experience will vary

* Demands are typically out of whack with what organizations are able or willing to pay for data and the data exfiltrated is in most cases non-sensitve

* As no data is encrypted, most companies do not even wish to engage 

* Negotiation conversations are all over the place in terms of discounts and in many cases appears the negotiators are aggressive and abusive in their language

* In some cases the spoke language appears to be English native and in others it is clearly a translation from another language e.g. Russian or East-European


When payment is agreed and made to the criminals, in majority of cases it is a nuisance value only, and you can expect re-extortion demands in the form of emails to the victim company offering to “secure their infrastructure” or provide a detailed report. 


In other cases where payment is not made, affiliates or others somehow involved in the matter are making contact and threatening or accepting amounts that they rejected. In some cases the contacting parties demonstrate they have access to data that should have been “deleted”


Hence, payment to karakurt results in no proven mechanism that the data is erased and that the group or platform owners followed up on promises. 


My recommendation is to make no payment to this group unless the victim feels better for making a payment. Expect some emails either threatening additional consequences or offering some additional services for fee. This platform clearly has no ability to enforce promises for the victims and their communicators at least based on our limited experience are ineffective and emotional. 


If this post helped you, feel free to send me a PM and let me know or PM with any additional questions. 


Thank you all for the awesome platform where such information can be openly shared. 



Comments are closed.