A cyber-criminal gang is stealing sensitive data from businesses and demanding a ransom payment in exchange for deleting the stolen information – and they're harassing victims' employees, business partners and clients in an effort to make extortion attempts as effective as possible.
A joint advisory by the Federal Bureau of Investigation (FBI), the Cybersecurity and Infrastructure Security Agency (CISA) and other agencies warns that the Karakurt data-extortion group is trying to extort millions from victims across North America and Europe.
Known ransom demands have ranged from $25,000 to $13,000,000 in Bitcoin, with Karakurt setting a one-week deadline to pay before they publish the stolen information. The advisory doesn't detail how many victims have paid the ransoms.
The gang offer what they claim to be proof of access to networks and stolen data using screenshots or copies of file directories. As part of the extortion campaign, ransom notes are sent to employees of the victim company, with threats to publish the stolen information, including employment records, health records, and financial business records.
But the Karakurt cyber criminals don't just sit back and wait for a payment to come. According to the advisory, they engage in extensive harassment campaigns, sending emails and even making phone calls to employees, business partners, and clients with 'warnings' that the company needs to pay the ransom. It's noted that Karakurt has been known to exaggerate how much data has been stolen.
If the ransom is paid, the cyber criminals provide alleged 'proof' that the stolen files have been deleted, such as a screen recording of the deletion.
The threats to release stolen information are similar to the extortion techniques used by many ransomware gangs, where in addition to encrypting files, the cyber criminals threaten to publish the information if a ransom isn't paid.
In Karakurt's attacks, the information isn't encrypted, just stolen – with the cyber criminals hoping the threat of sensitive information being released is enough to prompt victims into paying.
But the alert notes that in some cases, Karakurt targets businesses that have previously fallen victim to ransomware attacks – having likely bought the data stolen in those incidents on the dark web or obtained it from data dumps.
As well as buying stolen login credentials to gain access to networks, Karakurt is known to exploit Log4j vulnerabilities, send phishing emails with malicious attachments designed to deliver malware, and take advantage of unpatched vulnerabilities in VPN software and firewall appliances, as well as outdated instances of Microsoft Windows Server.
Karakurt is still believed to be actively exploiting vulnerabilities in order to target businesses with extortion attacks – but the alert states there are actions that organisations can take to mitigate the threat posed by extortion groups, ransomware gangs and other cyber-criminal groups.
They include applying patches and security updates for known vulnerabilities to prevent cyber criminals from exploiting them, and implementing network segmentation with offline backups to make it more difficult for intruders to move around the network.
It's also recommended that users are trained to recognise and report attempted phishing attacks, that passwords are complex and unique, and that multi-factor authentication (MFA) is enabled for all users, so that if a cyber criminal acquires legitimate login credentials, it's harder for them to use those credentials to breach the network.