Joint Cybersecurity Advisory – Karakurt Data Extortion Group (Updated December 14, 2023)

December 14, 2023

CISA has added language about Cisco VPNs being a possible initial access vector to the alert. Given the widespread use of Cisco products, WaterISAC is sharing this for situational awareness purposes. 

June 2, 2022

The Cybersecurity and Infrastructure Security Agency (CISA), along with the FBI, the Department of Treasury, and the Financial Crimes Enforcement Network (FinCEN) have published a joint Cybersecurity Advisory providing information on the Karakurt Data Extortion Group. The advisory notes “Karakurt victims have not reported encryption of compromised machines or files; rather, Karakurt actors have claimed to steal data and threatened to auction it off or release it to the public unless they receive payment of the demanded ransom.” The threat actors typically provide screenshots or copies of stolen file directories as evidence of stolen data. Karakurt usually gains initial access to a victim via stolen login credentials. The advisory also includes further technical details regarding this threat actor, including indicators of compromise and TTPs, and lists recommended mitigations.

To report suspicious or criminal activity related to information found in advisory, contact your local FBI field office, or the FBI’s 24/7 Cyber Watch (CyWatch) at (855) 292-3937, or by e-mail at Cy*****@*bi.gov. If you have any further questions, or to request incident response resources or technical assistance related to these threats, contact CISA at CI*************@******hs.gov. Access the full advisory at CISA.