Report: Karakurt attacks linked to Conti and Diavol ransomware groups


A new report by Tetra Defense, an Arctic Wolf company, in partnership with Chainalysis and Northwave, assesses that the Karakurt extortion group is operationally linked to both the Conti and Diavol ransomware groups, debunking Conti's earlier pledge to victims that paying the ransom would protect them from future attacks. Through digital forensics and blockchain analytics, researchers identified significant overlaps between Karakurt intrusions and Conti re-extortions.

While Karakurt attacks vary in the tools used, notable similarities emerged between some Karakurt intrusions and earlier suspected Conti-related re-extortions. These include the use of the same exfiltration tools, a distinctive adversary habit of creating and leaving behind a file listing of the exfiltrated data, named "file-tree.txt", in the victim's environment, and the repeated use of the same attacker hostname when remotely accessing victims' networks.

Additionally, researchers found examples of cryptocurrency moving between Karakurt and Conti wallets; some Karakurt victim payment addresses are actually co-hosted in the same wallets as Conti victim payment addresses. In one incident, Karakurt acknowledged and "warned" a victim that another attacker (Conti) was present in the network. After a brief back-and-forth, Conti took over the negotiations, leveraging the data that Karakurt had stolen.
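The wallet co-hosting finding above rests on clustering payment addresses into wallets. As an added illustration (not code from the report, and the report does not say which heuristic Chainalysis used), the snippet below applies the common-input-ownership heuristic: addresses that sign inputs of the same transaction are assumed to belong to one wallet, and a victim address attributed to each group is then checked for landing in the same cluster. All transactions and addresses are constructed and fictional.

```python
"""Cluster payment addresses and flag cross-group co-hosting.

Constructed example: addresses that co-spend in one transaction are
merged into one wallet cluster (common-input-ownership heuristic).
"""
from collections import defaultdict

# Constructed, fictional transactions: tx id -> addresses signing its inputs.
SAMPLE_TXS = {
    "tx1": ["addrA", "addrB"],
    "tx2": ["addrB", "addrC"],
    "tx3": ["addrD", "addrE"],
    "tx4": ["addrF"],
}

# Constructed victim payment addresses attributed to each group.
KARAKURT_PAYMENT_ADDRS = {"addrA", "addrD"}
CONTI_PAYMENT_ADDRS = {"addrC", "addrF"}


def cluster_addresses(txs):
    """Union-find over addresses: merge every address that co-spends."""
    parent = {}

    def find(addr):
        parent.setdefault(addr, addr)
        while parent[addr] != addr:
            parent[addr] = parent[parent[addr]]  # path halving
            addr = parent[addr]
        return addr

    for inputs in txs.values():
        root = find(inputs[0])  # registers single-input addresses too
        for addr in inputs[1:]:
            parent[find(addr)] = root
    clusters = defaultdict(set)
    for addr in list(parent):
        clusters[find(addr)].add(addr)
    return [frozenset(members) for members in clusters.values()]


def co_hosted_pairs(txs, group1, group2):
    """Return sorted (addr1, addr2) pairs that share one wallet cluster."""
    pairs = set()
    for cluster in cluster_addresses(txs):
        for a in cluster & group1:
            for b in cluster & group2:
                pairs.add((a, b))
    return sorted(pairs)


if __name__ == "__main__":
    print(co_hosted_pairs(SAMPLE_TXS, KARAKURT_PAYMENT_ADDRS, CONTI_PAYMENT_ADDRS))
```

In the constructed data, addrA (Karakurt) and addrC (Conti) never appear in the same transaction but are linked through addrB, which is exactly the kind of indirect wallet overlap the report describes.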

[Figure: Map of Karakurt victim locations. 55 attacks were in the U.S., Canada had 8, and the UK had 7.]

These clear connections between Karakurt and Conti, as well as between Diavol and Conti, add to the larger picture of Conti that Arctic Wolf has been able to paint over the past couple of months, following the Jabber leaks in February 2022. The biggest takeaway for victims is that any connection between the groups diminishes the value of Conti's "promise" that victims will not be attacked again should they pay the ransom. If Karakurt and Diavol are acting as subsidiaries or partners of Conti, accessing victims that have already paid Conti, the incentive to pay only decreases, since there is a non-zero chance that an organization will be re-victimized by one of Conti's affiliates.

Read the full report by Arctic Wolf.


