US govt: Paying Karakurt extortion ransoms won’t stop data leaks

Several U.S. federal agencies warned organizations today against paying ransom demands made by the Karakurt gang since that will not prevent their stolen data from being sold to others.

Karakurt, the data extortion arm of the Conti ransomware gang and cybercrime syndicate, is focused on stealing data from companies since at least June 2021 and forcing them into paying ransoms under the threat of publishing the information online.

Within just two months, between September and November 2021, more than 40 organizations have fallen victim to Karakurt hacking attempts.

After stealing their victims' data, Karakurt demands ransoms ranging from $25,000 to $13 million worth of Bitcoin that must be paid within a week.

The extortion gang is pressing victims into paying the data extortion ransom by harassing their business partners, clients, and employees via email and phone calls prodding them to ask for negotiations to prevent data leaks.

"Although Karakurt's primary extortion leverage is a promise to delete stolen data and keep the incident confidential, some victims reported Karakurt actors did not maintain the confidentiality of victim information after a ransom was paid," the FBI, CISA, U.S. Department of Treasury, and FinCEN said in a joint advisory.

"The U.S. government strongly discourages the payment of any ransom to Karakurt threat actors, or any cyber criminals promising to delete stolen files in exchange for payments."

Also known for exaggerated claims

The federal agencies further revealed that the Conti extortion arm is also known for often exaggerating the amount and value of the data they've stolen from victims' networks.

In some cases, Karakurt has even claimed to have stolen more data than their victims' servers could store.

"Karakurt actors have also exaggerated the degree to which a victim had been compromised and the value of data stolen," the agencies added.

"For example, in some instances, Karakurt actors claimed to steal volumes of data far beyond the storage capacity of compromised systems or claimed to steal data that did not belong to the victim."

Today's joint advisory also comes with detailed information on the tactics used by Karakurt operators during all attack stages, indicators of compromise, and mitigation measures to prevent or block their hacking attempts.

The U.S. federal agencies also shared a shortlist of actions that all organizations should take to mitigate ransomware threats, including prioritizing patches for security flaws exploited in the wild, training users to recognize and report phishing attacks, and enforcing multi-factor authentication (MFA).