Researchers on Friday reported they have a “high degree of confidence” that the cyber extortion group Karakurt is operationally linked to both the Conti and Diavol ransomware groups, acting as an exfiltration arm of the ransomware organizations.
In a blog post, researchers from Arctic Wolf Networks said since its first attacks in August 2021, Karakurt has victimized organizations in a number of industries in at least eight countries.
The researchers say these connections debunk the Conti group’s standard pledge to victims that paying the ransom will keep them safe from future attacks. Paying a ransom also does not result in Karakut deleting data, say the researchers.
In conducting the in-depth research Tetra Defense, an Arctic Wolf company, partnered with Chainalysis and Northwave to analyze the link between the Karakurt group to Conti and Diavol ransomware through Tetra’s digital forensics and Chainalysis’ blockchain analytics, which analyzed Karakurt’s cryptocurrency transactions.
The researchers say as recent leaks have revealed, Conti and Trickbot are complicated operations with sophisticated structures. However, the findings by Arctic Wolf indicate that the connection is even wider than originally thought to include additional exfiltration-only operations.
It should come as little surprise that a ransomware group might be less than honest when it comes to promises of deleting victim data, said John Bambenek, principal threat hunter at Netenrich. Bambenek said there’s simply no way to confirm if they did or figure out after the fact whether they sold the data to another party.
“Cryptocurrency has been a godsend for researchers in the insights that it lets us find on criminal operators,” Bambenek said. “Instead of having to bribe bankers, we can simply follow the money while sitting in our pajamas on the couch.”
Matt Johnson, director of security at SimSpace, added that ransomware and malware-as-a-service has been a long-standing model for many of the threat agents out there. Johnson said they end up having affiliate programs for revenue (extortion payment) share for licensing of the malware.
“From REViL to Conti and even Haskers giving away ZingoStealer, many of the exploit developers work through networks to distance themselves from the deployments and only offer the ‘software’ to the actors themselves,” Johnson explained. “Much like traditional businesses, these threat networks are weighing their risk appetite by distancing themselves from the actual hacks, but instead provide the ‘enabling’ technologies for the attacks."
Mike Parkin, senior technical engineer at Vulcan Cyber, said cybercriminal groups range from amateurs trying to make a quick buck, to criminal organizations as well organized as the best-known crime syndicates, to state and state-sponsored threats actors who have a main agenda other than simple crime. Parkin added that it gets even further complicated when these groups frequently merge, splinter, cooperate, or rebrand.
“Security professionals have been saying for years that it’s a bad idea to trust an attacker’s promise that they will send an encryption key, not sell the data even if you pay the ransom, or not attack again,” Parkin said. “These are criminal organizations. It’s not like breaking a promise to a victim is going to ruin their reputation.”