Chris Swagler | April 20th, 2022

Researchers discovered financial and technological connections between the Karakurt cybercriminal group and two high-profile ransomware actors, Conti and Diavol, indicating a shift in business operations that expands their opportunities to target more victims. Researchers utilized forensics-based threat intel and blockchain analysis to discover that the two ransomware groups, thought to be operating independently, have become part of the evolving Karakurt web. The connection between Karakurt and Conti is strong, with the former working off the latter’s resources. Whether Karakurt is an elaborate side hustle by Conti and Diavol operators or a sanctioned enterprise by the overall organization remains to be seen. The connection, however, helps explain why Karakurt is surviving and thriving even though some exfiltration-only competitors have died out.

The findings are significant as the connections appear to show Karakurt endorsing ransomware, which was not the case when it was first discovered. The group, named after a venomous spider from eastern Europe and Siberia, began by focusing solely on data exfiltration and subsequent extortion rather than ransomware, allowing it to move quickly. In its first few months of operation, Karakurt accumulated 40 victims, 95% of which were in North America. Researchers explain that Karakurt is now expanding its horizons; however, the move appears to also benefit Conti, which represents a tactical shift.

According to the research report, Conti previously operated on a “standard pledge” to its victims: they will not be targeted for future attacks if they pay the demanded ransom. Contrary to this pledge, a cybersecurity company discovered the connection between Karakurt and Conti through a client that reported being the target of a second extortion attempt after falling victim to Conti and paying the ransom. The second attempt came from an unknown group that stole data without using encryption, which is Karakurt’s modus operandi. Karakurt does not typically delete the data it steals, contradicting Conti’s promise to victims. The client incident occurred while Conti was dealing with disgruntled affiliates who wanted more money, one of whom turned on the group by leaking Conti’s playbook and training materials. Researchers theorized that collaborating would have been mutually beneficial for both cybercriminal groups, and discovered financial, technological, and other evidence of the connection.

On the technological side, researchers found similarities between Karakurt and Conti by building a dataset of Karakurt intrusions, of which they had already identified more than a dozen. Even though Karakurt attacks vary in the tools used, overlaps began to appear between some Karakurt intrusions and the earlier suspected Conti-related re-extortion. These overlaps included the use of Fortinet SSL VPNs for initial entry, the use of the same exfiltration tools, a distinctive adversary habit of generating and leaving behind a listing of the exfiltrated data in a file named “file-tree.txt” in the victim’s environment, and the use of the same threat operator hostname when remotely accessing victims’ networks.
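The “file-tree.txt” artifact described above is something an incident responder can hunt for directly. The following is an added example, not code from the research or from SpearTip: it walks a directory tree, flags files with that exact name, and applies a simple heuristic (most non-empty lines contain a path separator) to reduce false positives from unrelated files that happen to share the name. The sample directory it builds is constructed test data.

```python
import os
import re
import tempfile

# The left-behind exfiltration listing described in the report.
INDICATOR_NAME = "file-tree.txt"
# A line "looks like a path" if it contains a Windows or POSIX separator.
PATH_RE = re.compile(r"[\\/]")


def count_path_lines(text):
    """Return (lines_that_look_like_paths, total_non_empty_lines)."""
    lines = [ln for ln in text.splitlines() if ln.strip()]
    paths = sum(1 for ln in lines if PATH_RE.search(ln))
    return paths, len(lines)


def find_exfil_listings(root, min_paths=5):
    """Walk `root`; return [(path, path_lines, total_lines)] for suspicious hits.

    A hit requires the exact indicator filename, at least `min_paths` path-like
    lines, and path-like lines making up at least half of the file's content.
    """
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if name.lower() != INDICATOR_NAME:
                continue
            full = os.path.join(dirpath, name)
            try:
                with open(full, "r", encoding="utf-8", errors="replace") as fh:
                    text = fh.read(1_000_000)  # cap the read; listings can be huge
            except OSError:
                continue  # unreadable file: skip, do not abort the hunt
            paths, total = count_path_lines(text)
            if paths >= min_paths and paths * 2 >= total:
                hits.append((full, paths, total))
    return hits


def demo():
    """Build a constructed sample tree in a temp dir and scan it (test data only)."""
    root = tempfile.mkdtemp(prefix="hunt-")
    share = os.path.join(root, "shares", "finance")
    os.makedirs(share)
    # Constructed listing: 12 Windows-style paths, the shape of a real artifact.
    listing = "\n".join(
        f"C:\\Shares\\Finance\\Q{q}\\report-{n}.xlsx" for q in range(1, 5) for n in range(3)
    )
    with open(os.path.join(share, INDICATOR_NAME), "w") as fh:
        fh.write(listing + "\n")
    # Decoy with the same name but no path-like content: should not be flagged.
    with open(os.path.join(root, INDICATOR_NAME), "w") as fh:
        fh.write("just a note about trees\nnot a listing\n")
    return find_exfil_listings(root)
```

Run `demo()` to see the single flagged listing; point `find_exfil_listings` at a mounted image or live share root during an investigation.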

Blockchain analysis offered early indications of Karakurt’s connections to Conti ransomware, since the relevant transactions pre-date the discovery of similarities in Karakurt’s and Conti’s software and attack strategy. Dozens of cryptocurrency addresses belonged to Karakurt, spread across multiple wallets, with victims paying from $45,000 up to $1 million. Researchers quickly noticed that Karakurt wallets were transmitting large sums of cryptocurrency to Conti wallets. Both Conti and Karakurt victim payment addresses shared wallet hosting, leaving no doubt that Conti and Karakurt are deployed by the same individual or group.

Additionally, researchers discovered that Karakurt and the Diavol ransomware group, which has been associated with the dangerous and widely used trojan TrickBot, shared tools and infrastructure. According to researchers, leaked Jabber chats from February and March 2022 indicated that Karakurt and Diavol operators were sharing attacker infrastructure at the same time. Blockchain analysis established Diavol’s relationship to Karakurt and Conti, revealing that the Conti wallet hosts the Diavol and Karakurt extortion addresses. The common address ownership confirms with near certainty that Diavol is deployed by the same actors behind Conti and Karakurt.

With the recent emergence of cybercriminals like Karakurt working together with high-profile ransomware groups like Conti and Diavol to expand their range of victims, it is more critical than ever for companies to stay vigilant about the current threat landscape, keep offline data backups, and regularly update network security software. You can trust SpearTip’s certified engineers and their ability to respond quickly to data breaches and ransomware incidents with one of the fastest response times in the industry, reclaim companies’ networks, and restore their operations. Our engineers work 24/7/365 at our Security Operations Centers monitoring networks for potential ransomware threats like Conti and Diavol. Our ShadowSpear Platform delivers a cloud-based solution that collects endpoint logs and detects sophisticated unknown and advanced threats with comprehensive insights, unparalleled data normalization, and visualizations.

If your company is experiencing a breach, call our Security Operations Centers at 833.997.7327 to speak directly with an engineer.