Report: Karakurt attacks linked to Conti and Diavol ransomware groups


A new report by Tetra Defense, an Arctic Wolf company, in partnership with Chainalysis and Northwave, assessed that the Karakurt extortion group is operationally linked to both the Conti and Diavol ransomware groups, debunking Conti’s previous pledge to victims that ransom payments would protect them from future attacks. Through digital forensics and blockchain analytics, researchers identified significant overlaps between Karakurt intrusions and Conti re-extortions.

While the tooling in Karakurt attacks varies, notable similarities emerged between some Karakurt intrusions and the earlier suspected Conti-related re-extortion: the same exfiltration tools were used; the adversary made the unusual choice to create, and leave behind in the victim’s environment, a file listing of the exfiltrated data named “file-tree.txt”; and the same attacker hostname appeared repeatedly when the intruders remotely accessed victims’ networks.

Additionally, researchers found examples of cryptocurrency moving between Karakurt and Conti wallets; some Karakurt victim payment addresses are actually co-hosted in the same wallets as Conti victim payment addresses. In one incident, Karakurt acknowledged and “warned” a victim that another attacker (Conti) was present in the network. After a short back and forth, Conti took over the negotiations, leveraging the data that Karakurt had stolen. 

These clear connections between Karakurt and Conti, as well as between Diavol and Conti, add to the larger picture of Conti that Arctic Wolf has been able to paint over the last couple of months, following the Jabber leaks in February 2022. The biggest takeaway for victims is that any connection between these organizations diminishes the value of Conti’s “promise” to victims that they will not be attacked again should they pay the ransom. If Karakurt and Diavol are acting as subsidiaries or partners of Conti, accessing victims that have already paid Conti, the incentive to pay only decreases, since there is a non-zero chance a company may be re-victimized by one of Conti’s affiliates.

Read the full report by Arctic Wolf.

Originally appeared on: TheSpuzz