Karakurt - the extortion group that skips encryption
Karakurt - analysis of the cybercriminal group specializing in data exfiltration and extortion without encryption. VPN/RDP attack vectors, double extortion tactics, MITRE ATT&CK mapping.
Imagine this scenario: an incident response team is called to an organization that received a ransom demand. A classic ransomware case - except no file has been encrypted. Systems are running normally, backups are intact, production continues without interruption. The only thing that changed is that terabytes of confidential data - client contracts, financial records, HR documentation, executive correspondence - have been copied and now reside on servers controlled by a group threatening to publish them.
This is Karakurt. A group that abandoned encryption - the loudest and most recognizable element of traditional ransomware - and bet entirely on data theft and extortion.
Operational model
Karakurt (also known as Karakurt Team, Karakurt Lair) is a cybercriminal group active since at least June 2021. The FBI, CISA, Treasury Department, and FinCEN issued a joint advisory about its activity in June 2022.
What distinguishes Karakurt from ransomware groups is the deliberate decision to forgo encryption:
| Feature | Traditional ransomware | Karakurt |
|---|---|---|
| File encryption | Yes | No |
| Data exfiltration | Optional (double extortion) | Always - the only leverage |
| Operational impact | Immediate - systems down | Minimal - systems run normally |
| Victim detection | Obvious (encrypted files) | Often only after attacker contact |
| Ransom demands | $200K - $20M+ | $25K - $13M |
| Time pressure | Dual (data recovery + leak) | Single (data leak) |
Why skipping encryption makes sense
From the attacker’s perspective, omitting encryption offers several advantages:
- Lower detection risk - encrypting hundreds of thousands of files generates unusual I/O patterns that EDR systems can detect. Copying files over the network is far harder to distinguish from normal activity
- Faster operations - exfiltration does not require deploying malware to every workstation
- No failure risk - flawed encryption means lost leverage. Karakurt avoids this problem entirely
- Simpler negotiations - the victim keeps access to its data, so there is no pressure for rapid system recovery; the threat of publishing confidential data, however, can be more damaging than downtime
Entry vectors
Analysis of Karakurt incidents reveals a recurring initial access pattern:
VPN and RDP (T1133, T1021.001)
The primary vector. Karakurt leverages:
- Stolen credentials - purchased on darknet markets (access brokers) or obtained from previous breaches
- VPN device vulnerabilities - particularly Fortinet FortiGate, Cisco AnyConnect, Pulse Secure
- RDP brute-force - internet-exposed Remote Desktop services without MFA
WARNING
CISA confirms that in most cases Karakurt gains access through purchased credentials or exploitation of known vulnerabilities. Organizations that have not implemented MFA on VPN and RDP, as well as those that do not update VPN appliances, face elevated risk.
Spearphishing (T1566)
Targeted email messages with malicious attachments or links, leading to installation of Cobalt Strike or another remote access tool.
Log4j and other vulnerability exploitation (T1190)
Karakurt actively exploits known vulnerabilities in internet-facing applications, including the critical Log4Shell vulnerability (CVE-2021-44228).
Attack chain
After gaining initial access, Karakurt follows a typical sequence:
Phase 1: Reconnaissance and escalation (1-3 days)
- Network Discovery (T1046, T1018) - scanning for network shares, file servers, databases
- Account Discovery (T1087) - AD account enumeration, administrator identification
- Credential Dumping (T1003) - Mimikatz, Cobalt Strike for credential extraction
- Privilege Escalation (T1068) - obtaining Domain Admin privileges
Phase 2: Data identification (2-5 days)
Karakurt invests time identifying the most valuable data:
- Client and partner contracts
- Financial data (statements, budgets, forecasts)
- Employee and client personal data
- Executive and management correspondence
- Intellectual property (source code, patents, R&D documentation)
- Legal documentation (lawsuits, settlements, legal opinions)
Phase 3: Exfiltration (3-10 days)
Data is copied from the victim’s network to Karakurt-controlled servers:
| Tool | Purpose |
|---|---|
| Rclone | Cloud synchronization (Mega.nz, cloud storage) |
| FileZilla | FTP/SFTP transfer to C2 servers |
| 7-Zip | Data compression before exfiltration |
| WinSCP | File transfer via SSH |
| Cobalt Strike | Extraction through C2 tunnel |
TIP
Exfiltration of large data volumes (tens of TB) generates network traffic anomalies - unusually high outbound traffic, connections to new external IP addresses, transfers during off-hours. Outbound traffic monitoring with baseline deviation alerting is one of the most effective Karakurt detection mechanisms.
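The baseline-deviation alerting described above, as an added example that is not part of the original article: it scores one day of outbound flow records against a per-host baseline on the three signals the tip names (volume far above the host's norm, a destination never seen before, transfers outside business hours). All records, baselines, hostnames and the business-hours window are constructed assumptions; the field layout is a simplified NetFlow-style tuple, not any specific collector's export format.

```python
"""Baseline-deviation alerting on outbound flow records (added example)."""
from collections import defaultdict
from datetime import datetime
from ipaddress import ip_address, ip_network
from statistics import mean, pstdev

# Constructed 7-day baseline: daily outbound bytes per internal host, as a real
# deployment would compute from historical flows. All values are invented.
BASELINE_DAILY_BYTES = {
    "10.0.5.21": [1.2e9, 0.9e9, 1.1e9, 1.3e9, 1.0e9, 0.4e9, 0.3e9],      # file server
    "10.0.8.14": [0.2e9, 0.3e9, 0.2e9, 0.25e9, 0.2e9, 0.05e9, 0.04e9],   # workstation
}

# External destinations each host contacted during the baseline window (constructed;
# the addresses are RFC 5737 documentation ranges standing in for real internet hosts).
KNOWN_DESTINATIONS = {
    "10.0.5.21": {"203.0.113.10", "198.51.100.7"},
    "10.0.8.14": {"203.0.113.10"},
}

# Constructed flow records for one day: (timestamp, src, dst, bytes_out).
FLOWS = [
    ("2022-06-14T09:15:00", "10.0.5.21", "203.0.113.10", 400_000_000),
    ("2022-06-14T14:40:00", "10.0.5.21", "198.51.100.7", 600_000_000),
    ("2022-06-14T02:10:00", "10.0.5.21", "192.0.2.55", 9_000_000_000),   # night, new dst, huge
    ("2022-06-14T03:30:00", "10.0.5.21", "192.0.2.55", 7_500_000_000),
    ("2022-06-14T10:05:00", "10.0.8.14", "203.0.113.10", 150_000_000),
    ("2022-06-14T11:20:00", "10.0.8.14", "10.0.5.21", 2_000_000_000),    # internal, ignored
]

# Assumption: the organisation uses RFC 1918 space internally; 07:00-19:59 is working time.
INTERNAL_NETWORKS = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
BUSINESS_HOURS = range(7, 20)
SIGMA_THRESHOLD = 3.0  # alert when today's volume exceeds mean + 3 standard deviations


def is_external(ip: str) -> bool:
    """Only traffic that leaves the organisation matters for exfiltration."""
    addr = ip_address(ip)
    return not any(addr in net for net in INTERNAL_NETWORKS)


def summarize_day(flows):
    """Aggregate one day of flows into per-host totals, destination sets and off-hours bytes."""
    totals = defaultdict(int)
    destinations = defaultdict(set)
    off_hours = defaultdict(int)
    for ts, src, dst, nbytes in flows:
        if not is_external(dst):
            continue
        totals[src] += nbytes
        destinations[src].add(dst)
        if datetime.fromisoformat(ts).hour not in BUSINESS_HOURS:
            off_hours[src] += nbytes
    return totals, destinations, off_hours


def detect_exfiltration(flows, baseline=BASELINE_DAILY_BYTES, known=KNOWN_DESTINATIONS):
    """Return (host, reason, detail) alerts for one day of flow records."""
    totals, destinations, off_hours = summarize_day(flows)
    alerts = []
    for host, today in totals.items():
        history = baseline.get(host)
        if history:
            mu, sigma = mean(history), pstdev(history)
            # Floor sigma at 5% of the mean so a perfectly flat baseline does not
            # alert on every trivial increase.
            if today > mu + SIGMA_THRESHOLD * max(sigma, 0.05 * mu):
                alerts.append((host, "volume", f"{today / 1e9:.1f} GB vs baseline {mu / 1e9:.1f} GB/day"))
        for dst in sorted(destinations[host] - known.get(host, set())):
            alerts.append((host, "new_destination", dst))
        if today > 0 and off_hours[host] > 0.5 * today:
            share = off_hours[host] / today
            alerts.append((host, "off_hours", f"{share:.0%} of outbound bytes outside business hours"))
    return alerts


if __name__ == "__main__":
    for host, reason, detail in detect_exfiltration(FLOWS):
        print(f"{host:<12} {reason:<16} {detail}")
```

With the constructed data the file server trips all three rules at once (roughly 17.5 GB against a sub-gigabyte daily norm, a never-seen destination, and most of the volume between 02:00 and 04:00), while the workstation's ordinary traffic stays silent; a host hitting two or more rules on the same day is the combination worth paging on, since any single one has benign explanations such as a new SaaS provider or a weekend backup job.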
Phase 4: Extortion
After completing exfiltration, Karakurt contacts the victim:
- Email to executives - message informing of data theft with samples as proof
- Phone calls to employees - direct calls to pressure management
- Contact with the victim’s business partners - informing clients and contractors about the leak
- Karakurt Lair site - Tor-based portal where non-paying victims’ data is published
Links to Conti
Analysts from Arctic Wolf and CISA identified connections between Karakurt and the Conti ecosystem - one of the largest ransomware groups, which ceased operations in 2022. Indicators include:
- Shared infrastructure (overlap in C2 servers and cryptocurrency wallets)
- Use of identical tools and techniques (Cobalt Strike with matching configurations)
- Karakurt activity overlapping temporally with Conti operations
- Conti victims who paid ransom and were subsequently extorted by Karakurt
This suggests Karakurt may be a specialized division of the Conti ecosystem responsible for monetizing stolen data - regardless of whether the victim paid a decryption ransom.
Defense against Karakurt
Since Karakurt does not encrypt data, the traditional “backups protect against ransomware” approach does not work. Defense must focus on:
Preventing entry:
- MFA on all remote access points (VPN, RDP, webmail)
- Updating VPN appliances (especially Fortinet, Pulse Secure)
- Disabling internet-facing RDP or restricting to jump servers
- Darknet monitoring for stolen organizational credentials
Preventing exfiltration:
- Data Loss Prevention (DLP) on critical assets
- Outbound traffic monitoring - alerting on large transfers to unknown addresses
- Network segmentation - restricting access to sensitive resources
- Blocking unauthorized file transfer tools (Rclone, FileZilla on user workstations)
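Where outright blocking of transfer tools is not possible, the same list can drive an endpoint detection. The following is an added example, not code from the original article: it classifies Sysmon Event ID 1-style process-creation records for the tools named above (Rclone, FileZilla, WinSCP), matching on the PE `OriginalFileName` field as well as the on-disk image name so that a renamed copy of the binary is still recognised, and raising severity when the command line points at a remote or external target. The event records, hostnames, allow-list and command-line patterns are constructed assumptions.

```python
"""Flagging exfiltration tooling in process-creation telemetry (added example)."""
import re

# Tools from the article's defence list, keyed by the PE OriginalFileName (lower-case).
EXFIL_TOOLS = {
    "rclone.exe": "Rclone",
    "filezilla.exe": "FileZilla",
    "winscp.exe": "WinSCP",
}

# Assumption: one backup server legitimately runs Rclone; everything else is unexpected.
ALLOWED_HOSTS = {"BACKUP01"}

# Command-line shapes that indicate a copy towards remote storage (constructed patterns).
EXTERNAL_TARGET_PATTERNS = [
    re.compile(r"\b(copy|sync|move)\b\s+\S+\s+(\w+):", re.I),  # rclone <cmd> <src> <remote>:<path>
    re.compile(r"\bmega\b", re.I),                              # Mega.nz remote named in the article
    re.compile(r"\b(sftp|ftp|ftps)://", re.I),                  # WinSCP / FileZilla URL targets
]

# Constructed Sysmon-like events. Field names follow Sysmon Event ID 1; values are invented.
EVENTS = [
    {"Computer": "WS-FIN-07", "Image": r"C:\Users\jdoe\AppData\Local\Temp\update.exe",
     "OriginalFileName": "rclone.exe",
     "CommandLine": r"update.exe copy D:\Shares\Finance mega:fin --transfers 32"},
    {"Computer": "BACKUP01", "Image": r"C:\Program Files\rclone\rclone.exe",
     "OriginalFileName": "rclone.exe",
     "CommandLine": r"rclone.exe sync E:\Backups gdrive:nightly"},
    {"Computer": "WS-HR-02", "Image": r"C:\Program Files\WinSCP\WinSCP.exe",
     "OriginalFileName": "winscp.exe",
     "CommandLine": r"WinSCP.exe sftp://upload@192.0.2.55/"},
    {"Computer": "WS-MKT-03", "Image": r"C:\Users\asmith\Downloads\filezilla.exe",
     "OriginalFileName": "filezilla.exe",
     "CommandLine": "filezilla.exe"},
    {"Computer": "WS-DEV-11", "Image": r"C:\Windows\System32\notepad.exe",
     "OriginalFileName": "NOTEPAD.EXE",
     "CommandLine": "notepad.exe report.txt"},
]


def classify(event):
    """Return an alert dict for one process-creation event, or None if it is benign."""
    original = event.get("OriginalFileName", "").lower()
    image_name = event["Image"].rsplit("\\", 1)[-1].lower()
    # OriginalFileName comes from the PE version resource, so it survives a rename on disk.
    tool = EXFIL_TOOLS.get(original) or EXFIL_TOOLS.get(image_name)
    if not tool or event["Computer"] in ALLOWED_HOSTS:
        return None
    findings = [f"{tool} executed"]
    if original in EXFIL_TOOLS and image_name != original:
        findings.append(f"binary renamed ({image_name} -> {original})")
    if any(p.search(event["CommandLine"]) for p in EXTERNAL_TARGET_PATTERNS):
        findings.append("command line references a remote or external target")
    severity = "high" if len(findings) > 1 else "medium"
    return {"host": event["Computer"], "tool": tool, "severity": severity, "findings": findings}


def scan(events):
    """Classify a batch of events and keep only those that produced an alert."""
    return [alert for alert in map(classify, events) if alert]


if __name__ == "__main__":
    for alert in scan(EVENTS):
        print(f"[{alert['severity']:<6}] {alert['host']:<10} {alert['tool']:<9} {'; '.join(alert['findings'])}")
```

The renamed Rclone copy on the finance workstation and the WinSCP session towards an external SFTP host come out as high severity, the bare FileZilla launch as medium, and the allow-listed backup server is suppressed; in production the allow-list would be keyed on host and signed image path rather than hostname alone.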
Incident readiness:
- Incident response plan covering data extortion scenarios (not only ransomware)
- Sensitive data inventory - knowing what can be stolen
- Crisis communication procedures (media, clients, regulators)
- Relationship with a law firm specializing in security incidents
TIP
Karakurt defense checklist:
- MFA on VPN, RDP, and all remote access services
- VPN appliance firmware updated to latest versions
- Monitoring unusual outbound traffic (volume, destination, timing)
- Blocking Rclone, FileZilla, WinSCP on endpoints (if unused)
- Privilege restriction - least privilege for network share access
- Regular penetration testing with data exfiltration simulation
- Incident response plan including data extortion scenarios
SEQRED conducts red teaming exercises that include data extortion scenario simulation, and helps organizations build incident response capabilities - including scenarios where data has been stolen but systems remain operational.