Report: Karakurt attacks linked to Conti and Diavol ransomware groups


We’re excited to bring Transform 2022 back in person on July 19 and pretty much July 20-28. Join AI and data leaders for insightful conversations and exciting networking opportunities. Register today!

A new report from Tetra Defensea Arctic Wolf company, in collaboration with chain analysis and Northwave, ruled that the Karakurt extortion group is operationally linked to both the Conti and Diavol ransomware groups, disproving Conti’s previous promise to victims that ransom payments would protect them from future attacks. Through digital forensics and blockchain analysis, researchers identified significant overlaps between Karakurt intrusions and Conti-re extortions.

While Karakurt attacks can differ regarding tools, some notable similarities started to emerge between some Karakurt intrusions and the previously suspected Conti-related re-extortion, including using the same tools for exfiltration and a unique choice of the adversary to creating and leaving a file list of exfiltrated data called “file-tree.txt” in the victim’s environment, as well as repeatedly using the same attacker’s hostname when remotely accessing victims’ networks.

In addition, researchers found examples of cryptocurrency moving between Karakurt and Conti wallets; some payment addresses of Karakurt victims are in fact hosted together in the same wallets as the payment addresses of Conti victims. In one incident, Karakurt acknowledged and “warned” a victim that another attacker (Conti) was present in the network. After a brief back-and-forth, Conti took over the negotiations, using the data Karakurt had stolen.

These clear connections between Karakurt and Conti, as well as Diavol and Conti, add to the bigger picture of Conti that Arctic Wolf has been able to paint in recent months, after the Jabber leaks in February 2022† The main benefit for the victims is that any connection between the organization reduces the value of Conti’s “promise” to the victims that they will not be attacked again if they pay the ransom. If Karakurt and Diavol act as subsidiaries or partners of Conti and have access to victims who have already paid Conti, the incentive to pay only diminishes as there is a non-zero chance of a company falling victim to one of Conti’s affiliates again companies.

Read the full report by Arctic Wolf.

VentureBeat’s mission is to be a digital city square for tech decision makers to learn about transformative business technology and transactions. Learn more about membership.

Leave a Reply

Your email address will not be published.