

A new report by Tetra Defense, an Arctic Wolf company, in partnership with Chainalysis and Northwave, assessed that the Karakurt extortion group is operationally linked to both the Conti and Diavol ransomware groups, debunking Conti’s previous pledge to victims that ransom payments would protect them from future attacks. Through digital forensics and blockchain analytics, researchers identified significant overlaps between Karakurt intrusions and Conti re-extortions.

While Karakurt attacks vary in tooling, notable similarities emerged between some Karakurt intrusions and the earlier suspected Conti-related re-extortions: the same tools were used for exfiltration, the adversary made the unusual choice to create and leave behind a listing of exfiltrated data named “file-tree.txt” in the victim’s environment, and the same attacker hostname was used repeatedly when remotely accessing victims’ networks.
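A detection-side illustration of the two overlaps just described, added here as example code and not drawn from the Arctic Wolf report: it scans constructed file-creation and remote-logon events for the “file-tree.txt” listing (any directory, any filename case) and for a remote-access source hostname that recurs across distinct victim environments. All events, hostnames, paths and IP addresses are constructed sample data; the report does not publish the attacker hostname, so “ATTACKER-PC” is a placeholder.

```python
"""Hunt for the two Karakurt/Conti overlap indicators described in the report:
a left-behind 'file-tree.txt' exfiltration listing and a remote-access source
hostname that recurs across otherwise unrelated victim environments.
Every event below is constructed sample data, not real telemetry."""
from collections import defaultdict
from pathlib import PureWindowsPath

# Constructed file-creation events (Sysmon Event ID 11 style), one per dict.
FILE_EVENTS = [
    {"victim": "org-a", "host": "FS01", "path": r"C:\Users\Public\file-tree.txt"},
    {"victim": "org-a", "host": "FS01", "path": r"C:\Users\Public\report.docx"},
    {"victim": "org-b", "host": "DC02", "path": r"D:\Shares\Finance\FILE-TREE.TXT"},
    {"victim": "org-c", "host": "WS17", "path": r"C:\Temp\filetree.txt"},
]

# Constructed remote-logon events (Windows 4624, network/RDP logon style).
# "ATTACKER-PC" is a placeholder; the report does not publish the real hostname.
LOGON_EVENTS = [
    {"victim": "org-a", "src_host": "ATTACKER-PC", "src_ip": "203.0.113.10"},
    {"victim": "org-a", "src_host": "ADMIN-LAPTOP", "src_ip": "10.0.0.5"},
    {"victim": "org-b", "src_host": "attacker-pc", "src_ip": "198.51.100.7"},
    {"victim": "org-c", "src_host": "ATTACKER-PC", "src_ip": "203.0.113.22"},
    {"victim": "org-c", "src_host": "HELPDESK01", "src_ip": "10.1.0.9"},
]

ARTIFACT_NAME = "file-tree.txt"  # filename from the report; matched case-insensitively


def find_exfil_listings(events):
    """Return (victim, host, path) for every creation of the file-tree.txt
    artifact, regardless of directory or filename case."""
    hits = []
    for ev in events:
        name = PureWindowsPath(ev["path"]).name
        if name.lower() == ARTIFACT_NAME:
            hits.append((ev["victim"], ev["host"], ev["path"]))
    return hits


def recurring_source_hosts(events, min_victims=2):
    """Map each remote-logon source hostname to the sorted list of victim
    environments it appeared in, keeping only hostnames seen in at least
    `min_victims` distinct environments. Names are case-folded because
    NetBIOS hostnames are case-insensitive. A hostname recurring across
    unrelated victims is the cross-incident overlap the report describes."""
    seen = defaultdict(set)
    for ev in events:
        seen[ev["src_host"].casefold()].add(ev["victim"])
    return {h: sorted(v) for h, v in seen.items() if len(v) >= min_victims}


if __name__ == "__main__":
    for hit in find_exfil_listings(FILE_EVENTS):
        print("exfil listing:", hit)
    for host, victims in recurring_source_hosts(LOGON_EVENTS).items():
        print(f"source host {host!r} seen at {len(victims)} victims: {victims}")
```

The second function is the cross-incident piece: a single response team sees one environment, so the hostname overlap only becomes visible when logon telemetry from several engagements is pooled and keyed on the normalized source name.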

Additionally, researchers found examples of cryptocurrency moving between Karakurt and Conti wallets; some Karakurt victim payment addresses are actually co-hosted in the same wallets as Conti victim payment addresses. In one incident, Karakurt acknowledged and “warned” a victim that another attacker (Conti) was present in the network. After a short back and forth, Conti took over the negotiations, leveraging the data that Karakurt had stolen. 

Map of Karakurt victim locations. 55 attacks were in the U.S., Canada had 8, and the UK had 7.

These clear connections between Karakurt and Conti, as well as Diavol and Conti, add to the larger picture of Conti that Arctic Wolf has been painting over the last couple of months, following the Jabber leaks in February 2022. The biggest takeaway for victims is that any connection between these organizations diminishes the value of Conti’s “promise” that victims who pay the ransom will not be attacked again. If Karakurt and Diavol are acting as subsidiaries or partners of Conti, accessing victims that have already paid Conti, the incentive to pay only decreases, since there is a non-zero chance a company may be re-victimized by one of Conti’s affiliates.


Read the full report by Arctic Wolf.
