Report: Karakurt attacks linked to Conti and Diavol ransomware groups


A new report from Tetra Defense, an Arctic Wolf company, in conjunction with Chainalysis and Northwave, found that the Karakurt extortion group is operationally linked to both the Conti and Diavol ransomware groups, further debunking Conti’s earlier promise to victims that paying the ransom would protect them from future attacks. Through digital forensics and blockchain analysis, researchers identified significant overlaps between Karakurt intrusions and Conti-related re-extortions.

While Karakurt attacks can differ in the tools used, notable similarities emerged between some Karakurt intrusions and the previously suspected Conti-related re-extortions: the same tools were used for exfiltration, the adversary made the unusual choice of creating and leaving behind a list of the exfiltrated data in a file called “file-tree.txt” in the victim’s environment, and the same attacker hostname was used repeatedly when remotely accessing victims’ networks.

In addition, researchers found examples of cryptocurrency moving between Karakurt and Conti wallets; some payment addresses of Karakurt victims are in fact hosted together in the same wallets as the payment addresses of Conti victims. In one incident, Karakurt acknowledged and “warned” a victim that another attacker (Conti) was present in the network. After a brief back-and-forth, Conti took over the negotiations, using the data Karakurt had stolen.
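The two kinds of overlap described above (shared tradecraft such as a reused exfiltration tool, a distinctive artifact like “file-tree.txt” and a repeated remote hostname; and victim payment addresses that sit in the same wallet cluster) can be tallied mechanically once incident data is recorded consistently. The following is an added example, not code from the report or from Arctic Wolf, Tetra Defense, Chainalysis or Northwave. Every incident, tool name, hostname, payment address and wallet cluster id in it is a constructed placeholder, and the wallet-cluster mapping stands in for what a blockchain analytics provider would supply.

```python
"""Added example (not from the report): overlap analysis over constructed
incident records, tallying the kinds of links the report describes between
extortion groups. All values below are constructed placeholders."""
from collections import defaultdict
from dataclasses import dataclass


@dataclass
class Incident:
    case_id: str
    group: str                 # attribution at the time of incident response
    exfil_tools: set           # tools observed staging/exfiltrating data
    artifacts: set             # distinctive files left in the victim environment
    remote_hostname: str       # hostname seen on the attacker's remote session
    payment_address: str       # address given to the victim for payment


# Constructed sample cases; tool names, hostnames and addresses are placeholders.
INCIDENTS = [
    Incident("case-01", "Karakurt", {"tool-X"}, {"file-tree.txt"}, "HOST-PLACEHOLDER-A", "addr-k1"),
    Incident("case-02", "Karakurt", {"tool-X"}, {"file-tree.txt"}, "HOST-PLACEHOLDER-A", "addr-k2"),
    Incident("case-03", "Conti-re-extortion", {"tool-X"}, {"file-tree.txt"}, "HOST-PLACEHOLDER-A", "addr-c1"),
    Incident("case-04", "Conti", {"tool-Y"}, set(), "HOST-PLACEHOLDER-B", "addr-c2"),
    Incident("case-05", "Diavol", {"tool-Y"}, set(), "HOST-PLACEHOLDER-C", "addr-d1"),
]

# Constructed stand-in for a blockchain analytics clustering result:
# payment address -> id of the wallet cluster that controls it.
WALLET_CLUSTERS = {
    "addr-k1": "cluster-1",
    "addr-k2": "cluster-2",
    "addr-c1": "cluster-1",   # co-hosted with a Karakurt victim's address
    "addr-c2": "cluster-3",
    "addr-d1": "cluster-4",
}


def shared_indicators(incidents):
    """Map each (kind, value) indicator to the set of groups it was seen with,
    keeping only indicators that appear under more than one group."""
    seen = defaultdict(set)
    for inc in incidents:
        for tool in inc.exfil_tools:
            seen[("exfil_tool", tool)].add(inc.group)
        for art in inc.artifacts:
            seen[("artifact", art)].add(inc.group)
        seen[("remote_hostname", inc.remote_hostname)].add(inc.group)
    return {k: v for k, v in seen.items() if len(v) > 1}


def cohosted_addresses(incidents, clusters):
    """Group payment addresses by wallet cluster and return the clusters whose
    addresses belong to victims of more than one group."""
    by_cluster = defaultdict(list)
    for inc in incidents:
        cid = clusters.get(inc.payment_address)
        if cid is None:
            continue   # unclustered address: no co-hosting claim can be made
        by_cluster[cid].append((inc.group, inc.payment_address))
    return {cid: members for cid, members in by_cluster.items()
            if len({g for g, _ in members}) > 1}


def link_score(incidents, clusters, a, b):
    """Count the distinct indicator types shared by groups a and b, a coarse
    ranking of which pairs deserve closer analyst attention."""
    kinds = {kind for (kind, _), groups in shared_indicators(incidents).items()
             if {a, b} <= groups}
    if any({a, b} <= {g for g, _ in members}
           for members in cohosted_addresses(incidents, clusters).values()):
        kinds.add("wallet_cluster")
    return len(kinds)


if __name__ == "__main__":
    for key, groups in sorted(shared_indicators(INCIDENTS).items()):
        print(key, sorted(groups))
    for cid, members in cohosted_addresses(INCIDENTS, WALLET_CLUSTERS).items():
        print(cid, members)
    print(link_score(INCIDENTS, WALLET_CLUSTERS, "Karakurt", "Conti-re-extortion"))
```

On the constructed data the Karakurt and Conti-re-extortion cases share all three tradecraft indicator types plus a wallet cluster (score 4), Conti and Diavol share only an exfiltration tool (score 1), and Karakurt and Diavol share nothing. The score deliberately counts indicator types rather than raw matches, so that one hostname reused across many cases does not outweigh independent lines of evidence such as the wallet co-hosting.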

[Figure: Map of Karakurt victim locations. 55 attacks were in the US, Canada had 8 and the UK had 7.]

These clear connections between Karakurt and Conti, as well as between Diavol and Conti, add to the bigger picture of Conti that Arctic Wolf has been able to paint in recent months, following the February 2022 Jabber leaks. The biggest takeaway for victims is that any connection between these organizations diminishes the value of Conti’s “promise” to victims that they will not be attacked again if they pay the ransom. If Karakurt and Diavol act as subsidiaries or partners of Conti and have access to victims who have already paid Conti, the incentive to pay only diminishes, as there is a non-zero chance of a company falling victim to one of Conti’s affiliates again.

Read Arctic Wolf’s full report.


This post, “Report: Karakurt attacks linked to Conti and Diavol ransomware groups”, was originally published at https://venturebeat.com/2022/04/21/report-karakurt-attacks-linked-to-conti-and-diavol-ransomware-groups/