Data extortion gang Karakurt is operating a new website to auction off terabytes of stolen information. The group is using Twitter to advertise the site, and has posted 20 victims since it became operational. This is the second such site the group has set up this year.
The auction site is hosted on a regular web server, rather than the dark web, as publicity is a key part of its extortion-only business model and the data must be easy for its clients to access. However, this tactic is also potentially reckless, and experts say it reflects the level of impunity with which criminal gangs linked to Russia have been operating since the war in Ukraine began.
Karakurt created the new site this month, and is using an associated Twitter account to advertise the stolen data it plans to auction off. Both remain operational at the time of writing, although the gang’s Twitter account has been flagged for abnormal behaviour. Victims listed include paper and pulp merchant Sappi, though the company has not confirmed whether an attack on its systems has actually taken place.
The group first created a website for selling data in January, but saw it shut down in May by law enforcement agencies. At the time, the US Cybersecurity and Infrastructure Security Agency (CISA), the FBI and the NSA released a joint advisory, which states: “The website contained several terabytes of data purported to belong to victims across North America and Europe, along with several ‘press releases’ naming victims who had not paid or cooperated and instructions for participating in victim data ‘auctions’.” The new site appears to have been created in its predecessor’s image.
Data extortion: a rising cybercrime business model
The group is one of many cybercrime gangs that prefer to only extort their victims rather than encrypt their systems, says Linn Freedman, chair of privacy and cybersecurity at law firm Robinson and Cole, in a report on extortion gangs. “The group does not encrypt data for ransom, but instead steals data, then threatens to auction it off or release it to the public with ransoms ranging from $25,000 to $13,000,000 in Bitcoin,” the report states.
While it may be risky, having a website on the so-called “clear web”, rather than the dark web, is crucial for attracting customers, says Allan Liska, computer security incident response team (CSIRT) lead at security company Recorded Future. “Not everybody has a Tor browser, so Karakurt has to have its data as accessible as possible if it’s going to be able to make any money,” he says. “In other words, if your goal is extortion, you can’t make the data difficult to get to.”
It is odd for Twitter to allow this kind of activity, continues Liska. “I wonder why Twitter is allowing this account to exist. Technically, posting stolen information about stolen data violates Twitter’s terms of service. This account should be shut down,” he says.
Indeed, Twitter’s Terms of Service do prohibit illegal advertising, buying and selling on its platform. “You may not use our service for any unlawful purpose or in furtherance of illegal activities,” they state. “This includes selling, buying, or facilitating transactions in illegal goods or services, as well as certain types of regulated goods or services.”
Twitter has not responded to Tech Monitor’s request for comment at the time of writing.
Karakurt and other Russian gangs feel ‘untouchable’
This sort of aggressive, illegal activity on the clear web shows how much protection these groups get from the Russian government, argues Liska.
Western law enforcement agencies appear to have a dwindling influence over cybercriminals in Russia, particularly since the beginning of the Ukraine war, he explains. “You absolutely have the geopolitical aspect of it and that is further entrenched [since the war in Ukraine began], in that Russia doesn’t want to take action against these groups. It doesn’t want to help the countries in the West that are asking for its assistance.”
Russian-speaking criminals will continue to act with impunity if Russia’s refusal to crack down on them persists, Liska says. “The members of Conti and the members of Karakurt have always operated with this sense of impunity,” he says. “They feel like they’re untouchable, and they likely are as long as they don’t leave Russia.”
He adds: “What we’re talking about here is a Russian government that refuses to take action. And there isn’t a whole lot that anybody outside of Russia can do.”
Karakurt’s links to Conti
Members of Conti, the Russian criminal gang behind the high-profile attack on Costa Rica, are in the sights of US law enforcement agencies, and last week the FBI offered $10m in exchange for information on the group’s members.
The US State Department released an image of what it believes to be the face of a well-known Conti operator known as Target. The generous bounty is also out for information on four other members known as Tramp, Dandis, Professor and Reshaev.
Researchers at security vendor Advanced Intelligence believe that Conti members moved on to work with Karakurt and other groups after the gang disbanded. “Conti had a couple of subsidiaries operating under different names: Karakurt, BlackByte, BlackBasta. The rebranded version of Conti – the monster splitting into pieces – is still very much alive,” a report from the company’s analysts says.
However, despite the amount of money on their heads or the boldness of their tactics, these cybercriminals are unlikely to be brought to justice by the US government, says Yelisey Boguslavskiy, head of research at security company Advanced Intelligence.
“I do not believe this can hasten them being caught, as they are in a jurisdiction which the Western law enforcement doesn’t have authority into,” Boguslavskiy says.