Ransomware Continues to Morph
The FBI, CISA, Treasury and FinCEN put out a new alert about a hacking group with a different tactic. While this has been done in the past, it has not been done at scale.
The group, Karakurt, does not encrypt your data. Instead they just steal it.
What they do after that is give the hacked companies a week and if they don’t pay the ransom, they threaten to auction it or publish it. Their demands have ranged from $25,000 to $13,000,000.
To confirm that they have stolen the data, they provide screenshots or directory listings.
In addition to simplifying their business model by not encrypting the data and therefore, not having to write code to encrypt and decrypt or manage encryption keys, they also don’t hack web sites.
Instead, they just buy stolen credentials via a variety of techniques.
They also use intrusion broker networks who know things like who is running vulnerable Sonicwall firewalls or outdated Log4j libraries.
They also try to steal as much data as they can, as a result they are less stealthy than some players.
But then they keep the pressure up.
They send harassing emails to employees and business partners, making the hack as noisy as possible. This encourages the company that was hacked to pay up, just to make the noise go away. They even make threatening phone calls to employees, business partners and clients.
Needless to say, backups are a useless defense to this type of attack.