By breaking into an attack server, security researchers have uncovered new details that show the connection between the Karakurt group and Conti ransomware.

It’s not every day that you hear about the good guys hacking into cybercriminal servers, gaining access to credentials, and having a look around to see how things work on the inside. But that’s what security researchers at Arctic Wolf were able to do as part of a response to a Conti ransomware attack last year that was followed by a second attack using the same backdoor to gain entry. As you’d expect, the Conti attack left data encrypted. The second attack, however, was a pure data theft and extortion attack.

The researchers were able to gain access to a Conti-owned ProtonMail account, credentials, and a Conti virtual private server, discovering over 20 TB of data. Additionally, Arctic Wolf uncovered some interesting findings connecting the two organizations:

  • Payments between cryptocurrency wallets managed by the two organizations
  • Several accounts of Conti victims also paying Karakurt at a later time

The article is an interesting read, showing how Conti may be extending its business model to include regularly selling off access to Karakurt so that Karakurt can attempt a data extortion attack.

Conti is known for using phishing as the initial attack vector. And with the possibility of this double attack scenario, it becomes all the more critical that the Conti attack be stopped before it starts. Adding Security Awareness Training to your phishing prevention strategy engages the employee to play a part in spotting and reporting any phishing emails that get past security solutions to the inbox, lowering the risk of initial attack success.