GOLD TOMAHAWK
SUMMARY
GOLD TOMAHAWK, also known as Karakurt, Karakurt Lair or Karakurt Team, is a financially motivated cybercrime group that steals data before demanding payment from victims by threatening its publication. The group relies exclusively on data theft to extort victims; GOLD TOMAHAWK does not deploy ransomware to encrypt files and systems.
The group exploits vulnerabilities or weak credentials in SonicWall or Fortigate virtual private network (VPN) appliances to gain initial access. GOLD TOMAHAWK does not deploy custom tools or malware in its intrusions. Once inside the network, it uses off-the-shelf tools and applications, often native to the victim system, to meet its objectives. The group uses Remote Desktop Protocol (RDP) for lateral movement and has been observed using AnyDesk for remote access, as well as the Cobalt Strike offensive security tool. GOLD TOMAHAWK uses 7-Zip to compress data for extraction and the Mega and QuickPacket file-upload services for exfiltration.
Ransom notes are generally delivered by email, although compromised internal Microsoft Teams accounts have also been used for delivery. Unusually for ransomware or extortion groups, GOLD TOMAHAWK appears to rely heavily on conventional social media services in its infrastructure and maintains a number of accounts on popular platforms, including Twitter and Facebook. The group has been observed using Facebook Messenger to communicate with victims to add pressure during ransom negotiations.
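The tooling described above (7-Zip for staging, Mega or QuickPacket for upload, AnyDesk for remote access) lends itself to simple host-level detection. The following script is an added illustration, not part of the original profile or any Secureworks tooling: it parses constructed key=value endpoint telemetry (process starts and outbound connections), flags 7-Zip archive creation as opposed to extraction, flags connections to the named upload services, flags an AnyDesk install, and raises severity when archive staging on a host is followed by an upload-service connection within a time window. The log format, hostnames, timestamps and the "quickpacket" hostname fragment are all assumptions made for the example.

```python
import re
from datetime import datetime, timedelta
from pathlib import PureWindowsPath

# Constructed sample telemetry (not real logs). One event per line, key=value,
# with quoted values allowed to contain spaces.
SAMPLE_EVENTS = [
    'ts=2024-01-10T02:13:05 host=FS01 type=process user=svc_backup image="C:\\Program Files\\7-Zip\\7z.exe" cmdline="7z.exe a -p -mhe=on D:\\staging\\finance.7z E:\\shares\\finance"',
    'ts=2024-01-10T02:41:17 host=FS01 type=netconn user=svc_backup image="C:\\Users\\svc_backup\\AppData\\Local\\MEGAsync\\MEGAsync.exe" dest=mega.nz',
    # Benign: a user extracting an archive, then browsing to mega.nz without any staging on that host.
    'ts=2024-01-10T09:05:00 host=WS22 type=process user=jdoe image="C:\\Program Files\\7-Zip\\7z.exe" cmdline="7z.exe x C:\\Users\\jdoe\\Downloads\\report.7z"',
    'ts=2024-01-10T11:20:44 host=WS22 type=netconn user=jdoe image="C:\\Program Files\\Mozilla Firefox\\firefox.exe" dest=mega.nz',
    'ts=2024-01-11T01:02:09 host=DC01 type=process user=Administrator image="C:\\Users\\Administrator\\Downloads\\AnyDesk.exe" cmdline="AnyDesk.exe --install C:\\ProgramData\\AnyDesk --silent"',
]

KV_RE = re.compile(r'(\w+)=("([^"]*)"|\S+)')

# Substrings matched against the destination hostname. "mega.nz" is Mega's public
# domain; "quickpacket" is a placeholder fragment, as the page gives no hostname.
UPLOAD_SERVICES = ("mega.nz", "quickpacket")


def parse_event(line):
    """Turn one key=value line into a dict, converting the timestamp to datetime."""
    ev = {}
    for m in KV_RE.finditer(line):
        ev[m.group(1)] = m.group(3) if m.group(3) is not None else m.group(2)
    ev["ts"] = datetime.fromisoformat(ev["ts"])
    return ev


def image_name(ev):
    """Lower-cased basename of the process image, e.g. '7z.exe'."""
    return PureWindowsPath(ev.get("image", "")).name.lower()


def is_archive_staging(ev):
    """7-Zip run with the 'a' (add) command: creating an archive, not extracting one."""
    if ev.get("type") != "process" or image_name(ev) != "7z.exe":
        return False
    tokens = ev.get("cmdline", "").split()
    return len(tokens) > 1 and tokens[1] == "a"


def is_upload_service_connection(ev):
    """Outbound connection whose destination matches a known file-upload service."""
    dest = ev.get("dest", "").lower()
    return ev.get("type") == "netconn" and any(s in dest for s in UPLOAD_SERVICES)


def is_remote_access_tool(ev):
    """AnyDesk process start; adjust if the tool is sanctioned in your environment."""
    return ev.get("type") == "process" and image_name(ev) == "anydesk.exe"


def detect(lines, window=timedelta(hours=24)):
    """Return a list of findings; staging followed by upload on the same host is high severity."""
    events = sorted((parse_event(l) for l in lines), key=lambda e: e["ts"])
    findings = []
    last_staging = {}  # host -> timestamp of most recent archive creation
    for ev in events:
        host, ts = ev["host"], ev["ts"]
        if is_remote_access_tool(ev):
            findings.append({"host": host, "ts": ts, "rule": "remote_access_tool", "severity": "medium"})
        if is_archive_staging(ev):
            last_staging[host] = ts
            findings.append({"host": host, "ts": ts, "rule": "archive_staging", "severity": "low"})
        if is_upload_service_connection(ev):
            staged = last_staging.get(host)
            if staged is not None and ts - staged <= window:
                findings.append({"host": host, "ts": ts, "rule": "staging_then_upload", "severity": "high"})
            else:
                findings.append({"host": host, "ts": ts, "rule": "upload_service", "severity": "low"})
    return findings


if __name__ == "__main__":
    for f in detect(SAMPLE_EVENTS):
        print(f"{f['ts']} {f['host']:<5} {f['severity']:<6} {f['rule']}")
```

The correlation is deliberately per host and time-bounded: a lone connection to a file-sharing site is common and only worth a low-severity record, whereas an archive created with 7-Zip shortly before such a connection on the same machine matches the staging-then-exfiltration pattern the profile describes. The extraction on WS22 is not flagged because the 7-Zip command is `x`, not `a`.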