Breach Monitoring

Breach Monitoring News Feed

Real-time tracking of threat actors, active data leaks, and cybersecurity incidents across the globe.

Kairos

Victims: 147

Karakurt

Karakurt is a financially motivated cybercrime group first publicly identified in June 2021, specializing in data extortion without file encryption. Instead of deploying ransomware to lock systems, Karakurt focuses on gaining access to victim networks, exfiltrating sensitive data, and threatening to leak it on its Tor-based site unless payment is made. The group has targeted victims across North America and Europe in industries including healthcare, manufacturing, education, and professional services. Intrusion methods include phishing, exploitation of vulnerabilities, and purchasing access from initial access brokers. Karakurt’s leak site lists stolen files in stages to pressure victims, sometimes publishing entire data sets if ransoms are not paid. The group is believed to have operational links to the Conti ransomware syndicate, based on shared infrastructure, overlapping victimology, and timing of activity.

Victims: 108

Karma

Karma is a ransomware group first observed in November 2021, operating a double-extortion model that combines data theft with encryption. The group primarily targets enterprises across various sectors, including healthcare, manufacturing, and technology, with confirmed victims in North America, Europe, and Asia. Karma is believed to be a rebrand or evolution of the FiveHands ransomware, itself derived from the earlier HelloKitty codebase, based on overlaps in encryption methods and ransom portal design. The ransomware appends the .KARMA extension to encrypted files and leaves ransom notes named KARMA-README.txt, directing victims to a Tor-based negotiation site. Initial access is typically obtained through compromised VPN credentials, exploitation of vulnerabilities in public-facing systems, and use of access brokers. Unlike some groups, Karma operators claim to avoid encrypting systems in healthcare emergency services, instead focusing on exfiltration and extortion.

Victims: 7

Kasseika

Kasseika is a ransomware variant first publicly reported in January 2024, identified as a new evolution of the BlackMatter/LockBit ransomware codebase. The malware appends the .kasseika extension to encrypted files and uses a double-extortion model, combining file encryption with threats to publish stolen data on a Tor-based leak site. Early analysis revealed that Kasseika shares several traits with LockBit 3.0, including encryption routines, obfuscation methods, and ransom note structure, but with modified branding and negotiation portals. Initial access vectors have not been widely confirmed, though patterns from related ransomware suggest the use of compromised credentials, RDP exploitation, and vulnerabilities in public-facing services. Victims have been observed in North America, Europe, and Asia, spanning industries like manufacturing, logistics, and professional services.

Victims: 0

Kawa

Victims: 11

Kazu

Victims: 43

Kelvin Security

Kelvin Security is a cybercrime group active since at least 2013, primarily known for hacktivism, data breaches, and website defacements rather than traditional ransomware operations. The group has claimed responsibility for intrusions targeting government agencies, educational institutions, and private companies across multiple regions, including Latin America, Europe, and the Middle East. While it has engaged in data theft and leak threats, there is no confirmed evidence that Kelvin Security operates a ransomware encryption component. Instead, their extortion model focuses on stealing sensitive data and threatening public disclosure, often publicizing breaches via social media and underground forums. The group’s activities have been linked to politically motivated campaigns as well as financially motivated breaches. Victim selection appears opportunistic, exploiting vulnerabilities in web servers, poorly configured databases, and exposed credentials.

Victims: 0

Key Group

Victims: 0

Killsec

Victims: 63

Killsec3

Victims: 383

Kirov

Victims: 0

Knight

Knight is a Ransomware-as-a-Service (RaaS) operation first observed in August 2023, believed to be a rebrand or evolution of the Cyclops ransomware family. The ransomware targets both Windows and Linux/ESXi systems, encrypting files with strong symmetric and asymmetric cryptography and appending the .knight extension. Knight affiliates employ a double-extortion model, stealing sensitive data before encryption and threatening to leak it via a Tor-based site. Distribution methods include phishing campaigns delivering malicious attachments, exploitation of vulnerabilities in public-facing services, and use of previously compromised credentials. The ransomware is modular, allowing affiliates to deploy only the components needed for a given environment, and has been used in attacks on healthcare, manufacturing, finance, and technology sectors across North America, Europe, and Asia. Knight’s leak site lists victims with partial data dumps to pressure payment, escalating to full leaks if negotiations fail.

Victims: 54