GOLD TOMAHAWK
SUMMARY
GOLD TOMAHAWK, also known as Karakurt, Karakurt Lair or Karakurt Team, is a financially motivated cybercrime group that steals data before demanding payment from victims by threatening its publication. The group relies exclusively on data theft to extort victims; GOLD TOMAHAWK does not deploy ransomware to encrypt files and systems. CTU researchers assess with moderate confidence that GOLD TOMAHAWK is an associate of GOLD ULRICK but operates as an autonomous group.
The group posted its first victim name to the Karakurt leak site in November 2021 and was particularly active in 2022. However, activity tailed off through 2023, and GOLD TOMAHAWK listed its last victim on the leak site in September of that year. In December 2023, a Latvian individual and resident of Moscow, Russia, was arrested in Georgia and later extradited to the U.S., where he was subsequently charged with extortion, wire fraud and money laundering offences. It is not known if other members of this group continue to conduct cybercriminal activity under a different guise, although it is possible that some went on to act as affiliates of other data theft extortion operations.
Karakurt operations were characterised by the exploitation of vulnerabilities or weak credentials in SonicWall or FortiGate virtual private networks (VPNs) to gain initial access. GOLD TOMAHAWK did not deploy custom tools or malware in its intrusions. Once inside the network, it used off-the-shelf tools and applications, often native to the victim system, to meet its objectives. The group used remote desktop protocol (RDP) for lateral movement and was observed using AnyDesk for remote access. GOLD TOMAHAWK used 7-Zip to compress data before exfiltration and then exfiltrated it using a range of tools and services, including the Rclone file transfer application and the file-upload services Mega, QuickPacket, SendGB, put.io and qaz.im.
Ransom notes were generally delivered by email, although compromised internal Microsoft Teams accounts were also used for delivery. Unusually for ransomware or extortion groups, GOLD TOMAHAWK relied heavily on conventional social media services in its infrastructure and maintained a number of accounts on popular platforms, including Twitter and Facebook. The group was also observed using Facebook Messenger to communicate with victims to add pressure during ransom negotiations.
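The staging-then-exfiltration tool chain described above (7-Zip archiving followed by Rclone or an upload service, with AnyDesk for remote access) lends itself to a simple host-level correlation rule. The following is an added example written for this profile, not CTU tooling or anything from the original page; the process-creation events it runs over are constructed, and the tag names and six-hour window are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed process-creation events (timestamp, host, image path, command line),
# shaped loosely after Sysmon Event ID 1; none of these come from the original page.
SAMPLE_EVENTS = [
    ("2022-03-01T02:11:04Z", "fs01", r"C:\Program Files\7-Zip\7z.exe",
     r"7z.exe a -pREDACTED C:\Temp\fin.7z \\fs01\finance"),
    ("2022-03-01T02:40:17Z", "fs01", r"C:\Users\Public\rclone.exe",
     r"rclone.exe copy C:\Temp\fin.7z mega:stage --transfers 8"),
    ("2022-03-01T03:02:45Z", "ws17", r"C:\Users\Public\AnyDesk.exe", "AnyDesk.exe --service"),
    ("2022-03-02T09:15:00Z", "ws03", r"C:\Program Files\7-Zip\7z.exe",
     r"7z.exe x C:\Downloads\driver.7z"),  # benign archive use; no exfil tool follows
]

# Tooling named in the profile: 7-Zip (staging), Rclone and the upload services
# (exfiltration), AnyDesk (remote access). Patterns are assumptions for this example.
STAGING_RE = re.compile(r"\b7z[ag]?\.exe\b", re.I)
EXFIL_RE = re.compile(r"\brclone(?:\.exe)?\b|\bmega(?:\.nz|\.io|:)|sendgb|qaz\.im|put\.io|quickpacket", re.I)
REMOTE_RE = re.compile(r"\banydesk(?:\.exe)?\b", re.I)

def classify(image, cmdline):
    """Tag an event as staging / exfil / remote_access, or None when nothing matches."""
    text = f"{image} {cmdline}"
    for tag, rx in (("staging", STAGING_RE), ("exfil", EXFIL_RE), ("remote_access", REMOTE_RE)):
        if rx.search(text):
            return tag
    return None

def find_exfil_chains(events, window_hours=6):
    """Return (host, exfil_cmdline) for each exfil-tool launch that occurs within
    window_hours after a staging (archive) event on the same host."""
    tagged = defaultdict(list)
    for ts, host, image, cmdline in events:
        tag = classify(image, cmdline)
        if tag:
            tagged[host].append((datetime.fromisoformat(ts.replace("Z", "+00:00")), tag, cmdline))
    findings = []
    for host, evs in tagged.items():
        evs.sort()  # chronological order per host
        staged = [t for t, tag, _ in evs if tag == "staging"]
        for t, tag, cmdline in evs:
            if tag == "exfil" and any(0 <= (t - s).total_seconds() <= window_hours * 3600 for s in staged):
                findings.append((host, cmdline))
    return findings

def remote_access_hosts(events):
    """Hosts on which the remote-access tool named in the profile was started."""
    return sorted({h for _, h, img, cmd in events if classify(img, cmd) == "remote_access"})
```

On the sample data only fs01 produces a staging-to-exfil finding; the lone 7-Zip extraction on ws03 does not, which is the point of correlating the two stages rather than alerting on archiver use alone.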
Contact us
Whether your organization needs urgent assistance or would like to discuss its incident preparedness, response and testing needs, please contact us below.