APT / THREAT GROUP
Karakurt
2 aliases
Last seen: Mar 17, 2026
Intelligence Profile
Karakurt actors have employed a variety of tactics, techniques, and procedures (TTPs), creating significant challenges for defense and mitigation. Karakurt victims have not reported encryption of compromised machines or files; rather, Karakurt actors have claimed to steal data and threatened to auction it off or release it to the public unless they receive payment of the demanded ransom. Known ransom demands have ranged from $25,000 to $13,000,000 in Bitcoin, with payment deadlines typically set to expire within a week of first contact with the victim.
Threat Analysis
Karakurt is a known-sophistication threat actor of undetermined national origin, engaged in cyber operations with a primary motivation of unknown activity patterns.
Intelligence Reports Mentioning Karakurt
The Good, the Bad and the Ugly in Cybersecurity – Week 19
SentinelOne Blog · May 8, 2026
Karakurt Ransomware Negotiator Sentenced to Prison
SecurityWeek · May 5, 2026
Karakurt extortion gang ‘cold case’ negotiator gets 8.5 years in prison
BleepingComputer · May 5, 2026
Quick Facts
Type: APT / Threat Group
Aliases: 2
Source: Malpedia
Also Known As
Karakurt, Karakurt Lair
Data sourced from Malpedia, Ransomware.live, RansomLook, and CTIWATCH OSINT collection. Actor attribution is based on available intelligence and may be incomplete.