The Department of Health and Human Services’ Health Sector Cybersecurity Coordination Center (HC3) has released an alert to the Healthcare and Public Health (HPH) sector regarding a relatively new extortion group named Karakurt, which has been identified as having carried out hacking and extortion attacks on the HPH industry. These attacks resemble those carried out by ransomware groups; however, the group does not encrypt data. It only steals information and demands a ransom payment to keep it from being published. The group is believed to be a breakaway from the Conti ransomware gang, or to have connections with that high-profile ransomware group.
Karakurt, also known as Karakurt Team or Karakurt Lair, conducted its first attacks at the end of 2021 and is known to have attacked at least four organizations in the HPH sector: a hospital, an assisted living facility, a dental company, and a healthcare provider. HC3 did not disclose the names of the healthcare providers targeted to date. One is Methodist McKinney Hospital in Texas. The hospital discovered the attack in June and confirmed that files containing sensitive patient data were exfiltrated during the attack. Karakurt is threatening to publish 367 GB of stolen data if no ransom is paid.
That attack is consistent with the group’s tactics: gain access to systems, search for valuable information, exfiltrate it, and then issue a ransom demand together with threats to publish the data if no ransom is paid. Those tactics are now common among ransomware groups; however, Karakurt victims have reported considerable harassment following the attacks. Besides pressuring the victim to pay, the group also harasses business associates, staff members, and clients by email and telephone to pile more pressure on the victim to pay before the data is released to the public. Samples of the stolen information are usually emailed as “proof of life” to show that data was in fact taken. The group demands large ransoms, from $25,000 to $13,000,000 in Bitcoin.
After gaining access to victims’ systems, the Karakurt threat actors use Cobalt Strike beacons to enumerate the system, Mimikatz to acquire credentials, and AnyDesk software to maintain persistent remote control. Tools chosen to fit the situation are used for lateral movement and privilege escalation. The threat actors spend time scanning and performing reconnaissance, with a dwell time of around 2 months. Once data of interest has been identified, 7zip is used to compress the files, which are then exfiltrated to cloud storage services such as Mega.nz using open-source tools like rclone, and over File Transfer Protocol (FTP) using clients like FileZilla. In a number of the attacks, large volumes of data were stolen, including entire network-connected shared drives amounting to more than 1 TB.
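The archive-then-exfiltrate chain described above is something a SOC can look for in endpoint process-creation telemetry. The following is an added example, not code from HC3 or this article: it runs over a handful of constructed events and flags a host where an archiver is followed within a few hours by one of the named transfer tools, and separately lists hosts running AnyDesk outside an approved set. The event format, host names, and executable names are assumptions.

```python
"""Flag the 7zip -> rclone/FTP staging pattern from the HC3 Karakurt alert.
Added example; assumes a simplified process-creation log (one dict per
event: host, time, image, cmdline). Sample events below are constructed."""
from datetime import datetime, timedelta

# Tool names taken from the alert. Presence alone is a weak signal (admins
# use 7-Zip and rclone legitimately); the ordered pair is what matters.
ARCHIVERS = {"7z.exe", "7za.exe", "7zg.exe"}
EXFIL_TOOLS = {"rclone.exe", "filezilla.exe", "megasync.exe", "megacmd.exe"}
REMOTE_ACCESS = {"anydesk.exe"}
WINDOW = timedelta(hours=6)  # assumed staging-to-upload window

def _image_name(event):
    # Strip the directory, compare case-insensitively.
    return event["image"].rsplit("\\", 1)[-1].lower()

def find_staging_chains(events, window=WINDOW):
    """Return (host, archive_time, exfil_image) for each host where an
    archiver ran and an exfil tool ran within `window` afterwards."""
    by_host = {}
    for e in sorted(events, key=lambda e: e["time"]):
        by_host.setdefault(e["host"], []).append(e)
    hits = []
    for host, evs in by_host.items():
        for i, e in enumerate(evs):
            if _image_name(e) not in ARCHIVERS:
                continue
            for later in evs[i + 1:]:
                if later["time"] - e["time"] > window:
                    break  # evs is time-sorted, nothing later can match
                if _image_name(later) in EXFIL_TOOLS:
                    hits.append((host, e["time"], _image_name(later)))
                    break
    return hits

def hosts_with_unapproved_remote_access(events, approved_hosts=frozenset()):
    """AnyDesk on a host outside the approved set is worth a ticket."""
    return sorted({e["host"] for e in events
                   if _image_name(e) in REMOTE_ACCESS
                   and e["host"] not in approved_hosts})

# Constructed sample: FS01 stages and uploads, WS07 only unpacks a report.
T = datetime(2022, 8, 1, 1, 0)
SAMPLE_EVENTS = [
    {"host": "FS01", "time": T, "image": r"C:\Users\svc\7z.exe",
     "cmdline": "7z.exe a -v1g shares.7z \\\\FS01\\Shares"},
    {"host": "FS01", "time": T + timedelta(minutes=40),
     "image": r"C:\Users\svc\rclone.exe", "cmdline": "rclone copy ..."},
    {"host": "FS01", "time": T + timedelta(hours=1),
     "image": r"C:\ProgramData\AnyDesk\AnyDesk.exe", "cmdline": "AnyDesk.exe"},
    {"host": "WS07", "time": T, "image": r"C:\Program Files\7-Zip\7z.exe",
     "cmdline": "7z.exe x report.zip"},
]
```

Feeding real Sysmon or EDR process events into the same two functions only requires mapping their fields onto `host`, `time`, and `image`.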
Initial access to victims’ systems is mainly acquired by buying stolen credentials from associates in the cybercrime ecosystem and purchasing access to already-breached systems from initial access brokers. Vulnerabilities are also exploited, phishing has been used, and Remote Desktop Protocol has been abused.
Read about the Indicators of Compromise and mitigations in the HC3 alert.