A warning has been issued by the Department of Health and Human Services’ Health Sector Cybersecurity Coordination Center (HC3) to advise healthcare organizations about a data-extortion threat group called Karakurt. The group has conducted several intrusions and extortion attacks against the healthcare sector. Karakurt’s attacks resemble ransomware, but instead of encrypting data, the group steals personal data and auctions it off or releases it publicly unless the victim pays.
The Karakurt gang was first identified in late 2021 and has attacked at least four healthcare organizations: a healthcare provider, a dental firm, an assisted living facility, and a hospital. HC3 has not named these organizations; however, Karakurt has listed Methodist McKinney Hospital as a victim on its data leak site.
The attack on Methodist McKinney Hospital was typical of the group. Karakurt gained access to the hospital’s systems, searched for valuable information, exfiltrated the data, and then demanded a ransom to prevent its release. Karakurt is known to extensively harass victims during attacks, including contacting business partners, employees, and clients by email and phone to pressure the organization into paying. These emails often contain stolen information such as Social Security numbers, payment account details, and sensitive business information.
The attackers primarily gain access to victims’ networks by purchasing stolen credentials from other members of the cybercrime community or by buying access to already-compromised networks from initial access brokers. Access may also be obtained through phishing or by exploiting exposed Remote Desktop Protocol (RDP) services.
Once inside a victim’s network, the attackers use Cobalt Strike beacons to map the network, Mimikatz to harvest credentials, and AnyDesk to maintain persistent remote access. They may spend up to two months locating valuable data. The data is then exfiltrated using open-source tools and File Transfer Protocol (FTP) services; up to 1 terabyte of data may be stolen in a single attack.
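Two of the behaviours described above, remote-access tooling appearing on a host and bulk outbound transfers over FTP, are things a defender can look for in existing telemetry. The script below is an added example written for this page; it is not from the HC3 alert or from the article. The log format, hostnames, IP addresses, allow-listed install path and the 1 GB threshold are constructed assumptions, not a real product’s schema or a published indicator.

```python
"""
Triage constructed process and network log lines for two Karakurt-style
behaviours: AnyDesk running from an unapproved path, and large outbound
transfers to FTP ports aggregated per host and destination.
Added example; log format, hosts, IPs and thresholds are assumptions.
"""
import re
from collections import defaultdict

# Constructed sample events in a hypothetical "<ts> <type> key=value ..." format.
SAMPLE_LOGS = """
2022-08-01T09:12:03Z PROC host=ws-017 user=jdoe image=C:\\Users\\jdoe\\AppData\\Local\\Temp\\AnyDesk.exe
2022-08-01T09:15:44Z NET host=ws-017 dst=203.0.113.25 dport=21 bytes_out=734003200
2022-08-01T09:16:10Z NET host=ws-017 dst=203.0.113.25 dport=21 bytes_out=812000000
2022-08-01T09:20:00Z NET host=srv-db01 dst=203.0.113.25 dport=21 bytes_out=4900000000
2022-08-01T10:01:00Z PROC host=ws-022 user=svc_it image=C:\\Program Files (x86)\\AnyDesk\\AnyDesk.exe
2022-08-01T10:05:00Z NET host=ws-022 dst=198.51.100.7 dport=443 bytes_out=52000
"""

FTP_PORTS = {20, 21, 990}                      # plain FTP data/control and implicit FTPS
EXFIL_THRESHOLD_BYTES = 1_000_000_000          # assumed tuning value: 1 GB per host/destination
# Assumed allow-list: the path a sanctioned AnyDesk deployment would install to.
APPROVED_REMOTE_TOOL_PATHS = {r"c:\program files (x86)\anydesk\anydesk.exe"}

# key=value pairs; values may contain spaces (paths), so stop only before the next key.
KV_RE = re.compile(r"(\w+)=(.*?)(?= \w+=|$)")


def parse_line(line):
    """Split one log line into a dict: ts, kind, plus its key=value fields."""
    ts, kind, rest = line.split(" ", 2)
    fields = dict(KV_RE.findall(rest))
    return {"ts": ts, "kind": kind, **fields}


def find_unapproved_remote_tools(events):
    """Return (host, user, image) for AnyDesk launched outside the approved path."""
    hits = []
    for e in events:
        if e["kind"] != "PROC":
            continue
        image = e.get("image", "")
        if image.lower().endswith("anydesk.exe") and image.lower() not in APPROVED_REMOTE_TOOL_PATHS:
            hits.append((e["host"], e.get("user", "?"), image))
    return hits


def find_ftp_exfil(events):
    """Sum bytes_out per (host, dst) on FTP ports; return pairs over the threshold."""
    totals = defaultdict(int)
    for e in events:
        if e["kind"] == "NET" and int(e["dport"]) in FTP_PORTS:
            totals[(e["host"], e["dst"])] += int(e["bytes_out"])
    return {pair: total for pair, total in totals.items() if total >= EXFIL_THRESHOLD_BYTES}


def triage(log_text):
    """Run both detections over raw log text and return their findings."""
    events = [parse_line(l) for l in log_text.splitlines() if l.strip()]
    return {
        "remote_tools": find_unapproved_remote_tools(events),
        "ftp_exfil": find_ftp_exfil(events),
    }


if __name__ == "__main__":
    findings = triage(SAMPLE_LOGS)
    for host, user, image in findings["remote_tools"]:
        print(f"[remote tool] {host} {user} {image}")
    for (host, dst), total in findings["ftp_exfil"].items():
        print(f"[ftp exfil] {host} -> {dst}: {total / 1e9:.2f} GB")
```

Aggregating per host and destination rather than alerting on single flows matters here: the sample shows two transfers from ws-017 that are each below the threshold but together exceed it, which is how a slow multi-session exfiltration looks in flow data.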
Karakurt’s ransom demands can be substantial, previously ranging from $25,000 to $13,000,000. Once the ransom is paid, the group typically provides proof of deletion of the stolen files and a brief statement describing how it gained access to the organization’s network.