Sikov - stock.adobe.com

HC3 Warns Healthcare Sector of Karakurt Ransomware Group

Since June, Karakurt ransomware group has executed at least four cyberattacks against US healthcare organizations.

The HHS Health Sector Cybersecurity Coordination Center (HC3) alerted the healthcare sector to the rising prominence of Karakurt ransomware group. The group has claimed responsibility for at least four cyberattacks against US healthcare organizations.

The attacks impacted a dental firm, an assisted living facility, a provider, and a hospital. The healthcare sector should remain on high alert and look out for any indicators of compromise.

Karakurt threat actors typically conduct scanning, reconnaissance, and collection on its targets for about two months, open-source reporting indicates. The group then attempts to gain access to files containing sensitive information, such as Social Security numbers, medical history, treatment information, and medical record numbers. In typical ransomware fashion, the group holds the information and threatens its victims until they pay.

Karakurt has been observed obtaining access to victim devices by purchasing stolen login credentials or by buying access to already-compromised victims through third-party intrusion broker networks.

The group is known it exploit a variety of intrusion vulnerabilities to obtain initial access, including outdated SonicWall SSL VPN appliances, Log4Shell, outdated Microsoft Windows Server instances, and outdated Fortinet FortiGate SSL VPN appliances.

After obtaining access, Karakurt threat actors have been known to “deploy Cobalt Strike beacons to enumerate a network, install Mimikatz to pull plain-text credentials, use AnyDesk to obtain persistent remote control, and utilize additional situation-dependent tools to elevate privileges and move laterally within a network,” HC3 stated.

Next, the threat actors typically compress and exfiltrate data and deliver a ransom note to victims via emails sent over compromised email networks or from external email accounts.

“Karakurt victims have reported extensive harassment campaigns by Karakurt actors in which employees, business partners, and clients receive numerous emails and phone calls warning the recipients to encourage the victims to negotiate with the actors to prevent the dissemination of victim data,” HC3 continued.

“These communications often included samples of stolen data—primarily personally identifiable information (PII), such as employment records, health records, and financial business records. Victims who negotiate with Karakurt actors receive a ‘proof of life’—such as screenshots—showing file trees of allegedly stolen data or, in some cases, actual copies of stolen files.”

In an alert released in June, the Cybersecurity and Infrastructure Security Agency (CISA) urged organizations to implement a recovery plan, employ network segmentation, regularly back up data, and install updated antivirus software.

Organizations should also disable unused ports, install appropriate patches, enforce multi-factor authentication, and use National Institute of Standards and Technology (NIST) standards for creating secure passwords.

Editor's note: A former version of this article incorrectly referred to NIST as the National Institute for Standards and Technology. NIST stands for the National Insitute of Standards and Technology. 

Next Steps

Dig Deeper on Cybersecurity strategies