The Karakurt ransomware group has attacked at least four health sector organizations in the last three months, a Department of Health and Human Services alert warned. (Photo by Alex Wong/Getty Images)

Provider organizations are being warned to be on the alert for cyberattacks levied by the Karakurt ransomware group after at least four cyberattacks by the threat actors against the healthcare sector in the last three months.

Those observed attacks included an assisted living facility, a dental firm, a provider and a hospital.

An alert from the Department of Health and Human Services Cybersecurity Coordination Center (HC3) notes that while Karakurt emerged in late 2021, their impact is heightened by their likely ties to the Conti ransomware group, either as a working relationship or as a side business of Conti.

Federal agencies have long warned of the risk the Conti ransomware group poses to the healthcare sector, having successfully targeted more than 16 providers since early 2021. 

The Karakurt actors’ attack flow mirrors typical ransomware groups, claiming to steal data and threatening to auction it off on the dark web or release it to the public unless their demands are met. The ransoms range from $25,000 to $13,000,000 in Bitcoin with deadlines often set to expire within just one week of the initial contact by the cybercriminals.

What’s most troubling about Karakurt is their “extensive harassment campaigns against victims to shame them,” according to HC3.

This was recently evidenced by the Karakurt campaign against Methodist McKinney Hospital in early July. The actors threatened to release the data they allegedly stole from the hospital system, but Methodist McKinney instead informed patients of the ongoing attack and continued investigation about the possible data theft.

Karakurt gains access by purchasing stolen login credentials through cybercrime partnerships who may provide the group with access to already compromised victims, or by “buying access to already compromised victims via third-party intrusion broker networks.” Among its exploited vulnerabilities are outdated SonicWall VPNs, Log4j, phishing, and outdated Windows Servers.

The impact is also caused by Karakurt’s typical two-month dwell time, where the actors conduct scanning, reconnaissance, and data collection against the victims. The actors compress the files in order to exfiltrate large sums of data, “and, in many cases, entire network-connected shared drives in volumes exceeding 1 terabyte using open-source applications and FTP.

For healthcare, the access and exfiltration certainly includes patients’ protected health information like medical histories, health insurance details, dianoses, and treatments.

“Once access to a compromised system has been obtained, Karakurt actors deploy Cobalt Strike beacons to enumerate a network, install Mimikatz to pull plain-text credentials, use AnyDesk to obtain persistent remote control, and utilize additional situation-dependent tools to elevate privileges and move laterally within a network,” according to the alert.

After exfiltration, Karakurt delivers the ransom note in “readme.txt” files to employee email accounts of the victim organization. The messages include instructions on how to chat with the actors to negotiate a price to have the data deleted.

It’s during these conversations where “victims have reported extensive harassment campaigns,” where Karakurt engages with employees, business partners, and clients sending numerous emails and phone calls “warning the recipients to encourage the victims to negotiate … to prevent the dissemination of victim data.”

In response to the possible impact, HC3 recommends providers review operations security and leverage the recommendations outlined in the alert. Providers will also find a complete list of Karakurt tactics, known vulnerability exploits, and indicators of compromise.