The Department of Health and Human Services’ Health Sector Cybersecurity Coordination Center (HC3) has issued a warning to the Healthcare and Public Health (HPH) Sector about a relatively new extortion threat group called Karakurt, which is known to have conducted hacking and extortion attacks on the HPH sector. These attacks resemble those conducted by ransomware gangs, but the group does not bother encrypting data; it simply steals data and issues a demand to prevent its release. The group is thought to be either a breakaway group from the Conti ransomware gang or one with ties to that prolific ransomware group.
Karakurt, aka Karakurt Team/Karakurt Lair, conducted its first attacks in late 2021 and is known to have attacked at least four organizations in the HPH sector: a hospital, a healthcare provider, an assisted living facility, and a dental firm. HC3 did not disclose the names of the healthcare organizations that have been targeted so far, but one is Methodist McKinney Hospital in Texas. The hospital detected that attack in June and confirmed that files containing sensitive patient information had been exfiltrated. Karakurt is pressuring the hospital into paying the ransom by threatening to publish 367 GB of stolen data.
That attack is in line with the modus operandi of the group, which gains access to networks, searches for valuable data, exfiltrates the data, and then issues a ransom demand along with threats to publish the data if the ransom is not paid. Those tactics are now common among ransomware gangs, but Karakurt victims have reported extensive harassment following the attacks. In addition to pressuring the victim directly, the group harasses business partners, employees, and clients via email and phone calls so that they, too, push the victim to pay up and prevent the release of their data to the public. Samples of the stolen data are often sent as “proof of life” to confirm that data theft has occurred. The ransom demands issued by the group can be considerable: victims have reported demands of between $25,000 and $13,000,000 in Bitcoin.
Once access to a victim’s network has been gained, the Karakurt threat actors deploy Cobalt Strike beacons to enumerate the network, use Mimikatz to obtain credentials, and achieve persistent remote control using AnyDesk software. Situation-dependent tools are used for privilege escalation and lateral movement. The threat actors are known to take their time scanning and conducting reconnaissance, with dwell times of up to two months. Once data has been identified, 7zip is used to compress files, which are then exfiltrated using open source tools such as rclone, File Transfer Protocol (FTP) clients such as FileZilla, and cloud storage services such as Mega.nz. In some of the attacks, huge volumes of data have been stolen, including entire network-connected shared drives in volumes exceeding 1 TB.
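The tooling chain described above (archiving with 7zip, then exfiltration with rclone or FileZilla, with AnyDesk for persistence) lends itself to a simple host-level correlation. The following is an added example, not code from HC3 or HIPAA Journal, run over constructed process-creation events; the log format, host names, user names and the two-hour staging-to-exfil window are assumptions.

```python
from datetime import datetime, timedelta

# Constructed process-creation events (not from any real incident):
# "<ISO timestamp> <host> <user> <image> <command line>"
SAMPLE_EVENTS = r"""
2022-06-01T02:10:11 FILESRV01 svc_backup 7z.exe 7z.exe a -mx1 C:\Temp\fs.7z \\FILESRV01\Share
2022-06-01T02:48:30 FILESRV01 svc_backup rclone.exe rclone.exe copy C:\Temp\fs.7z mega:dump
2022-06-01T09:00:00 WS-HR-04 jsmith AnyDesk.exe AnyDesk.exe --install C:\ProgramData\AnyDesk --start-with-win
2022-06-02T11:00:00 WS-FIN-02 kbrown 7z.exe 7z.exe x report.7z
2022-06-02T13:30:00 WS-FIN-02 kbrown filezilla.exe filezilla.exe
"""

ARCHIVERS = {"7z.exe", "7za.exe"}              # 7zip binaries named in the alert
EXFIL_TOOLS = {"rclone.exe", "filezilla.exe"}  # exfiltration tools named in the alert
REMOTE_ACCESS = {"anydesk.exe"}                # persistence tool named in the alert
WINDOW = timedelta(hours=2)                    # assumed staging-to-exfil window


def parse_events(text):
    """Parse the constructed log format into dicts, skipping blank lines."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, host, user, image, cmd = line.split(" ", 4)
        events.append({"ts": datetime.fromisoformat(ts), "host": host,
                       "user": user, "image": image.lower(), "cmd": cmd})
    return events


def detect(events):
    """Return (rule, host, timestamp) alerts for the staging/exfil/persistence chain."""
    alerts = []
    staged = {}  # host -> timestamps of archive-creation commands
    for ev in sorted(events, key=lambda e: e["ts"]):
        args = ev["cmd"].split()
        if ev["image"] in ARCHIVERS and len(args) > 1 and args[1] in {"a", "u"}:
            # 7z 'a'/'u' create or update an archive; 'x' (extract) is ignored
            staged.setdefault(ev["host"], []).append(ev["ts"])
        elif ev["image"] in EXFIL_TOOLS:
            # exfil tool on a host that staged an archive within WINDOW
            if any(ev["ts"] - t <= WINDOW for t in staged.get(ev["host"], [])):
                alerts.append(("staging_then_exfil", ev["host"], ev["ts"]))
        elif ev["image"] in REMOTE_ACCESS and "--install" in args:
            # AnyDesk's documented silent-install switch (assumed syntax)
            alerts.append(("remote_access_install", ev["host"], ev["ts"]))
    return alerts


if __name__ == "__main__":
    for alert in detect(parse_events(SAMPLE_EVENTS)):
        print(alert)
```

The extract-only 7z run on WS-FIN-02 and the FileZilla launch without prior staging produce no alert, which keeps the rule from firing on ordinary archive and FTP use.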
Initial access to victims’ networks is primarily gained by purchasing stolen credentials from partners in the cybercrime community and buying access to compromised networks from initial access brokers. Vulnerabilities are also known to have been exploited, phishing has been used, and Remote Desktop Protocol (RDP) has been exploited.
Indicators of Compromise and mitigations have been shared in the HC3 alert.
The post HC3 Sounds Alarm Over Data Theft and Extortion Attacks by Karakurt Threat Actors appeared first on HIPAA Journal.