The Karakurt ransomware group has carried out at least four attacks affecting the U.S. healthcare and public health sector since June, as noted by HC3. The attacks were observed at an assisted living facility, a dental firm, a provider, and a hospital.

Karakurt against Texas hospital 

Earlier in August, Texas-based Methodist McKinney hospital was attacked by Karakurt, claiming to have exfiltrated 360GB of files from their servers.
  • The hospital first discovered unusual activity on certain systems on July 5. Further investigation revealed that the attackers copied files from the network for over two months.
  • The hospital, however, decided not to pay the ransom demanded by the group.

Attack methodology

  • Karakurt gains access by purchasing stolen login credentials of already compromised victims to further deploy Cobalt Strike beacons.
  • Mimikatz is then installed to retrieve plain-text credentials and AnyDesk is used to obtain persistent remote control.
  • The threat actor then employs situation-specific tools to elevate privileges and move laterally within a network.
  • After exfiltration, Karakurt delivers the ransom note in readme.txt files, which includes instructions on how to negotiate a price to have the data deleted.

Likely ties to Conti

Karakurt’s impact is escalated by its likely links to the Conti ransomware group, either as a working relationship or as a side business of Conti, according to HC3.
  • The cybersecurity advisory released by leading government organizations in April noted that Karakurt is a data extortion arm of the Conti gang.
  • In April, researchers breached a Conti member’s account and found it was using an FTP client to connect to multiple servers for uploading and downloading stolen data.
  • One connection was to the IP address where the Karakurt extortion group hosted their site, where they published stolen data from non-paying victims.
  • Karakurt and Conti share the use of the same exfiltration tools, as well as the use of the same attacker hostname when remotely accessing victims' networks.

Closing thoughts

The healthcare sector remains a prime target for cybercriminals, and the number of attacks has only increased over time. HC3 has also provided recommendations for countering these tactics, assisting in making systems as secure as possible.
Cyware Publisher