Karakurt Endangers Healthcare Sector: HHS

Karakurt against Texas hospital 

• The hospital first discovered unusual activity on certain systems on July 5. Further investigation revealed that the attackers copied files from the network for over two months.
• The hospital, however, decided not to pay the ransom demanded by the group.

Attack methodology

• Karakurt gains access by purchasing stolen login credentials of already compromised victims to further deploy Cobalt Strike beacons.
• Mimikatz is then installed to retrieve plain-text credentials and AnyDesk is used to obtain persistent remote control.
• The threat actor then employs situation-specific tools to elevate privileges and move laterally within a network.
• After exfiltration, Karakurt delivers the ransom note in readme.txt files, which includes instructions on how to negotiate a price to have the data deleted.

Likely ties to Conti

• The cybersecurity advisory released by leading government organizations in April noted that Karakurt is a data extortion arm of the Conti gang.
• In April, researchers breached a Conti member’s account and found it was using an FTP client to connect to multiple servers for uploading and downloading stolen data.
• One connection was to the IP address where the Karakurt extortion group hosted their site, where they published stolen data from non-paying victims.
• Karakurt and Conti share the use of the same exfiltration tools, as well as the use of the same attacker hostname when remotely accessing victims' networks.

Closing thoughts