Healthcare providers are being warned of rising cyber threats from the Karakurt ransomware group. The alert comes months after CISA and the FBI released technical details about how the group operates, along with indicators of compromise and sample ransom notes.

What does the new alert say?

  • According to the Department of Health and Human Services Cybersecurity Coordination Center (HC3), the group has been actively targeting the US Healthcare and Public Health Sector since June 2022.
  • At least four attacks that affected an assisted living facility, a dental firm, a healthcare provider, and a hospital have been observed by HC3. 
  • Prior to the attacks, the attackers had conducted scanning, reconnaissance, and collection on their targets over an estimated two-month span.
  • Following the attacks, the threat actors gained access to files containing patient names, addresses, Social Security numbers, dates of birth, medical history information, medical diagnosis information, treatment information, medical record numbers, and health insurance information.
  • Later, they threatened to release the information unless the victim organization paid a ransom.

Common vulnerabilities exploited

The Karakurt group exploits several well-known vulnerabilities to gain initial access. These include vulnerable Remote Desktop Protocol (RDP), the Log4j vulnerability, and legacy VPN appliances from SonicWall and Fortinet. In some instances, unserviceable Microsoft Windows Server instances were also abused to launch attacks.

Karakurt updates its extortion scheme

  • In July, Karakurt updated its extortion tactic by launching a searchable database where anyone can find victims and specific details. 
  • This new tactic overlapped with the one followed by the BlackCat ransomware group.
  • This is another step toward a multi-tiered extortion scheme to put more pressure on victims to pay the ransom.
  • Apart from this, HC3 warned that Karakurt harasses employees, business partners, and clients over email and phone calls so that the victim organization initiates a ransom negotiation.


In response to the possible attacks, HC3 recommends that providers review their security operations and leverage the recommendations in the alert. The alert also includes a complete list of Karakurt tactics, known vulnerability exploits, and indicators of compromise.
Cyware Publisher