Karakurt ransomware group targeting healthcare providers, HHS warns

The Karakurt ransomware group has attacked at least four health sector organizations in the last three months, a Department of Health and Human Services alert warned.

Provider organizations are being warned to be on the alert for cyberattacks launched by the Karakurt ransomware group, after the threat actors carried out at least four attacks against the healthcare sector in the last three months.

Those observed attacks included an assisted living facility, a dental firm, a provider and a hospital.

An alert from the Department of Health and Human Services Cybersecurity Coordination Center (HC3) notes that while Karakurt emerged in late 2021, its impact is heightened by its likely ties to the Conti ransomware group, whether as a working relationship or as a side business of Conti.

Federal agencies have long warned of the risk the Conti ransomware group poses to the healthcare sector; the group has successfully targeted more than 16 providers since early 2021.

The Karakurt actors’ attack flow mirrors that of typical ransomware groups: they claim to have stolen data and threaten to auction it off on the dark web or release it to the public unless their demands are met. Ransom demands range from $25,000 to $13,000,000 in Bitcoin, with deadlines often set to expire within just one week of the cybercriminals’ initial contact.

What’s most troubling about Karakurt is their “extensive harassment campaigns against victims to shame them,” according to HC3.

This was recently evidenced by the Karakurt campaign against Methodist McKinney Hospital in early July. The actors threatened to release the data they allegedly stole from the hospital system, but Methodist McKinney instead informed patients of the ongoing attack and of its continuing investigation into the possible data theft.

Karakurt gains access by purchasing stolen login credentials through cybercrime partners who may provide the group with access to already compromised victims, or by “buying access to already compromised victims via third-party intrusion broker networks.” The initial access vectors it has exploited include outdated SonicWall VPN appliances, Log4j, phishing, and outdated Windows servers.

The impact is also caused by…