The Department of Health and Human Services Cybersecurity Coordination Center (HC3) released a report on Wednesday, August 24 warning healthcare providers of targeted attacks against the Healthcare and Public Health Sector (HPH). A relatively new cybercrime group named Karakurt Team and Karakurt Lair are behind the attacks.
What We Know
Karakurt threat actors follow the typical ransomware lifecycle, claiming to steal data and threatening to auction it off or release it unless they receive payment, which has ranged from $25,000 to $13,000,000 in Bitcoin, with payment deadlines typically set to expire within a week of first contact with the victim.
What sets this threat actor apart from other ransomware groups, according to HC3, is their extensive harassment campaigns to shame their victims into paying the ransom. They have been known to engage with employees, business partners, and clients sending numerous emails and phone calls “warning the recipients to encourage the victims to negotiate … to prevent the dissemination of victim data,” according to the report.
They also tend to dwell for two months on the network, where the threat actors conduct scanning, reconnaissance, and data collection against the victims, before finally releasing ransomware on the network.
Per the report, HC3 has noted at least four attacks affecting the US Healthcare and Public Health Sector since June 2022. These attacks have affected an assisted living facility, a dental firm, a healthcare provider, and a hospital. In one of these attacks, 59,000 patients were affected by the breach.
HC3 recommends the Health and Public Health Sector be aware of their operations and apply appropriate cybersecurity principles and practices, which can be found in the report. They also have provided a complete list of Karakurt tactics, known vulnerability exploits, and indicators of compromise.
If you have any questions about this threat actor, their methods, or how to better protect yourself against this threat, please contact us!