Extortion, Ransomware Groups Targeting and Harassing Entities Globally
As the latest wave of ransomware attacks, extortion attempts and related fallout continues hitting hospitals globally, U.S. federal authorities have issued a new warning to the healthcare sector about Karakurt, the group claiming to be behind one of the most recent incidents.
The Department of Health and Human Services’ Health Sector Cybersecurity Coordination Center in an alert Wednesday warned that since June at least four healthcare and public health sector entities have been attacked by Karakurt, “a relatively new cybercrime group.”
Those recent attack victims included an assisted living facility, a dental firm, a healthcare provider and a hospital, the alert says.
While HHS HC3 did not identify any of those entities by name, Karakurt in the last two weeks ratcheted up a public harassment campaign against one of its apparent victims, Methodist McKinney Hospital, threatening to publish more than 367 gigabytes of data allegedly stolen from the Texas facility.
The healthcare agency says Karakurt likely has ties to the Conti ransomware group, “either as a business relationship or as a side business.”
Conti in May supposedly pulled the plug on its operations in part due to fallout from the group’s public support of Russia’s invasion of Ukraine. But Conti’s apparent “retirement” was coupled with efforts to intensify related brands, including Black Basta, Black Byte and Karakurt, analysts say (see: After Conti Ransomware Brand Retires, Spinoffs Carry On).
“Karakurt victims have reported extensive harassment campaigns by Karakurt actors in which employees, business partners and clients receive numerous emails and phone calls warning the recipients to encourage the victims to negotiate with the actors to prevent the dissemination of victim data,” HHS HC3 says in its alert yesterday.
“These communications often included samples of stolen data – primarily personally identifiable information.”
While exfiltration-only attacks such as those by groups like Karakurt may be less disruptive than encryption-only based ransomware attacks, “that doesn’t help the individuals whose protected health information is exposed,” says threat analyst Brett Callow of security firm Emsisoft.
“That said, it makes no sense for providers to give in to the extortion attempt in these cases. They’ve had a data breach, and paying [a ransom] will not change that.”
Other Warnings, Other Attacks
The federal Karakurt warning follows several separate HHS HC3 alerts in recent months about other extortion and ransomware groups, including Hive and Lockbit 2.0, both of which this week continued to assault healthcare sector entities.
Similar to Karakurt’s recent darkweb threats to Methodist McKinney Hospital about publishing allegedly stolen data, Hive and Lockbit this week also reportedly began publishing data they claimed to have exfiltrated in recent attacks on medical entities.
Hive yesterday reportedly began to release data allegedly stolen in a June attack against Baton Rouge General Medical Center in Louisiana.
Baton Rouge General Medical Center did not immediately respond to Information Security Media Group’s request for comment.
Meanwhile Lockbit this week reportedly began releasing data it claims to have stolen in a recent attack on a Florida-based addiction treatment and mental health provider.
In addition, media site The Record reports that French police sources have identified LockBit as being behind a ransomware attack last weekend on Center Hospital Sud Francilien in Corbeil-Essonnes, France, about an hour southeast of Paris (see: Hospitals in the U.S., France Dealing With Cyber Extortionists).
The 1,000-bed hospital is still dealing with the effect of the attack, issuing a statement on Tuesday advising patients to avoid trips to the facility’s emergency room as clinicians deal with IT disruptions caused by the incident.
“Our healthcare professionals are currently working without the help of IT, which generates much longer-than-average waiting times,” the hospital says.
Earlier this week, the French hospital issued a statement informing the public that it was triggering its contingency “white plan” due to an attack on the institution’s computer network. The incident affected “all the hospital’s business software, storage systems – including medical imaging – and the information system relating to patient admissions,” the hospital says.
All of these and other recent attacks on the healthcare sector in the United States and other countries should prompt organizations to heighten their cyber awareness and defenses, experts urge.
“The double extortion threat and the emergence of these leak-and-extort groups – those that don’t use ransomware – really underscore the need to protect data and segment networks,” says Erick Galinkin, a principal artificial intelligence researcher at security firm Rapid7.
“Backups and patching are still incredibly important, but the lateral movement and the data exfiltration is a distinctly important vector for threat actors,” he says.
Additionally, while paid subscription services can provide threat intelligence on these attackers, “a substantial amount of information is out in the open – a good Twitter follow list or news reader can serve up a lot of information for free,” he says.
“Fortunately, many mitigations – data segmentation, strong access controls, separation of privileges – are effective against a wide variety of these adversaries, whether folks are aware of the named threat actors or not,” he adds.
Meanwhile, with the growth of “ransomware-as-a-service,” it is unlikely attacks by these groups will ease anytime soon, says retired supervisory FBI agent Jason G. Weiss, an attorney at law firm Faegre Drinker Biddle & Reath LLP.
“It is still too easy and too profitable for these groups to cease and desist,” he says. “The hard part is to try and figure out how cyber threat actors will modify their behavior to circumvent the defenses and protections being put in place now. Change is constant in this environment.”