Karakurt Gang Hackers Attack Understaffed Medical Practices

Sometimes multiple negative factors combine to create major issues. We’ve talked about the medical staffing shortage before, and we’ve covered the constant risk of hackers in healthcare. These two issues have fused, as a Russian hacker group called the Karakurt Gang targets healthcare organizations during this time of weakened security.

As the rate of cyberattacks against healthcare organizations surges, it’s important to stay alert and informed. In this article we’ll cover the known details of the Karakurt Gang, why now is the perfect time for them to strike, and how your organization can better protect itself from attack.

Who is Behind the Attacks?

Shrouded in secrecy, underground hacking groups are notoriously hard to catch due to the anonymity achievable with exceptional computer skills. As it turns out, this rabbit hole runs deep.

The Karakurt Gang isn’t the only criminal organization that attacks medical organizations; they have powerful connections.

What is the Karakurt Gang?

The Karakurt Gang is a group of hackers that first surfaced in late 2021. The gang targets companies and healthcare organizations with data exfiltration attacks to steal and ransom sensitive information. By targeting attack vectors weakened by the staffing shortage, Karakurt has attacked 4 healthcare organizations in the last 3 months.

Simply put, data exfiltration is when data is copied and transmitted without authorization. This type of attack requires a path of entry, which falls into one of two categories.

The first is a direct malicious strike by the attacker, such as a brute-force attack against weak passwords. The second is user error, such as a staff member downloading a keylogging script or other malware.

The Karakurt Gang uses phishing attacks to obtain VPN credentials, which they then use to breach the system. A phishing attack is when a cybercriminal tricks an individual at a target organization into providing server credentials. Karakurt members accomplish this by phone, by email, or even with cloned versions of existing websites.

A VPN, or virtual private network, encrypts the user’s traffic, masks their location, and changes their IP address. This tool enhances security and privacy for legitimate users, but those same properties let an attacker holding stolen VPN credentials connect as if they were a trusted employee and move data out of the network undetected.

Infinitum IT, a data security company based in Turkey, documented its white hat efforts against the Karakurt Gang this year. From this effort, they discovered not only the attack methods of the Karakurt Gang but also direct connections to Conti.

What is Conti?

Conti is the largest ransomware group in the world, and its prolific ransomware has pillaged sensitive information from companies globally. In 2021, the group reportedly made approximately $180 million from stolen data.

Believed by experts to be the successor of the infamous Ryuk ransomware, Conti impacted over 240 healthcare organizations in 2021. While organizations like Conti make millions by ransoming data, healthcare organizations lose even more.

In 2020 alone, ransomware attacks from groups like Conti cost healthcare organizations in the United States over $20.8 billion. The gap between hacker profits and medical organization costs is significant because the latter also accounts for lost revenue.

When Conti breaches a system, they run a double-extortion technique. As Conti encrypts victim data, it also copies it for public release in the case of non-payment. Conti also leaves backdoors in place so they can regain access to the system even after the victim improves its security.

One of the telling signs that Conti and Karakurt are connected came from a report by cybersecurity company Arctic Wolf. In this report, Arctic Wolf revealed that a client extorted by Conti was later breached by Karakurt via a Cobalt Strike backdoor.

Despite being the most successful known ransomware group, even Conti isn’t at the top of the ladder.

What is Wizard Spider?

Conti is just one of several malware groups operated by Wizard Spider, a billion-dollar cybercrime syndicate. The others include the ransomware Ryuk (or Sidoh), the backdoor malware BazarLoader, and the banking trojan Trickbot. One of the wealthiest gangs in the world, Wizard Spider first surfaced in 2017.

Wizard Spider also encompasses Lunar Spider, Grim Spider, and likely other cybercrime subgroups. Wizard Spider even hires people to intimidate and extort its victims.

If victims don’t pay the ransom to protect their stolen data, they end up on Name and Shame websites. These websites publish the names and information of victims who refuse to pay, along with threats to release the stolen information publicly.

International hackers have used each of these tools to attack American medical organizations for profit. In addition to leading these cybercrime groups, Wizard Spider is also actively involved in the ransom cartel.

The ransom cartel is a group of connected cybercrime groups that pillage information for profit. Their net runs wide, but even the ransom cartel is just one of many cybercrime organizations worldwide.

A Dangerous World During a Time of Weakness

While the Karakurt Gang isn’t at the top of the chain, its impact on healthcare organizations can be severe. This is true of any cybercriminal willing to risk the lives of critical patients to extort money.

The 2022 CrowdStrike Threat Report found an 82% increase in ransomware-based data leaks, from 1,474 in 2020 to 2,686 in 2021.

From January to July 2022, medical organizations have reported 345 breaches affecting 500 or more individuals each to the OCR. In total, these breaches have exposed the protected health information (including medical records) of 20,191,921 patients.

The HIPAA Breach Notification Rule requires immediate notification following PHI breaches of 500+ patients and notification by the end of the year for smaller breaches. As such, the true number of breaches from medical cyberattacks in 2022 will only be clear once that information is available.

A research report by Ponemon Institute found that 67% of health delivery organizations have been attacked with ransomware. Of these, 33% have been attacked multiple times.

Ponemon found that about 70% of organizations reported longer stays and delayed treatment, while almost 25% reported higher mortality rates.

In addition to these patient outcomes, an IBM report driven by Ponemon data found that the average cost of a healthcare data breach in 2022 is $10.4 million.

The impacts are so severe because these cybercriminals don’t only steal and spread sensitive data; they also lock access to it. This means healthcare providers can’t reach the patient information required for crucial, time-sensitive treatment.

Unfortunately, this problem is likely to keep growing because these data extortion organizations view healthcare organizations as easy targets.

You’re the Perfect Target for a Cybercriminal

Medical organizations are so vulnerable to data theft because they rely so heavily on digital records. Medium-sized organizations are especially vulnerable because they’ve become the primary target for hackers.

This is doubly true during the current medical worker shortage, which has cost at least 1.5 million healthcare jobs. As medical employees burn out, their ability to catch breaches diminishes.

With a wide variety of major cybercriminal groups targeting healthcare organizations, prevention is essential.

To help protect your organization from the Karakurt Gang and other cybercrime organizations, make sure you’re following these InfinitumIT guidelines. Most importantly, keep a regularly updated offline backup so you can still reach your records after an attack.

If you pay a cyber ransom, you must report it per the Cyber Incident Reporting for Critical Infrastructure Act requirements.

It’s challenging to keep up with developments in healthcare cyber threats, and the burden of staff turnover can force your organization to re-teach the basics over and over. With limited available time and mandatory responsibilities tied to legal deadlines, even that can prove difficult.

ChartRequest is here to help healthcare workers, organizations, and patients thrive by streamlining or eliminating the release of information. We handle compliance with HIPAA, the HITECH Act, the Cures Act, varying pricing statutes across the United States, and all other relevant regulations so your team can prioritize security and the patient experience.

Create your account to request and release records online, or click the links below to learn more about the benefits of digital record exchange with ChartRequest.

Learn more about successful medical staffing and retention practices.

Avoid Right of Access Initiative penalties.

Fax isn’t the best option.