Karakurt ransomware group strikes Methodist McKinney Hospital
Kapua Iao September 19, 2022
Another ransomware group has hit a U.S. hospital. This time, Methodist McKinney Hospital suffered a data breach claimed by the Karakurt group. Methodist McKinney provides patient-focused inpatient and outpatient services in McKinney, Texas. The attack affected Methodist McKinney, Methodist Allen Surgical Center, and Methodist Craig Ranch Surgical Center.
When hackers wage war on healthcare, HIPAA compliance and email security must be paramount
The healthcare industry continues to experience a cyber crisis as threat actors target healthcare covered entities and their business associates. IBM’s 2022 Cost of a Data Breach Report puts the average cost of a breach across all industries at $4.35 million, up 2.6% from the previous year, and the average cost of a healthcare breach at $10.10 million, the highest of any industry.
Hackers using the dark web to launder and sell extorted data
Cyberattacks by extortion groups such as Karakurt top the list of critical issues. These groups rely on the threat of publishing stolen data on the dark web to convince organizations to pay, and that pressure is greatest when the data is protected health information (PHI).
Healthcare organizations shouldn’t wait until it is too late to protect themselves. They must employ robust cybersecurity features such as HIPAA compliant email.
SEE ALSO: What is a threat actor and why is it important to define?
How did Methodist McKinney get hit with ransomware?
In a notice posted July 29 (updated August 3), Methodist McKinney said it first detected unusual activity on July 5, took unspecified steps to “ensure the integrity of the systems,” and began an investigation. The investigation found unauthorized access between May 20 and July 7, during which the intruders copied “certain files” from systems containing PHI.
The information taken varied by individual but included:
- Name
- Address
- Social Security number
- Date of birth
- Medical history
- Medical diagnosis
- Treatment information
- Medical record number
- Health insurance information
The hospital says it has secured its systems, is implementing further safeguards, and is reviewing its policies and procedures. The U.S. Department of Health and Human Services (HHS) Office for Civil Rights’ Breach Portal lists the affected facilities as separate entries.
SEE ALSO: What is HHS’ Wall of Shame?
According to HHS, Methodist McKinney reported a hacking/IT incident affecting 110,244 individuals. Methodist Craig Ranch Surgical Center’s entry lists 15,157 individuals; Methodist Allen Surgical Center has no entry yet. Methodist McKinney’s notice never names the threat actor, but the Karakurt group claimed responsibility.
HHS is warning healthcare about ransomware and Karakurt
In August, HHS’ Health Sector Cybersecurity Coordination Center (HC3) alerted the healthcare sector about the Karakurt ransomware group. The group, also known as the Karakurt Team and Karakurt Lair, first emerged in late 2021.
RELATED: Ransomware is more common in healthcare than you think
Is Karakurt ransomware group attacking healthcare?
So far, the group has claimed at least four U.S. healthcare cyberattacks and roughly 80 attacks in total, including the summer attack on a Vermont health center and the Methodist McKinney breach. Karakurt typically sits inside a network, often for months, identifying and staging data before exfiltrating sensitive information such as PHI. The group is known for exploiting known vulnerabilities in:
- VPN appliances
- Log4Shell (CVE-2021-44228 in Apache Log4j)
- Outdated Microsoft Windows servers
How is Karakurt ransomware gaining access to healthcare organizations?
Additionally, the threat actors gain access by purchasing stolen login credentials or by buying access to victims already compromised by other criminals. The group may also use phishing, spear phishing, and malicious macros in email attachments. At this point, we do not know how Karakurt gained access to Methodist McKinney’s systems.
RELATED: Compromised employee accounts are an expensive problem according to IBM report
The group likely has ties to Conti, a Russia-based ransomware-as-a-service (RaaS) operation. Karakurt does not bother to encrypt data; it relies on extortion and threats alone to obtain a ransom payment.
How do ransomware groups get data and extort healthcare for ransom payments?
Cyber threat actors know that the right amount of pressure makes some organizations pay. That pressure can take the form of data encryption (ransomware), extortion over stolen data, harassment, or all three. Ransomware is malicious software that holds data hostage, encrypted, until payment is received.
SEE ALSO: This is how fast a ransomware attack encrypts all your files
The 2022 Sophos State of Ransomware report found that 65% of attacks on surveyed organizations resulted in data encryption. Over the past several years, groups such as REvil, Netwalker, and Conti have shifted to double (or triple) extortion: they encrypt data and then pressure organizations to pay with threats to release it.
How is Karakurt extorting healthcare?
Now we have groups like Karakurt that skip encryption and go straight to extortion and harassment. Rather than encrypt, Karakurt compresses the data it has found and exfiltrates it, then sends a ransom note and begins the threats. In this case, the group is conducting extensive harassment of Methodist McKinney’s employees, business partners, and clients, the idea being that these people will pressure the hospital to pay. Unfortunately, such coercion techniques do not look likely to stop any time soon.
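The “compress, then exfiltrate” pattern above is also what a defender should hunt for: an archiver launching on a host, followed shortly by a bulk outbound transfer to an external address. The script below is an added example, not code from the article, from Karakurt’s tooling, or from any vendor; its log formats, host names, tool list, internal address ranges, and thresholds are assumptions, and the log lines are constructed sample data.

```python
"""Correlate archive staging with large outbound transfers.

Added example for this article: not code from the article, from Karakurt,
or from CISA. The log formats, host names, tool list, internal networks
and thresholds below are assumptions chosen to make the correlation
concrete; the log lines are invented sample data.
"""
import ipaddress
from collections import defaultdict
from datetime import datetime, timedelta

# Archiving tools commonly used to stage data before exfiltration (assumption).
ARCHIVERS = {"7z.exe", "7za.exe", "rar.exe", "winrar.exe", "tar", "zip"}
# How long after an archiver runs an outbound transfer is still suspicious.
WINDOW = timedelta(hours=2)
# Minimum bytes in a single outbound flow to count as a bulk transfer.
BYTES_THRESHOLD = 500 * 1024 * 1024
# Address space treated as internal; transfers there are not exfiltration (assumption).
INTERNAL_NETS = [ipaddress.ip_network(n)
                 for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed endpoint process log: timestamp|host|user|image
PROCESS_LOG = """\
2022-07-06T01:12:44|WS-017|svc_backup|C:\\Tools\\7z.exe
2022-07-06T09:00:10|WS-022|jdoe|C:\\Program Files\\7-Zip\\7z.exe
2022-07-06T09:05:31|WS-022|jdoe|C:\\Windows\\System32\\notepad.exe
2022-07-06T02:55:02|SRV-03|SYSTEM|C:\\Windows\\System32\\robocopy.exe
""".splitlines()

# Constructed network flow log: timestamp|host|dst_ip|dst_port|bytes_out
FLOW_LOG = """\
2022-07-06T01:40:09|WS-017|203.0.113.42|443|838860800
2022-07-06T09:20:00|WS-022|203.0.113.42|443|20480
2022-07-06T03:01:17|SRV-03|10.20.0.5|445|2147483648
2022-07-06T07:30:00|WS-017|198.51.100.7|22|734003200
""".splitlines()


def archive_events(process_lines):
    """Map host -> sorted [(timestamp, archiver)] for every archiver launch."""
    events = defaultdict(list)
    for line in process_lines:
        ts, host, _user, image = line.split("|")
        name = image.replace("\\", "/").rsplit("/", 1)[-1].lower()
        if name in ARCHIVERS:
            events[host].append((datetime.fromisoformat(ts), name))
    for host in events:
        events[host].sort()
    return dict(events)


def is_internal(ip):
    """True when the destination falls inside one of INTERNAL_NETS."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def find_staging_then_exfil(process_lines, flow_lines,
                            window=WINDOW, threshold=BYTES_THRESHOLD):
    """Alert on bulk external transfers within `window` after an archiver ran on the same host."""
    archives = archive_events(process_lines)
    alerts = []
    for line in flow_lines:
        ts, host, dst, port, bytes_out = line.split("|")
        ts, bytes_out = datetime.fromisoformat(ts), int(bytes_out)
        if bytes_out < threshold or is_internal(dst):
            continue
        for archived_at, archiver in archives.get(host, []):
            if archived_at <= ts <= archived_at + window:
                alerts.append({
                    "host": host,
                    "archiver": archiver,
                    "archived_at": archived_at.isoformat(),
                    "dst": f"{dst}:{port}",
                    "bytes_out": bytes_out,
                    "minutes_after_archive": int((ts - archived_at).total_seconds() // 60),
                })
                break  # one alert per flow is enough
    return alerts


if __name__ == "__main__":
    for alert in find_staging_then_exfil(PROCESS_LOG, FLOW_LOG):
        print(alert)
```

The sample data deliberately includes the three negatives a real rule has to get right: an archiver run followed only by small traffic (WS-022), a large transfer to an internal file server with no archiver involved (SRV-03), and a bulk transfer too long after the archive to correlate (WS-017 at 07:30). Only the 800 MiB transfer 27 minutes after 7z.exe ran on WS-017 is flagged. In production the same join is done in a SIEM over EDR process-creation events and firewall or NetFlow records, with the tool list and thresholds tuned to the environment.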
Why will healthcare extortion get worse?
Ransomware groups are not going anywhere, and cybercriminals will keep targeting the healthcare industry for its rich stores of PHI. According to HHS, cyberattacks on the sector in the first five months of 2022 nearly doubled compared with the same period the year before.
Given the tired, stressed staff in most healthcare organizations, attackers know the industry is more vulnerable than others. And Karakurt is not the only extortion group to use the dark web as leverage.
SEE ALSO: Cyber crime services on the dark web marketplaces easier to obtain, says Trend Micro
The underground economy is booming
Experts state that the underground economy is booming. An analysis of the dark web between November 2021 and March 2022 uncovered 475 web pages offering ransomware strains, source code, and RaaS packages. Until January 2022, Karakurt ran a leak-and-auction website that has since gone offline, but there are signs that it now operates on the deep web and the dark web. And given the group’s past behavior, there is no reason to expect Karakurt to keep data confidential after a ransom payment.
According to the group, the threat actors stole Methodist McKinney’s invoices, contracts, prescription scans, patient cards, and financial documents, and they threaten to release it all.
Three reasons why healthcare should not pay when ransomware groups attempt extortion
Methodist McKinney decided against paying. That could mean exposed PHI, but most experts agree that organizations should not pay a ransom. Paying is not smart business.
SEE ALSO: Why paying ransomware is typically a bad idea and what you can do instead
- Paying may encourage the attackers to continue, against the same victim or new ones. Some threat actors are known to leave malware or persistence behind for a return visit, and other criminals may target a victim precisely because it has shown a willingness to pay.
- Paying does not guarantee full recovery of data. The 2022 Sophos report found that of those who paid, only 4% got all of their data back. Victims may receive a broken decryption tool, or the encryption itself may have corrupted data.
- Finally, as we have seen with Karakurt, cybercriminals sell and auction stolen credentials and PHI to others. Once data has been exfiltrated, no payment can guarantee it will not end up for sale on the dark web.
These reasons, along with the growth of RaaS, show that paying a ransom buys no protection. What defends and safeguards is strong cybersecurity.
We sound like a broken record but here it is again: protect yourself!
According to experts, recovery is a lengthy, complex process, so a strong, layered cybersecurity program is the way to avoid losses. That means perimeter defenses such as firewalls plus internal controls such as:
- Employee training
- Access controls
- DLP (data loss prevention)
- Data encryption (in transit and at rest)
- Monitoring/response procedures
- Zero trust security
The Cybersecurity and Infrastructure Security Agency (CISA) advisory on Karakurt (joint advisory AA22-152A) takes this further with specific mitigations. For example, CISA calls for a prepared recovery plan that keeps multiple copies of sensitive data, stored separately, securely, and in a segmented location. If a group steals data (whether it encrypts or not), a backup ensures the data is not permanently gone. Note the limit of that control, though: a backup restores availability, but it does nothing for the confidentiality of data that has already been copied out, which is exactly the lever Karakurt pulls.
How can healthcare protect itself against ransomware attacks?
CISA also says that accounts with password logins should follow NIST (National Institute of Standards and Technology) guidance on password policies, that multifactor authentication should be required, and that accounts should be segregated under the principle of least privilege, so that, for instance, only administrators can install software. CISA further recommends keeping systems, software, and firmware patched and disabling unused ports. And of course, email security, which for healthcare organizations means HIPAA compliant email.
HIPAA compliance and email security are critical
In its Karakurt advisory, CISA also recommends email defenses such as external-sender banners and disabled hyperlinks in received email. Those are baseline controls, not a complete defense. Healthcare organizations also need a strong email security program such as Paubox Email Suite; every healthcare organization needs HIPAA compliant email security.
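The two email controls CISA names, an external-sender banner and disabled hyperlinks, are simple enough to show end to end on a real message. The following is an added example written for this article, not Paubox or CISA code; the internal domain, banner wording, and sample message are assumptions constructed here.

```python
"""External-sender banner and hyperlink neutralization for inbound email.

Added example for this article: not Paubox or CISA code. The internal
domain list, banner wording and the sample message are assumptions
constructed here to show the two controls CISA recommends.
"""
import re
from email import policy
from email.message import EmailMessage
from email.parser import Parser
from email.utils import parseaddr
from html import escape

# The organization's own sending domains (assumption).
INTERNAL_DOMAINS = {"example-hospital.org"}
BANNER_TEXT = ("CAUTION: This message came from outside the organization. "
               "Links have been disabled; do not open unexpected attachments.")

# Matches <a ... href="..."> ... </a>; captures the URL and the link text.
_ANCHOR_RE = re.compile(
    r'<a\b[^>]*?href\s*=\s*["\']([^"\']*)["\'][^>]*>(.*?)</a>',
    re.IGNORECASE | re.DOTALL,
)


def sender_domain(msg):
    """Domain of the From address, lower-cased; empty string if unparseable."""
    return parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()


def is_external(msg):
    return sender_domain(msg) not in INTERNAL_DOMAINS


def neutralize_html(body):
    """Replace every anchor with its text plus the URL as inert, escaped text."""
    def inert(match):
        href, text = match.group(1).strip(), match.group(2)
        return f"{text} [link disabled: {escape(href)}]"
    return _ANCHOR_RE.sub(inert, body)


def harden_inbound(raw):
    """Parse a raw RFC 5322 message; banner and de-link it if the sender is external."""
    msg = Parser(policy=policy.default).parsestr(raw)
    if not is_external(msg):
        return msg
    for part in msg.walk():
        ctype = part.get_content_type()
        if ctype == "text/plain":
            part.set_content(BANNER_TEXT + "\n\n" + part.get_content())
        elif ctype == "text/html":
            banner = ('<div style="background:#fff3cd;border:1px solid #f0ad4e;padding:8px">'
                      f"{escape(BANNER_TEXT)}</div>")
            part.set_content(banner + neutralize_html(part.get_content()), subtype="html")
    return msg


def bodies(msg):
    """Text bodies keyed by content type, for inspection."""
    return {p.get_content_type(): p.get_content()
            for p in msg.walk() if p.get_content_type() in ("text/plain", "text/html")}


def build_sample(sender="billing@example-vendor.net"):
    """Constructed invoice-lure message, multipart/alternative (sample data)."""
    msg = EmailMessage()
    msg["From"] = sender
    msg["To"] = "records@example-hospital.org"
    msg["Subject"] = "Overdue invoice"
    msg.set_content("Please review your invoice: https://example.net/invoice")
    msg.add_alternative(
        '<p>Please <a href="https://example.net/invoice">review the invoice</a> today.</p>',
        subtype="html")
    return msg.as_string()


if __name__ == "__main__":
    print(harden_inbound(build_sample()).as_string())
```

The regex pass neutralizes every anchor, including `javascript:` and lookalike-domain links, because it never evaluates the URL; it only shows it as escaped text so the recipient can read where the link pointed. Two caveats a gateway must address beyond this sketch: it trusts the From header, which is trivially spoofed, so real deployments key the banner off SPF/DKIM/DMARC results as well as the domain; and stripping links outright is blunt, so many products rewrite them through a click-time scanner instead.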
Built to seamlessly integrate with current email platforms, Paubox Email Suite enables HIPAA compliant email by default and automatically encrypts every outgoing email. Messages go straight to patients’ inboxes, with no unnecessary passwords, logins, or portals.
RELATED: Why email is better than patient portals
But even better are our inbox protections. Our HIPAA compliant, HITRUST CSF certified solution blocks spoofing techniques with ExecProtect and keeps malware and phishing emails at bay with Zero Trust Email. PHI stays contained, and email, the most common initial attack vector, stays secure. Healthcare organizations must be vigilant and take the time to implement and update their cybersecurity before a data breach, not after.
Ransomware groups are banking on organizations not spending the energy and money on a strong cybersecurity program. Extortion and threats lose much of their leverage when healthcare organizations adopt smart cybersecurity measures like HIPAA compliant email.