Karakurt attacks Regional Family Medicine

Incident Date: July 30, 2023


Overview

Title: Karakurt attacks Regional Family Medicine
Victim: Regional Family Medicine
Attacker: Karakurt
Location: Mountain Home, Arkansas, USA
First Reported: July 30, 2023

The Karakurt Extortion Gang's Attack on Regional Family Medicine

The Karakurt extortion gang has attacked Regional Family Medicine. Regional Family Medicine is a healthcare provider headquartered in Mountain Home, Arkansas, USA. The Karakurt gang posted Regional Family Medicine to its data leak site on July 30 but provided no further information.

Karakurt's Operational Techniques

Karakurt actors have used a variety of tactics, techniques, and procedures, which creates significant challenges for defense and mitigation. Notably, Karakurt victims have not reported encryption of compromised machines or files. Instead, Karakurt actors have claimed to have stolen data and threatened to auction it off or release it publicly unless they receive the demanded ransom payment.

Documented ransom demands have ranged from $25,000 to $13,000,000 in Bitcoin, with payment deadlines usually set within a week of first contact with the victim. Karakurt actors have typically provided screenshots or copies of stolen file directories as proof of data theft.

Interaction with Victims

Karakurt actors have contacted victims' employees, business partners, and clients with intimidating emails and phone calls to pressure the victims into cooperating. These emails have contained stolen data, including social security numbers, financial accounts, confidential corporate emails, and sensitive business information belonging to employees or clients.

After a ransom is paid, Karakurt actors have typically provided some form of confirmation that the files were deleted and, on occasion, a brief description of how the initial breach occurred.

Karakurt's Online Presence

Until January 5, 2022, Karakurt maintained a leak and auction website at https://karakurt[.]group. The domain and IP address that originally hosted the website went offline in the spring of 2022. The website is no longer accessible on the public internet, though there are indications that it is present on the deep and dark web.

As of May 2022, the site contained multiple terabytes of data purported to belong to victims across North America and Europe. The site also featured several "press releases" naming victims who had not complied, along with instructions for taking part in the victim data "auctions."
