
A deep dive into the Petaluma Health Center data breach

We learned this week that the digital tranquility of our Sonoma County community was disrupted in late April, when Petaluma Health Center became the victim of a data breach. The orchestrators of this cybercrime were Karakurt, a cybercrime group notorious for its strategic and relentless tactics. To fully grasp the implications of this incident, we must understand the modus operandi of these cyber marauders.

Karakurt navigates the digital realm with a unique blend of tactics. One of their key strategies involves exploiting a thriving underground market where stolen login credentials are bought and sold. In some instances, they even purchase access to systems that other cybercriminals have already compromised, or ally themselves with these criminals to gain the required access.

Once they find a vulnerable system, they make their move. They exploit a variety of weaknesses, from outdated security appliances such as SonicWall SSL VPN and Fortinet FortiGate SSL VPN devices to more direct tactics like spear-phishing. They have also been known to use stolen VPN or Remote Desktop Protocol (RDP) credentials to gain a foothold on outdated Microsoft Windows Server instances.

In the case of Petaluma Health Center, Karakurt reportedly paid for access to an already compromised system. Once inside, they deployed their toolkit to explore the network, harvest credentials, and take remote control of devices. Their technique involves exfiltrating large volumes of data, often exceeding 1 terabyte, using open-source applications and FTP services.
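The bulk FTP exfiltration described above is one of the few Karakurt behaviours a defender can look for directly in network telemetry. The following is an added example, not code from the article or from any vendor: it reads constructed flow records (timestamp, source, destination, destination port, bytes out), assumes the RFC 1918 ranges are internal, and flags any internal host that both opened an FTP control connection (port 21) to an external address and pushed more than a configurable volume to that same address, since passive-mode FTP data flows land on ephemeral ports rather than port 21.

```python
import ipaddress
from collections import defaultdict

# Constructed sample flow records (not taken from the article):
# timestamp,src_ip,dst_ip,dst_port,bytes_out
SAMPLE_FLOWS = """\
2023-04-28T02:10:11Z,10.20.5.14,203.0.113.45,21,4096
2023-04-28T02:10:12Z,10.20.5.14,203.0.113.45,50234,734003200
2023-04-28T02:15:40Z,10.20.5.14,203.0.113.45,50235,812000000
2023-04-28T02:16:02Z,10.20.5.14,203.0.113.45,50236,655360000
2023-04-28T02:20:00Z,10.20.5.22,10.20.9.3,21,52428800
2023-04-28T02:21:00Z,10.20.5.31,198.51.100.7,443,1048576
"""

# Assumption: RFC 1918 space is "internal"; everything else is external.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_internal(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def parse_flows(text: str) -> list[tuple[str, str, str, int, int]]:
    """Parse CSV flow lines into (ts, src, dst, dst_port, bytes_out)."""
    flows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, port, nbytes = line.split(",")
        flows.append((ts, src, dst, int(port), int(nbytes)))
    return flows


def flag_ftp_bulk_egress(flows, threshold_bytes: int = 1024 ** 3):
    """Return (src, dst, total_bytes) for internal->external pairs that
    had an FTP control connection and exceeded threshold_bytes outbound."""
    volume = defaultdict(int)   # total outbound bytes per (src, dst)
    ftp_control = set()         # pairs that saw a port-21 connection
    for _ts, src, dst, port, nbytes in flows:
        if not is_internal(src) or is_internal(dst):
            continue            # only internal -> external traffic counts
        volume[(src, dst)] += nbytes
        if port == 21:
            ftp_control.add((src, dst))
    return sorted((src, dst, total) for (src, dst), total in volume.items()
                  if (src, dst) in ftp_control and total >= threshold_bytes)


if __name__ == "__main__":
    for src, dst, total in flag_ftp_bulk_egress(parse_flows(SAMPLE_FLOWS)):
        print(f"ALERT {src} -> {dst}: {total / 1024**3:.2f} GiB after FTP control")
```

Run against real NetFlow or firewall exports, the pair-level aggregation matters more than the threshold: a single slow trickle to one external host over a weekend is exactly the pattern a per-flow byte alarm misses.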

The assault doesn't end with data theft. Karakurt then enters the phase of extortion. Armed with the stolen data, they issue a ransom note, threatening to publicly release or auction the sensitive data. Their pressure campaign is relentless, harassing not only the victims' employees but also business partners and clients with emails and phone calls. The negotiation for ransom, typically demanded in Bitcoin, happens via an encrypted chat application.

However, paying the ransom doesn't guarantee safety. There have been instances where Karakurt failed to maintain confidentiality, despite receiving the ransom. In certain cases, they've also exaggerated the volume or value of stolen data.

The breach at Petaluma Health Center underscores the urgent need for robust cybersecurity measures across all sectors in Sonoma County. It's vital that we regularly update system software, enforce strong password policies, and foster a culture of cybersecurity awareness. Cyber threats are on the rise, and we must stand vigilant, proactive, and united in our efforts to protect our community.

Our reporter spoke with a senior officer of the hospital who specifically identified Karakurt as the attacker.

Additional attribution

https://www.databreaches.net/looks-like-karakurt-is-back/ (Specific Petaluma reference)

https://healthitsecurity.com/news/karakurt-ransomware-group-targets-methodist-mckinney-hospital-in-cyberattack (Specific Petaluma reference)

https://www.jdsupra.com/legalnews/petaluma-health-center-files-official-5515492/ (Background) (Notice of data breach)

https://www.redpacketsecurity.com/karakurt-ransomware-victim-petaluma-health-center/ (Specifically links Karakurt and PHS)

https://www.cisa.gov/news-events/cybersecurity-advisories/aa22-152a (Background)

https://thehackernews.com/2021/12/karakurt-new-emerging-data-theft-and.html?m=1 (Background)

https://www.techrepublic.com/article/dealing-with-karakurt-team-data-theft-extortion/ (Background)

https://www.pressdemocrat.com/article/news/sonoma-valley-hospital-hit-by-cybercriminals-with-ransomware-attack/ (Background)

https://www.hhs.gov/sites/default/files/karakurt-threat-profile-analyst-note.pdf (Background)

(This is a bot that checks ransomware leak sites and disseminates the information for several groups that post on Tor)
