Hackers threaten to auction off DNA patient records from Oklahoma hospital

The McAlester Regional Health Center in Oklahoma is being targeted by a known ransom group claiming to have stolen over 126GB of data from the facility, including a swath of DNA patient records to be auctioned off to the highest bidder.

The ransomware hacker gang, known as Karakurt, posted its plans to publish samples and then auction off 117GB of the hospital's sensitive information on August 1st.

“Those are companies that refused negotiations and are going to be auctioned soon,” the hackers wrote on their dark leak site Friday under a section titled “Pre-Release.”

Karakurt is claiming part of that cache involves at least 40GB of genetic DNA patient records stolen by the group.

Stolen genetic material can be used for nefarious purposes such as blackmail or profiting through fake paternity results. It can also reveal predispositions to disease and existing medical conditions, affecting employment prospects and insurance premiums and even leading to social stigma, according to a DNA theft report by Nature Reviews Genetics.

“Another medical center doesn't care about their patients' data,” Karakurt said about the hospital.

“126GB of this organization data includes medical information, personal documents, financial and accounting data and lots of HR documentation,” the group stated.

“40GB of DNA tests of patients is a bonus! Stay tuned,” it said.

[Image: McAlester Regional Health Center, Karakurt dark leak site]

Located in the City of McAlester, southeast of Oklahoma City, the regional hospital is listed as a 24/7 operating Level III Trauma Center, with 21 medical specialties and a total patient revenue of nearly $250 million.

So far, McAlester hospital officials have not made any public statement about the supposed breach.

The Karakurt gang is also threatening to publish, on August 1st, a much smaller amount of sensitive data allegedly stolen from a second healthcare entity – the Regional Family Medicine primary care group of Arkansas.

In that breach, the group is claiming to have +5GB of SQL data on the medical staff, including social security numbers, medical reports, bank statements, invoices, and other confidential documents.

Karakurt threat group

The Karakurt Data Extortion Group was first profiled by the US Cybersecurity and Infrastructure Security Agency (CISA) in an advisory released in June 2022.

The threat actors are believed to be an offshoot of the infamous Russian-affiliated Conti group, known for their double extortion tactics and aggressive nature.

Also known as the Karakurt team or Karakurt Lair, CISA said the group “employs a variety of tactics, techniques, and procedures (TTPs), creating significant challenges for defense and mitigation.”

[Image: Karakurt dark leak site]

The group does not appear to target any specific sectors or industries. It typically gains access to victims by buying stolen login credentials, or by buying access to already compromised victims through third-party broker networks, according to the advisory.

Karakurt often claims to have stolen data from its victims without actually encrypting compromised machines or files, as other ransom gangs do.

Moreover, the group is known for relentlessly harassing its victims with both emails and phone calls, even harassing a victim's employees, business partners, and clients.

Ransom demands have ranged from $25K to $13M in Bitcoin, with payment deadlines typically set to expire within a week of first contact with the victim, CISA said.

On its dark leak site, Karakurt calls itself “Sofisticated. Evasive. Deep. Persistent.”

Interestingly, the name Karakurt translates to “black wolf” in Turkish and also happens to be the name of the Russian assassin character from the popular US TV show The Blacklist, which ran for ten seasons on NBC from 2013 to 2023.