OXFORD, U.K.  — février 28, 2022 —

Sophos, a global leader in next-generation cybersecurity, today released findings of a dual ransomware attack where extortion notes left by Karma ransomware operators were encrypted 24 hours later by Conti, another ransomware gang that was in the target’s network at the same time. Sophos details the dual attacks in the article, “Conti and Karma Actors Attack Healthcare Provider at Same Time Through ProxyShell Exploits,” explaining how both operators gained access to the network through an unpatched Microsoft Exchange Server, but then used different tactics to implement their attacks.

“To be hit by a dual ransomware attack is a nightmare scenario for any organization. Across the estimated timeline there was a period of around four days when the Conti and Karma attackers were simultaneously active in the target’s network, moving around each other, downloading and running scripts, installing Cobalt Strike beacons, collecting and exfiltrating data, and more,” said Sean Gallagher, senior threat researcher, Sophos. “Karma deployed the final stage of its attack first, dropping an extortion notice on computers demanding a bitcoin payment in exchange for not publishing stolen data. Then Conti struck, encrypting the target’s data in a more traditional ransomware attack. In a strange twist, the Conti ransomware encrypted Karma’s extortion notes.

“We have seen several cases recently where ransomware affiliates, including affiliates of Conti, used ProxyShell exploits to penetrate targets’ networks. We have also seen examples of multiple actors exploiting the same vulnerability to gain access to a victim. However, very few of those cases involved two ransomware groups simultaneously attacking a target and it shows, literally, how crowded and competitive the ransomware landscape has become.”

The Dual Attack

Sophos believes that the first incident started on Aug. 10, 2021, when attackers, possibly Initial Access Brokers, used a ProxyShell exploit to gain access to the network and establish a foothold on the compromised server. The Sophos investigation showed that almost four months passed before Karma appeared on Nov. 30, 2021, and exfiltrated more than 52 gigabytes of data to the cloud.

On Dec. 3, 2021, three things happened:

  • The Karma attackers dropped an extortion note on 20 computers, demanding a ransom and explaining that they did not encrypt the data because the target was a healthcare provider
  • Conti was quietly operating in the background also exfiltrating data
  • The target started onboarding Sophos’ incident response team to help with Karma

While Sophos was onboarding, Conti deployed its ransomware on Dec. 4, 2021. Sophos subsequently tracked the start of the Conti attack to another ProxyShell exploit leveraged on Nov. 25, 2021.

karma-extortion-attack-flow

 

conti-attack-probable-flow

 

“Whether the initial access broker sold access to two different ransomware affiliates, or whether the vulnerable Exchange server was just an unlucky target for multiple ransomware operators, the fact that a dual attack was possible is a powerful reminder to patch widely known, internet-facing vulnerabilities at the earliest opportunity,” said Gallagher. “Defense-in-depth is vital for identifying and blocking attackers at any stage of the attack chain, while proactive, human-led threat hunting should investigate all potentially suspicious behavior, such as unexpected remote access service logins or the use of legitimate tools outside the normal pattern, as these could be early warning signs of an imminent ransomware attack.”

Sophos endpoint products, such as Intercept X, protect users by detecting the actions and behaviors of ransomware and other attacks, such as those described in this Sophos research. 

For further information read the article, “Conti and Karma Actors Attack Healthcare Provider at Same Time Through ProxyShell Exploits.”

À propos de Sophos

Sophos est un leader mondial de la cybersécurité qui protège 600000organisations à travers le monde grâce à une plateforme optimisée par l’IA et à des services fournis par des experts. Sophos accompagne les entreprises, quel que soit leur niveau de maturité en matière de cybersécurité, et évolue avec elles pour déjouer les cyberattaques. Ses solutions offrent une combinaison optimale entre apprentissage automatique, automatisation et renseignements sur les menaces en temps réel, à laquelle s’ajoute l’expertise humaine de l’équipe Sophos X-Ops, qui travaille en première ligne pour assurer la surveillance, la détection et la réponse aux menaces 24h/24 et 7j/7.
Sophos propose des services managés de détection et de réponse (MDR) de pointe, ainsi qu’un portefeuille complet de technologies de cybersécurité, parmi lesquelles des solutions de sécurité Endpoint, réseau, email et cloud, ainsi que des solutions de détection et de réponse étendues (XDR), de détection et de réponse aux menaces liées à l’identité (ITDR) et de SIEM de nouvelle génération. Associées à des services de conseil spécialisés, ces capacités aident les entreprises à réduire leurs risques de manière proactive et à répondre plus rapidement, tout en bénéficiant de la visibilité et de l’évolutivité nécessaires pour garder une longueur d’avance sur les menaces en constante évolution.
Sophos commercialise ses produits via un écosystème mondial de partenaires, comprenant des fournisseurs de services managés (MSP), des fournisseurs de services de sécurité managés (MSSP), des revendeurs et distributeurs, une marketplace d’intégrations et des partenaires spécialisés dans les cyber risques. Cette stratégie offre aux entreprises la flexibilité nécessaire pour choisir des partenaires de confiance pour protéger leurs opérations.  Le siège de l’entreprise est basé à Oxford, au Royaume-Uni. Plus d’informations sont disponibles sur www.sophos.fr.