OXFORD, U.K.  — Fevereiro 28, 2022 —

Sophos, a global leader in next-generation cybersecurity, today released findings of a dual ransomware attack where extortion notes left by Karma ransomware operators were encrypted 24 hours later by Conti, another ransomware gang that was in the target’s network at the same time. Sophos details the dual attacks in the article, “Conti and Karma Actors Attack Healthcare Provider at Same Time Through ProxyShell Exploits,” explaining how both operators gained access to the network through an unpatched Microsoft Exchange Server, but then used different tactics to implement their attacks.

“To be hit by a dual ransomware attack is a nightmare scenario for any organization. Across the estimated timeline there was a period of around four days when the Conti and Karma attackers were simultaneously active in the target’s network, moving around each other, downloading and running scripts, installing Cobalt Strike beacons, collecting and exfiltrating data, and more,” said Sean Gallagher, senior threat researcher, Sophos. “Karma deployed the final stage of its attack first, dropping an extortion notice on computers demanding a bitcoin payment in exchange for not publishing stolen data. Then Conti struck, encrypting the target’s data in a more traditional ransomware attack. In a strange twist, the Conti ransomware encrypted Karma’s extortion notes.

“We have seen several cases recently where ransomware affiliates, including affiliates of Conti, used ProxyShell exploits to penetrate targets’ networks. We have also seen examples of multiple actors exploiting the same vulnerability to gain access to a victim. However, very few of those cases involved two ransomware groups simultaneously attacking a target and it shows, literally, how crowded and competitive the ransomware landscape has become.”

The Dual Attack

Sophos believes that the first incident started on Aug. 10, 2021, when attackers, possibly Initial Access Brokers, used a ProxyShell exploit to gain access to the network and establish a foothold on the compromised server. The Sophos investigation showed that almost four months passed before Karma appeared on Nov. 30, 2021, and exfiltrated more than 52 gigabytes of data to the cloud.

On Dec. 3, 2021, three things happened:

  • The Karma attackers dropped an extortion note on 20 computers, demanding a ransom and explaining that they did not encrypt the data because the target was a healthcare provider
  • Conti was quietly operating in the background also exfiltrating data
  • The target started onboarding Sophos’ incident response team to help with Karma

While Sophos was onboarding, Conti deployed its ransomware on Dec. 4, 2021. Sophos subsequently tracked the start of the Conti attack to another ProxyShell exploit leveraged on Nov. 25, 2021.

karma-extortion-attack-flow

 

conti-attack-probable-flow

 

“Whether the initial access broker sold access to two different ransomware affiliates, or whether the vulnerable Exchange server was just an unlucky target for multiple ransomware operators, the fact that a dual attack was possible is a powerful reminder to patch widely known, internet-facing vulnerabilities at the earliest opportunity,” said Gallagher. “Defense-in-depth is vital for identifying and blocking attackers at any stage of the attack chain, while proactive, human-led threat hunting should investigate all potentially suspicious behavior, such as unexpected remote access service logins or the use of legitimate tools outside the normal pattern, as these could be early warning signs of an imminent ransomware attack.”

Sophos endpoint products, such as Intercept X, protect users by detecting the actions and behaviors of ransomware and other attacks, such as those described in this Sophos research. 

For further information read the article, “Conti and Karma Actors Attack Healthcare Provider at Same Time Through ProxyShell Exploits.”

Sobre a Sophos

Líder em segurança cibernética, a Sophos trabalha na defesa de 600.000 organizações mundialmente com uma plataforma impulsionada por IA e serviços conduzidos por peritos. A Sophos atende às organizações em qualquer estágio de sua maturidade em segurança e acompanha o seu crescimento para vencer a luta cibernética. Suas soluções combinam Machine Learning, automação e inteligência de ameaça em tempo real com a perícia humana do Sophos X-Ops na linha de frente para prestar 24 horas diárias de serviços avançados de monitoramento, detecção e resposta.
A Sophos oferece serviço gerenciado de detecção e resposta (MDR) líder do setor, acompanhado de um extenso portfólio de tecnologias de segurança cibernética — incluindo segurança de endpoint, rede, e-mail e nuvem, detecção e resposta estendidas (XDR), detecção e resposta a ameaças à identidade (ITDR) e SIEM Next-Gen. Em conjunto com serviços de consultoria especializada, esses recursos ajudam as organizações a reduzir riscos e acelerar respostas proativamente, com a visibilidade e escalabilidade necessárias para ficar à frente das ameaças.
A Sophos se coloca no mercado com um ecossistema de parcerias globais, incluindo Provedores de serviços gerenciados (MSPs), Provedores de serviços de segurança gerenciados (MSSPs), revendas e distribuidores, integrações no Marketplace e parceiros de risco cibernético, dando flexibilidade às organizações para escolher relações de confiança ao proteger seus negócios.  A Sophos está sediada em Oxford, no Reino Unido. Mais informações se encontram disponíveis no site www.sophos.com.