Connect with us

Hi, what are you looking for?

HEADLINES

Conti gang encrypts Karma’s extortion notes in dual ransomware attack – Sophos

Sophos details the dual attacks in the article, “Conti and Karma Actors Attack Healthcare Provider at Same Time Through ProxyShell Exploits,” explaining how both operators gained access to the network through an unpatched Microsoft Exchange Server, but then used different tactics to implement their attacks.

Sophos, a global player in next-generation cybersecurity, released findings of a dual ransomware attack where extortion notes left by Karma ransomware operators were encrypted 24 hours later by Conti, another ransomware gang that was in the target’s network at the same time.

Sophos details the dual attacks in the article, “Conti and Karma Actors Attack Healthcare Provider at Same Time Through ProxyShell Exploits,” explaining how both operators gained access to the network through an unpatched Microsoft Exchange Server, but then used different tactics to implement their attacks.

“To be hit by a dual ransomware attack is a nightmare scenario for any organization. Across the estimated timeline there was a period of around four days when the Conti and Karma attackers were simultaneously active in the target’s network, moving around each other, downloading and running scripts, installing Cobalt Strike beacons, collecting and exfiltrating data, and more,” said Sean Gallagher, senior threat researcher, Sophos. “Karma deployed the final stage of its attack first, dropping an extortion notice on computers demanding a bitcoin payment in exchange for not publishing stolen data. Then Conti struck, encrypting the target’s data in a more traditional ransomware attack. In a strange twist, the Conti ransomware encrypted Karma’s extortion notes.

“We have seen several cases recently where ransomware affiliates, including affiliates of Conti, used ProxyShell exploits to penetrate targets’ networks. We have also seen examples of multiple actors exploiting the same vulnerability to gain access to a victim. However, very few of those cases involved two ransomware groups simultaneously attacking a target and it shows, literally, how crowded and competitive the ransomware landscape has become.”

Advertisement. Scroll to continue reading.

The Dual Attack

Sophos believes that the first incident started on Aug. 10, 2021, when attackers, possibly Initial Access Brokers, used a ProxyShell exploit to gain access to the network and establish a foothold on the compromised server. The Sophos investigation showed that almost four months passed before Karma appeared on Nov. 30, 2021, and exfiltrated more than 52 gigabytes of data to the cloud.

On Dec. 3, 2021, three things happened:

  • The Karma attackers dropped an extortion note on 20 computers, demanding a ransom and explaining that they did not encrypt the data because the target was a healthcare provider
  • Conti was quietly operating in the background also exfiltrating data
  • The target started onboarding Sophos’ incident response team to help with Karma

While Sophos was onboarding, Conti deployed its ransomware on Dec. 4, 2021. Sophos subsequently tracked the start of the Conti attack to another ProxyShell exploit leveraged on Nov. 25, 2021.

“Whether the initial access broker sold access to two different ransomware affiliates, or whether the vulnerable Exchange server was just an unlucky target for multiple ransomware operators, the fact that a dual attack was possible is a powerful reminder to patch widely known, internet-facing vulnerabilities at the earliest opportunity,” said Gallagher. “Defense-in-depth is vital for identifying and blocking attackers at any stage of the attack chain, while proactive, human-led threat hunting should investigate all potentially suspicious behavior, such as unexpected remote access service logins or the use of legitimate tools outside the normal pattern, as these could be early warning signs of an imminent ransomware attack.”

Sophos endpoint products, such as Intercept X, protect users by detecting the actions and behaviors of ransomware and other attacks, such as those described in this Sophos research. 

Advertisement. Scroll to continue reading.

Advertisement
Advertisement
Advertisement

Like Us On Facebook

You May Also Like

HEADLINES

Sophos scored the highest overall customer rating of 4.9/5, based on 344 reviews, as of Sept. 30, 2024, with verified customer reviews celebrating Sophos...

HEADLINES

In rigorous evaluations conducted by prestigious cybersecurity testing organizations, Kaspersky Plus (starting in Q4 2024, Kaspersky Premium), Kaspersky Endpoint Security for Business (KESB), and...

HEADLINES

"Given the Philippines' high exposure to cyber threats, it's important for both individuals and businesses to stay vigilant," said Adrian Hia, Managing Director for...

White Papers

When compared to 2023, Sophos saw a 51% increase in abusing “Living off the Land” binaries or LOLbins; since 2021, it’s increased by 83%.

HEADLINES

Someone illegally acquires or uses personal information such as bank account or credit card numbers of another person to obtain money, goods or services....

HEADLINES

To stay ahead of these challenges, organizations need to invest in AI-driven defenses, transition to quantum-safe encryption, and adopt a Zero Trust approach to...

HEADLINES

There was a 121% Year-on-Year (YoY) increase in identity fraud in 2024 across the region, with significant surges recorded in Singapore (207%), Thailand (206%)...

HEADLINES

As part of RCBC’s 2024 Cybersecurity literacy program, the webinar aims to help Filipinos level up their online banking safety by providing them with...

Advertisement