A ransomware attack on a Canadian healthcare organization in late 2021 saw two separate threat actors simultaneously inside a company’s network, one exfiltrating data and the other encrypting information, a new Sophos report said.
Karma ransomware operatives demanded bitcoin payment in a ransom note and, less than a day later, Conti, which was simultaneously haunting the same network, encrypted it and the target’s data. Karma said it did not encrypt the exfiltrated data because its target was a medical facility. But Conti had no such modesty.
Two Ransomware Groups Invade One Network?
It’s not at all unusual for a ransomware crew to deploy multiple tactics to squeeze their victims for money, but it is out of the ordinary for one target to be hit by two separate gangs acting at the same time, independently of one another. “We have seen past examples of multiple actors exploiting the same vulnerability to gain access to a victim,” Sophos researcher Sean Gallagher wrote in a blog post. “But very few of those cases have involved two simultaneous ransomware groups.”
The medical facility extortion comes on the heels of the Conti gang’s vitriolic announcement of its support for the Kremlin’s invasion of Ukraine. The gang threatened to use all of its "possible resources to strike back at the critical infrastructures of an enemy." Two days later, however, Conti’s pro-Russia stance cracked a bit when an unidentified hacker, an apparent Ukraine supporter, leaked 13 months of the crime gang’s internal chats.
In the case of the Canadian healthcare attack, both hacker crews gained network access through a vulnerability in Microsoft Exchange Server, Sophos said. The first intrusion using the exploit was on August 10, 2021, according to the blog; a second set of intrusions using the ProxyShell exploit chain occurred on November 11. Both attackers gained entry via ProxyShell exploits, which target CVE-2021-34473, CVE-2021-34523, and CVE-2021-31207 in Microsoft’s Exchange Server platform. On November 30, Karma exfiltrated 52 gigabytes of data.
On December 3, Karma’s ransom note appeared on employees’ workstations and servers, saying that data had been exfiltrated but not encrypted in deference to the healthcare organization’s status.
Sophos Security Guidance to MSSPs, MSPs and Customers
Four takeaways from the Sophos blog:
- Organizations running Internet-facing software should assume that any vulnerabilities in it are already well known to malicious actors, even if they are not yet known to the organization itself.
- Organizations of any size can lag behind on vulnerability management, which is why having multiple layers of defense against malicious activity is important.
- The three-month lag between the initial intrusion and the ransom activity suggests that an “access broker” found the ProxyShell vulnerability and sold that access to Karma and Conti affiliates.
- Despite network monitoring and some malware defenses, both attackers in this case were able to largely accomplish their tactical goals.