Conti and Karma ransomware groups attacked a healthcare provider simultaneously using the same unpatched Microsoft Exchange Server.
While it’s common for ransomware groups to apply double and triple extortion tactics against their victims, it’s quite uncommon for several different groups to attack the same target at the same time.
According to Sean Gallagher, a Senior Threat Researcher at Sophos, in early December, a healthcare provider in Canada was hit by two ransomware actors using different tactics.
While Karma ransomware group exfiltrated data but chose not to encrypt data due to the victim being in healthcare, Conti, unsurprisingly, had no such restraint.
“To be hit by a dual ransomware attack is a nightmare scenario for any organization. Across the estimated timeline, there was a period of around four days when the Conti and Karma attackers were simultaneously active in the target’s network,” Gallagher said.
According to the report, both attackers gained entry via ProxyShell exploits. ProxyShell is an attack chain designed to exploit three separate vulnerabilities (CVE-2021-34473, CVE-2021-34523, and CVE-2021-31207) on Microsoft’s Exchange Server platform.
While, according to Gallagher, it’s not uncommon for ransomware gangs to use ProxyShell exploits to penetrate victim’s networks, it’s very rare to see several groups focusing on the same target.
“However, very few of those cases involved two ransomware groups simultaneously attacking a target, and it shows, literally, how crowded and competitive the ransomware landscape has become,” Gallagher said.
Sophos believes that initial access brokers likely penetrated the network on August 10. Three months later, on November 30, Karma appeared and exfiltrated 52 gigabytes of data.
Even though the Karma gang dropped a ransomware note on December 3, the group did not encrypt the data belonging to a healthcare provider.At the same time, Conti ransomware was exfiltrating the data. On December 4, the group deployed ransomware from compromised servers and encrypted organizations’ data.
“Whether the initial access broker sold access to two different ransomware affiliates, or whether the vulnerable Exchange server was just an unlucky target for multiple ransomware operators, the fact that a dual attack was possible is a powerful reminder to patch widely known, internet-facing vulnerabilities at the earliest opportunity,” Gallagher explained.
The last 18 months were ripe with major high-profile cyberattacks, such as the SolarWinds hack, attacks against the Colonial Pipeline, meat processing company JBS, and software firm Kaseya.
While pundits talk of a ransomware gold rush, research shows that a staggering 74% of all ransomware revenue went to threat actors affiliated with Russia last year.
In other words, around $400 million worth of cryptocurrency ended up filling the pockets of cyber criminals connected to Russia in some form.
Conti is also a Russia-linked ransomware gang. After Russia invaded Ukraine, the group declared its full support for the Russian government.
Apparently, not everyone was happy with the announcement. An unidentified hacker released 13 months’ worth of leaked communications from Conti group members and affiliates.
“The contents of the first [information] dump contain the chat communications – current, as of today – of the Conti ransomware gang. We promise it is very interesting,” the statement on the leak said.
More from Cybernews:
Subscribe to our newsletter