Security researchers have revealed how two ransomware groups clashed inside the same victim organization, with one encrypting the other’s ransom note.
The unnamed Canadian healthcare organization (HCO) was struck by both Conti and Karma ransomware. However, while the latter stole data but did not encrypt due to the victim’s status as a healthcare provider, the former had no such qualms, according to Sophos senior threat researcher, Sean Gallagher.
“To be hit by a dual ransomware attack is a nightmare scenario for any organization. Across the estimated timeline there was a period of around four days when the Conti and Karma attackers were simultaneously active in the target’s network, moving around each other, downloading and running scripts, installing Cobalt Strike beacons, collecting and exfiltrating data, and more,” he explained.
“Karma deployed the final stage of its attack first, dropping an extortion notice on computers demanding a Bitcoin payment in exchange for not publishing stolen data. Then Conti struck, encrypting the target’s data in a more traditional ransomware attack. In a strange twist, the Conti ransomware encrypted Karma’s extortion notes.”
Karma’s attack began in August when a likely initial access broker found an unpatched Microsoft Exchange server they compromised via a ProxyShell exploit. Almost four months then passed before the Karma group picked up the lead, reconnecting with an admin account from a compromised workstation over RDP.
They dropped Cobalt Strike beacons with a PowerShell script on multiple servers, collected data and used a compromised server to upload the files to a Mega account, Gallagher explained.
The HCO called Sophos to help with the attack once the ransom note landed on December 3, but just a day later, Conti struck, deploying ransomware to encrypt its servers.
The group managed to gain an initial foothold by exploiting ProxyShell on the same exposed server before dropping a web shell, downloading Cobalt Strike beacons, using PowerShell for lateral movement and then exfiltrating data.
“These dual ransom attacks highlight the risks associated with well-known internet-facing software vulnerabilities – at least, ones that are well-known to malicious actors but may not be to the organizations running the affected software,” Gallagher concluded.
“All sizes of organizations can fall behind on vulnerability management – which is why having multiple layers of defense against malicious activity is important. Malware protection on servers as well as clients can impede ransomware operators from using unprotected servers to launch their attacks.”