OXFORD, U.K.  — 二月 28, 2022 —

Sophos, a global leader in next-generation cybersecurity, today released findings of a dual ransomware attack where extortion notes left by Karma ransomware operators were encrypted 24 hours later by Conti, another ransomware gang that was in the target’s network at the same time. Sophos details the dual attacks in the article, “Conti and Karma Actors Attack Healthcare Provider at Same Time Through ProxyShell Exploits,” explaining how both operators gained access to the network through an unpatched Microsoft Exchange Server, but then used different tactics to implement their attacks.

“To be hit by a dual ransomware attack is a nightmare scenario for any organization. Across the estimated timeline there was a period of around four days when the Conti and Karma attackers were simultaneously active in the target’s network, moving around each other, downloading and running scripts, installing Cobalt Strike beacons, collecting and exfiltrating data, and more,” said Sean Gallagher, senior threat researcher, Sophos. “Karma deployed the final stage of its attack first, dropping an extortion notice on computers demanding a bitcoin payment in exchange for not publishing stolen data. Then Conti struck, encrypting the target’s data in a more traditional ransomware attack. In a strange twist, the Conti ransomware encrypted Karma’s extortion notes.

“We have seen several cases recently where ransomware affiliates, including affiliates of Conti, used ProxyShell exploits to penetrate targets’ networks. We have also seen examples of multiple actors exploiting the same vulnerability to gain access to a victim. However, very few of those cases involved two ransomware groups simultaneously attacking a target and it shows, literally, how crowded and competitive the ransomware landscape has become.”

The Dual Attack

Sophos believes that the first incident started on Aug. 10, 2021, when attackers, possibly Initial Access Brokers, used a ProxyShell exploit to gain access to the network and establish a foothold on the compromised server. The Sophos investigation showed that almost four months passed before Karma appeared on Nov. 30, 2021, and exfiltrated more than 52 gigabytes of data to the cloud.

On Dec. 3, 2021, three things happened:

  • The Karma attackers dropped an extortion note on 20 computers, demanding a ransom and explaining that they did not encrypt the data because the target was a healthcare provider
  • Conti was quietly operating in the background also exfiltrating data
  • The target started onboarding Sophos’ incident response team to help with Karma

While Sophos was onboarding, Conti deployed its ransomware on Dec. 4, 2021. Sophos subsequently tracked the start of the Conti attack to another ProxyShell exploit leveraged on Nov. 25, 2021.

karma-extortion-attack-flow

 

conti-attack-probable-flow

 

“Whether the initial access broker sold access to two different ransomware affiliates, or whether the vulnerable Exchange server was just an unlucky target for multiple ransomware operators, the fact that a dual attack was possible is a powerful reminder to patch widely known, internet-facing vulnerabilities at the earliest opportunity,” said Gallagher. “Defense-in-depth is vital for identifying and blocking attackers at any stage of the attack chain, while proactive, human-led threat hunting should investigate all potentially suspicious behavior, such as unexpected remote access service logins or the use of legitimate tools outside the normal pattern, as these could be early warning signs of an imminent ransomware attack.”

Sophos endpoint products, such as Intercept X, protect users by detecting the actions and behaviors of ransomware and other attacks, such as those described in this Sophos research. 

For further information read the article, “Conti and Karma Actors Attack Healthcare Provider at Same Time Through ProxyShell Exploits.”

关于 Sophos

Sophos 是全球领先的先进安全解决方案提供商和创新者,全面安全解决方案涵盖托管式侦测与响应 (MDR) 和事件响应服务,以及广泛的端点、网络、电子邮件和云安全技术。作为最大的纯网络安全厂商之一,Sophos 为全球超过 600,000 家企业和超过 1 亿用户提供防御主动攻击对手、勒索软件、网络钓鱼、恶意软件等威胁的保护。Sophos 的服务和产品通过 Sophos Central 管理控制台连接,并得到公司内部的跨领域威胁情报部门 Sophos X-Ops 的支持。Sophos X-Ops 情报优化整个 Sophos Adaptive Cybersecurity Ecosystem 自适应网络安全生态体系,包括一个中央数据湖,为客户、合作伙伴、开发人员和其他网络安全与信息技术供应商提供一组丰富的开放 API。Sophos为需要完全托管的安全解决方案的组织提供网络安全即服务。客户还可以直接利用 Sophos 的安全运行平台管理其网络安全,或者采用混合方法,为内部团队补充 Sophos 服务(包括威胁追踪与修复)。Sophos 通过世界各地的经销商合作伙伴和托管服务供应商 (MSP) 销售。Sophos 总部位于英国牛津。如欲了解更多信息,请访问 www.sophos.com