This is what happens when two ransomware gangs hack the same target - at the same time

To be hit by a dual ransomware attack is a nightmare scenario for any organisation, say security researchers.
Written by Danny Palmer, Senior Writer

A healthcare provider fell victim to two simultaneous cyberattacks by two separate ransomware gangs using different techniques to exploit unpatched security vulnerabilities in Microsoft Exchange Server at the same time, which even led to the second ransomware attack encrypting the ransom note left by the first. 

Detailed by cybersecurity researchers at Sophos, the cyberattacks against the undisclosed Canadian healthcare provider took place in early December 2021, although the investigation into the attacks revealed that the first intrusion into the network took place months beforehand in August. 

It's likely that this first compromise was by an initial access broker, a cyber criminal who looks for vulnerabilities in networks, compromises them and sells access to others on underground forums. 

SEE: Cybersecurity: Let's get tactical (ZDNet special report)

While both campaigns exploited ProxyShell vulnerabilities on Microsoft's Exchange platform (CVE-2021-34473, CVE-2021-34523, and CVE-2021-31207), the two ransomware gangs went about it in different ways. 

The first ransomware group to reveal their attack, identified as Karma, accessed the network on November 30, connecting with an administrator account from a compromised workstation over Remote Desktop Protocol (RDP) functions. Then they used penetration testing tool Cobalt Strike and PowerShell beacons to help gain additional access to the compromised network. 

The Karma attackers also accessed the vulnerable server by RDP, in order to steal over 52GB of data before dropping a ransom note on over 20 computers on December 3. The cyber criminals noted they didn't encrypt the machines because the victim was a healthcare organisation, but they demanded a ransom payment for the return of the stolen data.  

But while this was happening, the network was already compromised by a separate and unrelated cyberattack by Conti, one of the most notorious ransomware gangs, responsible for a string of high-profile attacks

Conti actually gained access to the network before Karma, dropping a ProxyShell exploit to gain access to the same server on November 25. The next stage followed on December 1 when an attacker used a hacked local administrator account to download and install Cobalt Strike beacons and execute PowerShell for lateral movement around the network and collecting data. 

The Conti attackers also exploited compromised RDP credentials in the next stage of the attack, to upload all the data stolen from the servers. Like Karma, this amounted to 52GB of files, which were uploaded to cloud storage. 

It's after the data was stolen that the Conti ransomware payload was dropped from compromised servers, encrypting the healthcare organisation's data a second time – including the earlier ransom notes left by Karma.  

"To be hit by a dual ransomware attack is a nightmare scenario for any organisation. Across the estimated timeline there was a period of around four days when the Conti and Karma attackers were simultaneously active in the target's network, moving around each other," said Sean Gallagher, senior threat researcher at Sophos. 

SEE: Security researchers spot another form of wiper malware

Researchers haven't publicly detailed how the ransomware attacks were resolved, but both Karma and Conti exploited vulnerabilities in Microsoft Exchange that emerged months ahead of the initial network compromise. If the organisation had been able to apply the relevant security updates in a more urgent manner, cyber criminals wouldn't have been able to exploit Microsoft Exchange as an attack vector in the first place. 

Despite network monitoring and some malware protection being in place, both sets of attackers were able to operate inside the network without being detected, a reminder that information security teams should be on the lookout for potentially suspicious behavior to help prevent fully fledged cyber incidents. 

"Defense-in-depth is vital for identifying and blocking attackers at any stage of the attack chain, while proactive, human-led threat hunting should investigate all potentially suspicious behavior, such as unexpected remote access service logins or the use of legitimate tools outside the normal pattern, as these could be early warning signs of an imminent ransomware attack," said Gallagher. 


Editorial standards