Conti, Karma Ransomware Groups Target 1 Healthcare Org Simultaneously

March 02, 2022 - Two separate ransomware groups orchestrated simultaneous cyberattacks against a Canadian healthcare organization in late 2021, Sophos disclosed in a recent report. Both Karma and Conti targeted the same organization at the same time with very different tactics.

The unusual occurrence serves as a cautionary tale for US healthcare organizations as threat actors continue to aggressively target healthcare around the world.

The attacks both originated from an unpatched Microsoft Exchange Server that the threat actors exploited with ProxyShell to gain access, Sophos said. Karma exfiltrated data, claiming in its ransomware note that it would not encrypt data because the organization was in the healthcare sector.

Conti, a notorious hacking group responsible for over 400 cyberattacks across the US and internationally, deployed ransomware and encrypted the organization’s data without reservations. Conti recently announced on its leak site that it would support Russia’s invasion of Ukraine and use “retaliatory measures” against the US should it attack Russian critical infrastructure.

Conti actors deployed their ransomware less than 14 hours after Karma infiltrated the healthcare organization’s network.

“We have several cases of ransomware affiliates using ProxyShell to penetrate victims’ networks recently, including affiliates of Conti,” Sophos observed.

“And we have seen past examples of multiple actors exploiting the same vulnerability to gain access to a victim. But, very few of those cases have involved two simultaneous ransomware groups.”

Both ransomware groups leveraged known Microsoft Exchange Server vulnerabilities. The threat actors took advantage of Remote Desktop Protocol (RDP) connections and malicious Cobalt Strike beacons. Karma exfiltrated 52 gigabytes of archived files and Conti exfiltrated an additional 10.7 gigabytes of data.

“These dual ransom attacks highlight the risks associated with well-known Internet-facing software vulnerabilities—at least, ones that are well-known to malicious actors but may not be to the organizations running the affected software,” the report continued.

“All sizes of organizations can fall behind on vulnerability management—which is why having multiple layers of defense against malicious activity is important. Malware protection on servers as well as clients can impede ransomware operators from using unprotected servers to launch their attacks.”

Although this case is particularly unusual, it underscores the importance of patching for known internet-facing vulnerabilities and remaining on high alert for cyberattacks. As geopolitical tensions rise, healthcare organizations could become collateral damage in malicious cyberattacks.

“In this case, the initial access came over 3 months before there was any ransomware activity,” the Sophos report noted.

“This suggests the likelihood of an ‘access broker’ discovering the ProxyShell vulnerability and either offering it for sale on a marketplace or simply sitting on it until ransomware affiliates wanted it.”

Even though the Canadian healthcare organization had some malware defenses in place, the threat actors were largely successful in attacking and exfiltrating data.

All healthcare organizations, regardless of size, should prioritize cybersecurity as cyberattacks continue to burden the sector.