What’s worse than being hit by a ransomware attack out of the blue? In early December, a Canadian organization discovered the answer in the worst possible way: get ransomed by a second, entirely different attack, on the same day.
Being attacked simultaneously by two different ransomware groups is supposed to be rare—or perhaps it’s just that victims aren’t in a hurry to advertise being compromised twice, so it seems less common than it is.
Either way, the dual attack documented by security vendor Sophos on the unnamed healthcare company makes for stressful if informative reading.
Attack 1
The first attack unfolded first thing on Dec. 3, 2021, when IT staff were told that ransomware notes from the Karma group had appeared on the screens of about 20 computers.
The small piece of good news is that when the attackers realized the organization operated in healthcare, as an act of mercy they decided not to encrypt any files. Instead, the attackers had exfiltrated 52 GB of data, which would presumably be publicly released if a ransom wasn’t paid.
Attack 2
Within hours of the organization engaging the services of the Sophos Rapid Response service to help with the Karma attack, a second ransomware attack struck, this time the work of the Conti group (the internal logs of this infamous group were coincidentally recently leaked over their support for Russia’s invasion of Ukraine). This more orthodox attack exfiltrated 10.7 GB of data before encrypting files on an unspecified number of workstations.
How did this happen?
The fact the attacks happened within hours of one another was a coincidence, but the timeline for each, and the techniques used, are nevertheless revealing.
According to Sophos, the origin of the Karma compromise started months earlier in August when an attacker exploited the well-publicized Microsoft Exchange ProxyShell vulnerabilities (CVE-2021-34473, CVE-2021-34523, and CVE-2021-31207).
This made it possible to create a rogue admin account, which retrieved scripts from remote servers to spread, with the goal of setting up persistent access. The attack then went into hibernation—Sophos speculates that this suggests the attacker sold access to a second group—which weeks later used Remote Desktop Protocol (RDP) to connect to the admin account and install the Cobalt Strike pen testing tool that’s become popular with ransomware hackers.
The second attack, by Conti, achieved a compromise on Nov. 25 by exploiting the same Exchange ProxyShell flaws, and Cobalt Strike/remote RDP access method.
The Learning
In a way, the victim was lucky—it had engaged a security vendor to help it just before the second attack struck. This shortened the incident response window.
As to the root causes, the unpatched Exchange vulnerabilities allowed both groups to launch the compromise in the first place. It’s not clear what delayed patching, but it appears the organization didn’t protect all servers with anti-malware, another oversight.
There was a time when defenders had a grace period to patch. No more. When flaws in popular business software products become public knowledge, threat groups start scanning immediately, building inventories of vulnerable systems to target.
On this occasion, two separate groups picked up on the organization’s vulnerability. At that point, it becomes a race to see which group can extort first. What started as a software flaw in a healthcare company ended with that organization being fought over like a hunk of prize meat.
With the involvement of Sophos, the victim was able to clean the infection and, presumably, return to a somewhat chastened normality. As for the lost data, that’s gone forever and can’t be un-stolen. The negative consequences of that part of the attack lie in the future.