[BreachExchange] Conti Encrypts Karma Ransom Note in Same Victim Network

Terrell Byrd terrell.byrd at riskbasedsecurity.com
Tue Mar 1 09:45:46 EST 2022


https://www.infosecurity-magazine.com/news/conti-encrypts-karma-ransomware/

Security researchers have revealed how two ransomware groups clashed inside
the same victim organization, with one encrypting the other’s ransom note.

The unnamed Canadian healthcare organization (HCO) was struck by both Conti
and Karma ransomware. However, while the latter stole data but did not
encrypt it because of the victim’s status as a healthcare provider, the
former had no such qualms, according to Sophos senior threat researcher
Sean Gallagher.

“To be hit by a dual ransomware attack is a nightmare scenario for any
organization. Across the estimated timeline there was a period of around
four days when the Conti and Karma attackers were simultaneously active in
the target’s network, moving around each other, downloading and running
scripts, installing Cobalt Strike beacons, collecting and exfiltrating
data, and more,” he explained.

“Karma deployed the final stage of its attack first, dropping an extortion
notice on computers demanding a Bitcoin payment in exchange for not
publishing stolen data. Then Conti struck, encrypting the target’s data in
a more traditional ransomware attack. In a strange twist, the Conti
ransomware encrypted Karma’s extortion notes.”

Karma’s attack began in August, when a likely initial access broker found an
unpatched Microsoft Exchange server and compromised it via a ProxyShell
exploit. Almost four months then passed before the Karma group picked up
the lead, reconnecting with an admin account from a compromised workstation
over RDP.

They dropped Cobalt Strike beacons with a PowerShell script on multiple
servers, collected data and used a compromised server to upload the files
to a Mega account, Gallagher explained.

The HCO called Sophos to help with the attack once the ransom note landed
on December 3, but just a day later Conti struck, deploying ransomware to
encrypt the HCO’s servers.

Conti gained its initial foothold by exploiting ProxyShell on the same
exposed server, then dropped a web shell, downloaded Cobalt Strike beacons,
used PowerShell for lateral movement and finally exfiltrated data.

“These dual ransom attacks highlight the risks associated with well-known
internet-facing software vulnerabilities – at least, ones that are
well-known to malicious actors but may not be to the organizations running
the affected software,” Gallagher concluded.

“All sizes of organizations can fall behind on vulnerability management –
which is why having multiple layers of defense against malicious activity
is important. Malware protection on servers as well as clients can impede
ransomware operators from using unprotected servers to launch their
attacks.”