A healthcare vendor with unpatched Exchange servers and under-protected systems scored a first in the world of cyber incidents.

On 10 August last year, a healthcare provider’s unpatched Microsoft Exchange Server was infiltrated by Karma ransomware attackers. Exfiltration of data (52GB) occurred only on 2 Dec, more than three months later.

Meanwhile, through the same ProxyShell exploit (CVE-2021-34473, CVE-2021-34523, and CVE-2021-31207), another ransomware group—Conti—had broken into the system on 25 Nov.

On 3 Dec, the Karma attackers announced the attack by displaying an extortion note on 20 computers. The note demanded a ransom and explained that no data had been encrypted because the target was a healthcare provider.

Yet Conti ransomware was lurking in the background exfiltrating data (10.7GB), and on 4 Dec the group launched its own attack with its own ransom note, and even proceeded to encrypt the existing Karma extortion note!

Commenting on this dual ransomware attack, Sean Gallagher, Senior Threat Researcher of the Sophos team handling the incident, said: “To be hit by a dual ransomware attack is a nightmare scenario for any organization. Across the estimated timeline there was a period of around four days when the Conti and Karma attackers were simultaneously active in the target’s network, moving around each other, downloading and running scripts, installing Cobalt Strike beacons, collecting and exfiltrating data, and more. We have seen several cases recently where ransomware affiliates, including affiliates of Conti, used ProxyShell exploits to penetrate targets’ networks. We have also seen examples of multiple actors exploiting the same vulnerability to gain access to a victim. But very few of those cases involved two ransomware groups simultaneously attacking a target.”

Despite network monitoring and some malware defenses, both threat groups largely achieved their tactical goals because only a few systems had Sophos malware protection at the time of the Conti attack. On the few systems where Sophos had been deployed, ransomware protection detected Conti launching, but the ransomware was being launched from servers that had no protection.