Security experts at Sophos have reported a recent scenario in which two competing threat groups deployed ransomware on the victim’s network simultaneously. One of the groups was the Russia-linked Conti APT while the other is known as Karma. Karma counts Russian IP addresses among some of its top targets. The latter APT had already infiltrated the victim’s network via initial entry from an access broker, and waited until late November to take further action. Karma then sold access to the compromised network, in this case, Conti. Karma actors knew that the victim was a healthcare organization, and chose to steal data and threaten to leak that data if payment was not made.
Although 52GB of data was stolen, the organization’s computer systems were not encrypted. Then, Conti began uploading data in a full-scale assault on the target’s network. Conti began its attack on the 2nd of December, and began encrypting systems on the 3rd. The attack occurred so quickly that Karma was still in the process of dropping notes on compromised machines. It is believed that both of the attacks leveraged an unpatched Microsoft Exchange mail server vulnerable to the ProxyShell bugs.
Read More: Healthcare Org Hit By Two Ransomware Gangs At Once