Conti and Karma actors attack healthcare provider at same time through ProxyShell exploits

Kongo

Level 35
Thread author
Verified
Top Poster
Well-known
Feb 25, 2017
2,481
In early December, a healthcare provider in Canada was hit by two separate ransomware actors with very different tactics. The first ransomware group, identified as Karma, exfiltrated data but did not encrypt the target’s systems—because the targeted organization was in healthcare, they claimed in the ransom note dropped on the target’s PCs.
The second group, identified as Conti, came onto the network later, but had no such reservations. Less than a day after the Karma gang dropped their ransom notes, the Conti actors deployed their ransomware. Sophos’ Rapid Response team had just begun talking with the targeted company hours earlier, and the customer had not yet deployed Sophos’ software to the portion of the network where ransomware had been staged by the Conti gang. Existing (non-Sophos) anti-malware measures did not impede the attack.
We have several cases of ransomware affiliates using ProxyShell to penetrate victims’ networks recently, including affiliates of Conti. And we have seen past examples of multiple actors exploiting the same vulnerability to gain access to a victim. But , very few of those cases have involved two simultaneous ransomware groups.

Source: Conti and Karma actors attack healthcare provider at same time through ProxyShell exploits
 

About us

  • MalwareTips is a community-driven platform providing the latest information and resources on malware and cyber threats. Our team of experienced professionals and passionate volunteers work to keep the internet safe and secure. We provide accurate, up-to-date information and strive to build a strong and supportive community dedicated to cybersecurity.

User Menu

Follow us

Follow us on Facebook or Twitter to know first about the latest cybersecurity incidents and malware threats.

Top