Ransomware anatomy: Dual cyberattacks on provider call for vulnerability review

A new Sophos report on the anatomy of simultaneous ransomware attacks against a healthcare provider organization spotlights vulnerability management considerations and variances into attack methods used by different threat groups.

The analysis centers on two ransomware incidents launched against a Canadian provider in December 2021 by Karma and Conti. Both ransomware groups exploited a known, unpatched vulnerability in the Microsoft Exchange platform with ProxyShell exploits. 

Karma was first to hack into the system, gaining access in mid-August and leveraging ProxyShell to download attack scripts from remote servers. The threat actor reconnected with a compromised admin account over a remote desktop protocol to install additional malicious payloads.

The group’s “actual efforts to more deeply penetrate the network began in earnest weeks later.” The provider’s system logs showed more than 20 failed attempts to connect to other servers on the network, finally establishing a successful connection to the admin account on another web application server.

The access enabled the exfiltration of data “pushing 52GB of archived files up to the cloud,” before leaving a ransom note on the impacted machines. The group opted not to encrypt the data, given its healthcare status.

Conti leveraged the same ProxyShell exploits against several Microsoft Exchange vulnerabilities. The hack gave Conti access to the same server on Nov. 25, during the same period where Karma was reconnecting with the compromised admin account. Conti used the access to collect data via RDP to the impacted server to search folders to identify valuable files.

The data harvesting was followed by the installation of a “Chrome browser and WinRar utility on the main file server to exfiltrate archives to the Mega cloud using an RDP session.” Unlike Karma, Conti had no qualms with encrypting the data and deployed its ransomware after stealing the data. The attack was launched the day after Karma left its ransom demand.

Conti’s attack “took place even as Karma was dropping ransom notes on additional systems,” according to the report. “Meanwhile, the targeted organization’s network defenses detected and blocked Cobalt Strike activity coming from one of the organization’s mail servers (not the one serving as point of entry).” 

How other providers can learn from dual ransomware attack

The attacks demonstrate a number of key elements of interest to other healthcare providers.

Namely, attackers can and will compromise multiple accounts to perpetrate varying types of nefarious activities. As the report shows, Sophos was able to recover part of a script from system logs, which showed the attack searched for software of interest on the victim’s network computers on the network, such as anti-malware and backup software that could interfere with the ransomware’s encryption function.

But, perhaps more importantly, the attacks further iterate the importance of securing software vulnerabilities on any tech that faces the internet. At the very least, healthcare organizations should be swiftly moving to secure well-known security gaps, as it doesn’t take long for hackers to take action.

Part of the challenge in healthcare is that the network complexity and overall medical device ecosystem makes it difficult to locate and remediate these flaws. Providers may also be unaware that their devices are using known, vulnerable software in the first place. Last summer, a number of healthcare security leaders shared that closing all gaps is not a feasible task.

Even without those medical devices security challenges, it’s easy for some entities to fall behind in patching. These elements stressed the importance of applying defense-in-depth measures to better protect servers and patient data.

Lastly, the report again highlights the lengthy proliferation period for attackers. In the named instances, the attackers first gained access three months before deploying ransomware even though the provider had both network monitoring and malware defenses.

The report author notes this could suggest “the likelihood of an ‘access broker’ discovering the ProxyShell vulnerability and either offering it for sale on a marketplace or simply sitting on it until ransomware affiliates wanted it.”

“The ransomware was largely run from servers without protection,” the report author added. “As a result, much of the organization’s data was encrypted, as were the Karma ransom notes.”

While difficult, failing to address vulnerability and patch management challenges could lead to similar events in the U.S. healthcare sector. Healthcare entities should review ransomware insights from Mitre and the Office for Civil Rights to ensure they’re addressing these key security areas.