© OKN MEDIA PUBLISHING 2022 - All rights reserved

Sophos Research Details How Conti Gang, Karma Dual Ransomware Attack Hold Business Hostage

By Yusuf Abubakar
Published: March 9, 2022

Sophos, a global leader in next-generation cybersecurity, today released findings of a dual ransomware attack where extortion notes left by Karma ransomware operators were encrypted 24 hours later by Conti, another ransomware gang that was in the target’s network at the same time.

Sophos details the dual attacks in the article, “Conti and Karma Actors Attack Healthcare Provider at Same Time Through ProxyShell Exploits,” explaining how both operators gained access to the network through an unpatched Microsoft Exchange Server, but then used different tactics to implement their attacks.

“To be hit by a dual ransomware attack is a nightmare scenario for any organization. Across the estimated timeline there was a period of around four days when the Conti and Karma attackers were simultaneously active in the target’s network, moving around each other, downloading and running scripts, installing Cobalt Strike beacons, collecting and exfiltrating data, and more,” said Sean Gallagher, senior threat researcher, Sophos. “Karma deployed the final stage of its attack first, dropping an extortion notice on computers demanding a bitcoin payment in exchange for not publishing stolen data. Then Conti struck, encrypting the target’s data in a more traditional ransomware attack. In a strange twist, the Conti ransomware encrypted Karma’s extortion notes.

“We have seen several cases recently where ransomware affiliates, including affiliates of Conti, used ProxyShell exploits to penetrate targets’ networks. We have also seen examples of multiple actors exploiting the same vulnerability to gain access to a victim. However, very few of those cases involved two ransomware groups simultaneously attacking a target and it shows, literally, how crowded and competitive the ransomware landscape has become.”

The Dual Attack

Sophos believes that the first incident started on Aug. 10, 2021, when attackers, possibly Initial Access Brokers, used a ProxyShell exploit to gain access to the network and establish a foothold on the compromised server. The Sophos investigation showed that almost four months passed before Karma appeared on Nov. 30, 2021, and exfiltrated more than 52 gigabytes of data to the cloud.

On Dec. 3, 2021, three things happened:

  • The Karma attackers dropped an extortion note on 20 computers, demanding a ransom and explaining that they did not encrypt the data because the target was a healthcare provider
  • Conti was quietly operating in the background, also exfiltrating data
  • The target started onboarding Sophos’ incident response team to help with Karma

While Sophos was onboarding, Conti deployed its ransomware on Dec. 4, 2021. Sophos subsequently tracked the start of the Conti attack to another ProxyShell exploit leveraged on Nov. 25, 2021.

“Whether the initial access broker sold access to two different ransomware affiliates, or whether the vulnerable Exchange server was just an unlucky target for multiple ransomware operators, the fact that a dual attack was possible is a powerful reminder to patch widely known, internet-facing vulnerabilities at the earliest opportunity,” said Gallagher. “Defense-in-depth is vital for identifying and blocking attackers at any stage of the attack chain, while proactive, human-led threat hunting should investigate all potentially suspicious behavior, such as unexpected remote access service logins or the use of legitimate tools outside the normal pattern, as these could be early warning signs of an imminent ransomware attack.”

Sophos endpoint products, such as Intercept X, protect users by detecting the actions and behaviors of ransomware and other attacks, such as those described in this Sophos research. 

For further information read the article, “Conti and Karma Actors Attack Healthcare Provider at Same Time Through ProxyShell Exploits.”

Additional Resources

  • Further details on the evolving cyberthreat landscape can be found in the Sophos 2022 Threat Report
  • Tactics, techniques, and procedures (TTPs) and more for different types of threats are available on SophosLabs Uncut, which provides Sophos’ latest threat intelligence
  • Information on attacker behaviors, incident reports and advice for security operations professionals is available on Sophos News SecOps
  • Learn more about Sophos’ Rapid Response Service that contains, neutralizes and investigates attacks 24/7
  • The four top tips for responding to a security incident from Sophos Rapid Response and the Managed Threat Response Team
  • Read the latest security news and views on Sophos’ award-winning news website Naked Security and on Sophos News 