In-Depth Analysis of the Ransomware Attack Targeting Healthcare Organizations – A Comprehensive Investigation

Nina Kovacs — Exploit Research Analyst

Key Takeaways

  • Healthcare organizations are increasingly targeted because patient data is highly sensitive, clinical operations cannot tolerate prolonged downtime, and their environments are often harder to defend than those of other sectors.
  • Initial access came through a phishing email carrying a malicious Office attachment whose macro fetched the second stage.
  • Indicators of compromise (IOCs) included a dropper written under %TEMP% and a persistence entry in the HKCU Run key.

Executive Summary

During our investigation into a recent wave of ransomware attacks against healthcare entities, we observed a consistent set of tactics, techniques, and procedures (TTPs) employed by the actor. Initial access came through a carefully crafted phishing email with a malicious attachment. Our analysis showed that the actor’s objective was to exfiltrate sensitive patient data before deploying the ransomware payload, so that both the stolen data and the encrypted systems could be used to pressure the victim into paying. This report summarizes the steps the actor took, highlighting the techniques leveraged at each stage of the attack chain.

Initial Access

The attack began with a phishing campaign targeting several healthcare providers (T1566.001 – Spearphishing Attachment). In the sample we examined, the email carried an attachment masquerading as an urgent document. The report maps the attachment stage to T1203 – Exploitation for Client Execution (exploitation of a vulnerability in the Microsoft Office client); note that T1203 is not “Exploit Public-Facing Application”, which is T1190 and does not apply to an emailed document. The behaviour we actually observed, an Office document whose macro ran only after the user enabled macros, is better described as user execution of a malicious file (T1204.002) unless a specific Office vulnerability is identified, which the sample analysis did not. Once macros were enabled, the macro downloaded a secondary payload from the actor’s command and control (C2) infrastructure, establishing a foothold within the environment.

Execution & Persistence

Following the initial compromise, we identified that the implant leveraged T1059 – Command and Scripting Interpreter (the technique the earlier ATT&CK name “Command-Line Interface” referred to) to perform tasks, including the download of additional malware. The dropper, named “Cov ransomware”, was found in the user’s temporary files at %TEMP%\random.exe. We also observed that the actor set up persistence by creating a new value under HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run (T1547.001 – Registry Run Keys / Startup Folder), causing the ransomware to execute automatically each time that user logged on. Because the Run key is evaluated at every logon, this persistence survived the user closing the process, logging off, or rebooting; it did not, however, run under other user accounts, since the key is in the per-user hive rather than HKLM.

Command and Control

Our analysis revealed that the actor’s C2 infrastructure was built to frustrate blocking and attribution. Using a series of dynamic DNS services, the actor frequently rotated domains (T1568 – Dynamic Resolution), so that blocking any single hostname had little lasting effect. The implant beaconed to a domain such as malicious-domain.com (a placeholder for the observed hostname) at a regular interval, using T1071 – Application Layer Protocol to communicate over HTTPS; the TLS encryption prevented content inspection without TLS interception, but the regular timing of the connections remained visible in proxy and firewall logs. This channel served both to receive commands and to exfiltrate the information collected during the intrusion (T1041 – Exfiltration Over C2 Channel).
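The fixed-interval beaconing described above is the one property of the C2 channel that HTTPS does not hide. The following is an added example, not code from the original report, that scores each (host, destination) pair in a constructed proxy log by the regularity of its inter-connection gaps: a low coefficient of variation with enough connections indicates a beacon. The log format, the domain names, the 5-connection minimum and the 0.1 cut-off are assumptions chosen for illustration.

```python
"""Flag hosts that contact an external domain at a near-constant interval.

Added example, not from the original report. The log below is constructed
to resemble a proxy log (timestamp, source host, destination, port); the
hosts, domains and thresholds are assumptions.
"""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample: ws-017 beacons to malicious-domain.com roughly every
# 300 s with a few seconds of jitter, and browses a vendor site irregularly.
SAMPLE_LOG = """\
2024-03-04T09:00:00 ws-017 malicious-domain.com 443
2024-03-04T09:05:02 ws-017 malicious-domain.com 443
2024-03-04T09:09:58 ws-017 malicious-domain.com 443
2024-03-04T09:15:01 ws-017 malicious-domain.com 443
2024-03-04T09:20:00 ws-017 malicious-domain.com 443
2024-03-04T09:24:59 ws-017 malicious-domain.com 443
2024-03-04T09:00:10 ws-017 update.vendor.example 443
2024-03-04T09:00:11 ws-017 update.vendor.example 443
2024-03-04T09:31:40 ws-017 update.vendor.example 443
2024-03-04T09:58:03 ws-017 update.vendor.example 443
2024-03-04T10:02:20 ws-017 update.vendor.example 443
2024-03-04T10:02:21 ws-017 update.vendor.example 443
"""


def parse_log(text):
    """Yield (timestamp, host, domain) from the constructed log format."""
    for line in text.splitlines():
        ts, host, domain, _port = line.split()
        yield datetime.fromisoformat(ts), host, domain


def beacon_candidates(records, min_conns=5, max_cv=0.1):
    """Return {(host, domain): (mean_gap_seconds, cv)} for pairs whose
    inter-connection gaps are regular enough to look like a beacon.

    cv is the coefficient of variation (population stdev / mean) of the
    gaps. Human browsing produces cv well above 0.5; a fixed-interval
    implant with modest jitter sits close to 0.
    """
    times = defaultdict(list)
    for ts, host, domain in records:
        times[(host, domain)].append(ts)

    hits = {}
    for key, ts_list in times.items():
        if len(ts_list) < min_conns:
            continue
        ts_list.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(ts_list, ts_list[1:])]
        m = mean(gaps)
        cv = pstdev(gaps) / m if m else float("inf")
        if cv <= max_cv:
            hits[key] = (round(m, 1), round(cv, 3))
    return hits


if __name__ == "__main__":
    for (host, domain), (gap, cv) in beacon_candidates(parse_log(SAMPLE_LOG)).items():
        print(f"{host} -> {domain}: ~{gap}s interval, cv={cv}")
```

On the sample, the malicious-domain.com pair comes back with a mean gap of about 300 s and a cv below 0.01, while the vendor site is discarded. Implants that add large random jitter or sleep for hours defeat a plain cv threshold; in that case widen the window to days and look at the distribution of gaps rather than a single statistic.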

Lateral Movement & Discovery

After establishing persistence, the actor employed T1021 – Remote Services to move laterally within the network, authenticating with credentials obtained through credential dumping (T1003 – OS Credential Dumping) to reach additional systems. The progression was methodical: the actor used T1083 – File and Directory Discovery to locate sensitive files and shares and to prioritize which data to exfiltrate before the ransomware payload was executed. We also noted the use of T1030 – Data Transfer Size Limits: outbound transfers were split into chunks kept below the per-transfer size thresholds of the organization’s data loss prevention controls, so that no single transfer triggered an alert even though the cumulative volume was large.
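A per-transfer size rule is blind to the chunking described above, so the complementary detection is to aggregate outbound bytes per source and destination over a time window. The following is an added example, not code from the original report: it walks constructed outbound-transfer records in time order, ignores transfers that the ordinary size rule would already catch, and alerts when the windowed sum of small transfers to one destination exceeds an aggregate ceiling. The log format, the addresses, the 10 MiB per-transfer limit and the 50 MiB per hour aggregate limit are assumptions.

```python
"""Detect low-and-slow exfiltration (T1030) by aggregating outbound bytes
per (source, destination) inside a sliding time window.

Added example, not from the original report. Records are constructed:
timestamp, source, destination, bytes. Addresses and limits are assumptions.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

MiB = 1024 * 1024

# Constructed sample. 10.0.5.23 pushes eight chunks of ~9 MB to one external
# host in 35 minutes, each under a 10 MiB per-transfer rule; 10.0.5.40 sends
# one 40 MiB transfer, which the per-transfer rule itself would flag.
SAMPLE = """\
2024-03-04T22:00:00 10.0.5.23 198.51.100.17 9400000
2024-03-04T22:05:00 10.0.5.23 198.51.100.17 9300000
2024-03-04T22:10:00 10.0.5.23 198.51.100.17 9500000
2024-03-04T22:15:00 10.0.5.23 198.51.100.17 9100000
2024-03-04T22:20:00 10.0.5.23 198.51.100.17 9600000
2024-03-04T22:25:00 10.0.5.23 198.51.100.17 9200000
2024-03-04T22:30:00 10.0.5.23 198.51.100.17 9400000
2024-03-04T22:35:00 10.0.5.23 198.51.100.17 9300000
2024-03-04T22:03:00 10.0.5.40 203.0.113.9 41943040
"""


def parse_transfers(text):
    """Return (timestamp, src, dst, bytes) tuples sorted by time."""
    out = []
    for line in text.splitlines():
        ts, src, dst, size = line.split()
        out.append((datetime.fromisoformat(ts), src, dst, int(size)))
    return sorted(out)


def low_and_slow(records, per_transfer_limit=10 * MiB,
                 window=timedelta(hours=1), aggregate_limit=50 * MiB):
    """Return {(src, dst): peak_windowed_bytes} for pairs where every
    transfer stayed under per_transfer_limit but the bytes sent inside any
    `window` exceeded aggregate_limit. Oversized single transfers are left
    to the ordinary size rule and skipped here.
    """
    recent = defaultdict(deque)   # (src, dst) -> (timestamp, bytes) in window
    running = defaultdict(int)    # (src, dst) -> bytes currently in window
    alerts = {}
    for ts, src, dst, size in records:
        if size >= per_transfer_limit:
            continue
        key = (src, dst)
        q = recent[key]
        q.append((ts, size))
        running[key] += size
        # Slide the window: evict transfers older than `window`.
        while q and ts - q[0][0] > window:
            _, old = q.popleft()
            running[key] -= old
        if running[key] > aggregate_limit:
            alerts[key] = max(alerts.get(key, 0), running[key])
    return alerts


if __name__ == "__main__":
    for (src, dst), total in low_and_slow(parse_transfers(SAMPLE)).items():
        print(f"{src} -> {dst}: {total / MiB:.1f} MiB in window")
```

On the sample the alert fires on the sixth chunk, when the windowed sum passes 50 MiB, and the returned peak is the full 74.8 MB. Actors who also spread transfers across many destinations or proxies defeat the per-destination key; keying on source only, at the cost of more noise, catches that variant.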

Impact & Objectives

The ultimate goal of the attack was not merely to disrupt operations through ransomware deployment, but to create urgency: victims were pressured to pay both to regain access to critical systems and to prevent publication of the data exfiltrated earlier. The ransomware payload encrypted user files with strong encryption (T1486 – Data Encrypted for Impact), leaving behind a ransom note demanding payment in cryptocurrency. Our assessment of the impact on the healthcare sector found a significant operational halt, with many systems compromised, patient care delivery affected, and a likely breach of sensitive patient information.

MITRE ATT&CK Mapping

  • T1566.001 – Phishing: Spearphishing Attachment: Malicious Office document delivered by email as the initial access vector.
  • T1203 – Exploitation for Client Execution: The report’s mapping for the attachment stage; see the Initial Access caveat, since the observed macro-based execution matches T1204.002 – User Execution: Malicious File unless a specific Office vulnerability is identified.
  • T1059 – Command and Scripting Interpreter: Execution of commands for further system manipulation and payload download.
  • T1547.001 – Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder: Persistence via the HKCU Run key.
  • T1568 – Dynamic Resolution: Rotation of dynamic DNS domains for C2.
  • T1071 – Application Layer Protocol: HTTPS for C2 communication, blending with normal web traffic.
  • T1003 – OS Credential Dumping: Source of the credentials reused for lateral movement.
  • T1021 – Remote Services: Lateral movement across the network using stolen credentials.
  • T1083 – File and Directory Discovery: Discovery of sensitive files and shares for exfiltration.
  • T1030 – Data Transfer Size Limits: Chunking of outbound data to stay below per-transfer alerting thresholds.
  • T1041 – Exfiltration Over C2 Channel: Exfiltration of collected data over the HTTPS C2 channel.
  • T1486 – Data Encrypted for Impact: Encryption of user files and ransom note delivery.

Detection Opportunities

  • Monitor inbound mail for macro-enabled Office attachments from external domains, and alert on Office processes (for example winword.exe or excel.exe) spawning cmd.exe, powershell.exe, or other script hosts, which is the process tree the macro-based second-stage download produces.
  • Alert on writes to Run and RunOnce registry keys (Sysmon Event ID 13) whose value points into a user’s temp or download directory, and on executables created under %TEMP% that are subsequently registered for autostart.
  • Use threat intelligence feeds to identify the IP addresses and domains associated with the actor’s C2, but do not rely on them alone, because the dynamic DNS rotation means indicators age quickly; complement them with detection of regular-interval HTTPS connections to newly seen domains.
  • Aggregate outbound transfer volume per host and destination over time; chunked exfiltration that stays under per-transfer DLP thresholds is visible only in the cumulative volume.

Analyst Notes

This case underscores the evolving nature of ransomware threats, particularly against sectors such as healthcare that cannot absorb downtime. Continuous user education on recognizing phishing attempts, blocking macro execution in documents from the internet, and deploying EDR with coverage of the process-tree, registry, and network behaviours described above will be critical in mitigating future incidents. As attackers refine their tradecraft, security teams must remain vigilant and adaptable, combining behavioural detection with threat intelligence rather than relying on either alone.

Source: Original Report