Keypoints
- Qilin (Agenda) attacked Synnovis in June 2024, leaking ~400 GB and data on ~900,000 patients after a failed ransom demand and causing severe clinical disruption.
- Common initial access vectors across groups include phishing, exposed RDP/Citrix/VPN gateways, exploiting known vulnerabilities (e.g., CVE-2023-3519, Log4Shell), and purchased/stolen credentials.
- Credential theft techniques (LSASS dumps via ProcDump, Mimikatz, memory scraping) and Cobalt Strike are repeatedly used for persistence, privilege escalation, and lateral movement.
- Adversaries often perform defense-evasion (clearing event logs, disabling Windows Defender, deleting Volume Shadow Copies) prior to encryption or data exfiltration.
- Some groups (RansomHouse) focus on pure data theft and extortion without encryption, using tools like 7-Zip and rclone to prepare and exfiltrate archives to cloud services.
- Logpoint provides specific alert rules mapped to MITRE techniques to detect stages like credential access, lateral movement, defense evasion, exfiltration, and high-volume file modification.
- Recommended defensive measures for UK healthcare include prioritizing critical systems, tuned alert thresholds, layered detection (network, endpoint, logs, UEBA), MFA/JIT access, segmentation, immutable backups, and continuous staff training.
MITRE Techniques
- [T1078] Valid Accounts - Used via stolen or purchased credentials and RDP/VPN access: "stealing or purchasing valid credentials (acting as an initial access broker)".
- [T1566] Phishing - Phishing emails are frequently used for initial access: "phishing emails carrying malware" and "phishing, malicious email attachments".
- [T1210] Exploitation of Remote Services - Exploiting exposed services and CVEs (e.g., Citrix ADC CVE-2023-3519, Log4Shell) to gain initial access: "exploiting a Citrix ADC VPN flaw CVE-2023-3519" and "exploit unpatched vulnerabilities (such as the Log4j 'Log4Shell' flaw)".
- [T1055] Process Injection / Process Hollowing - Used to evade defenses and run malicious code in legitimate processes: "Process Hollowing Detected" and "Identifies code injection into legitimate processes".
- [T1003] OS Credential Dumping - Memory scraping of LSASS using Mimikatz or ProcDump to harvest credentials: "dumping LSASS memory, or using tools like Mimikatz or ProcDump to grab user passwords".
- [T1021] Remote Services (PsExec, RDP, SMB) - Lateral movement using PsExec, RDP, SMB or remote admin tools: "move laterally via PsExec, RDP or even remote tools like AnyDesk and TightVNC".
- [T1071] Application Layer Protocol (C2 with Cobalt Strike) - Use of Cobalt Strike beacons for command-and-control and persistence: "use tools like Cobalt Strike beacons for persistence".
- [T1490] Inhibit System Recovery (Shadow Copy Deletion) - Deleting Volume Shadow Copies to prevent recovery: "deleting Volume Shadow Copies to inhibit backups" and "Shadow Copy Deletion Using OS Utilities Detected".
- [T1112] Modify Registry (Disable Security Tools) - Disabling Windows Defender via registry or other means to evade detection: "Windows Defender Antivirus Disable Detected" and "Suspicious Windows Defender Registry Keys Modification".
- [T1070] Indicator Removal on Host (Event Log Clearing) - Clearing event logs to remove forensic evidence: "Eventlog Cleared Detected" and "Triggers on actions like wevtutil used to wipe forensic logs".
- [T1041] Exfiltration Over C2 Channel / Cloud Storage - Exfiltration to cloud services (Mega, Dropbox) or using rclone: "Exfiltration over Cloud Application Detected" and "RClone Utility Execution".
- [T1486] Data Encrypted for Impact - Ransomware encryption campaigns producing high volumes of file modifications: "High Volume of File Modification or Deletion in a Short Span" and references to AES/ChaCha20/AES+RSA-4096 usage.
- [T1098] Account Manipulation (Scheduled Tasks / Admin Account Creation) - Creation of scheduled tasks or admin accounts for persistence: "Scheduled Task Creation Detected" and "Suspicious Admin Account Creation Detected".
Indicators of Compromise
- [File Names / Tools] Credential theft and exfiltration tools - examples: Mimikatz, ProcDump, rclone, and 7-Zip (used to compress data for exfiltration).
- [Domains / Cloud Services] Cloud storage exfiltration destinations - examples: Mega, Dropbox (noted as targets for uploaded exfiltrated data).
- [Vulnerabilities / CVEs] Exploited vulnerabilities - example: CVE-2023-3519 (Citrix ADC), and Log4Shell (Log4j) exploitation noted.
- [Behavioral IOCs] High-volume file modification and shadow copy deletion - context: observed prior to encryption; "30 file modifications or deletions within 1 minute" and vssadmin/wmic shadow copy deletion activity.
- [Events / Logs] Event log clearing and Defender tampering - context: attackers clear Windows event logs (Event ID 1102/104 referenced) and disable or modify Windows Defender settings/registry keys.
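The detections listed under MITRE Techniques and Indicators of Compromise above (shadow copy deletion, event log clearing, Defender tampering, LSASS access, rclone exfiltration, and the "30 file modifications within 1 minute" threshold) can be expressed as simple rules over endpoint telemetry. The script below is an added illustration, not Logpoint's rule language or code: it runs each rule over constructed, simplified event records whose field names (ts, host, event_id, image, command_line, target_image, registry_key, target_filename) are assumptions modelled on Sysmon and Windows Security event fields, and the sample events are invented for the demonstration.

```python
"""Toy detection rules for the ransomware stages summarised above.

Added example, not Logpoint's code. Event records are constructed dicts with
Sysmon/Windows-style fields; event IDs follow Sysmon (1 process create,
10 process access, 11 file create, 13 registry value set, 23 file delete)
and Windows (1102/104 log cleared) conventions.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta
import ntpath

WINDOW_SECONDS = 60      # behavioural IOC from the page: 30 file ops in 1 minute
FILE_OP_THRESHOLD = 30


def _ts(e):
    return datetime.fromisoformat(e["ts"])


def _basename(path):
    # ntpath handles Windows paths regardless of the host OS running this script
    return ntpath.basename(path or "").lower()


def detect_shadow_copy_deletion(events):
    """T1490: vssadmin/wmic used to delete Volume Shadow Copies."""
    hits = []
    for e in events:
        cmd = (e.get("command_line") or "").lower()
        if _basename(e.get("image")) in ("vssadmin.exe", "wmic.exe") and (
                "delete shadows" in cmd or "shadowcopy delete" in cmd):
            hits.append(e)
    return hits


def detect_eventlog_cleared(events):
    """T1070: Security log cleared (1102) or System log cleared (104)."""
    return [e for e in events if e.get("event_id") in (1102, 104)]


def detect_defender_tamper(events):
    """T1112: registry value set under the Defender policy key that disables protection."""
    hits = []
    for e in events:
        key = (e.get("registry_key") or "").lower()
        if e.get("event_id") == 13 and "windows defender" in key and (
                "disableantispyware" in key or "disablerealtimemonitoring" in key):
            hits.append(e)
    return hits


def detect_lsass_access(events):
    """T1003: a process opening a handle to lsass.exe (ProcDump/Mimikatz style)."""
    return [e for e in events if e.get("event_id") == 10
            and _basename(e.get("target_image")) == "lsass.exe"]


def detect_rclone_exfil(events):
    """T1041: rclone copying/syncing data to a remote (cloud storage)."""
    hits = []
    for e in events:
        cmd = (e.get("command_line") or "").lower()
        if _basename(e.get("image")) == "rclone.exe" and any(
                verb in cmd for verb in (" copy ", " sync ", " move ")):
            hits.append(e)
    return hits


def detect_high_volume_file_ops(events, threshold=FILE_OP_THRESHOLD, window=WINDOW_SECONDS):
    """T1486: at least `threshold` file create/delete events on one host within `window` seconds.
    Sliding window per host; one hit per host, raised the first time the threshold is crossed."""
    recent = defaultdict(deque)
    hits = {}
    for e in sorted(events, key=_ts):
        if e.get("event_id") not in (11, 23):
            continue
        q = recent[e["host"]]
        q.append(_ts(e))
        while (q[-1] - q[0]).total_seconds() > window:
            q.popleft()
        if len(q) >= threshold and e["host"] not in hits:
            hits[e["host"]] = {"host": e["host"], "count": len(q),
                               "first": q[0].isoformat(), "last": q[-1].isoformat()}
    return list(hits.values())


def _file_burst(host, start, n):
    """Constructed burst of n file-create events one second apart (sample data only)."""
    t0 = datetime.fromisoformat(start)
    return [{"ts": (t0 + timedelta(seconds=i)).isoformat(), "host": host, "event_id": 11,
             "target_filename": f"C:\\Shares\\Lab\\report_{i}.docx.locked"} for i in range(n)]


# Constructed sample telemetry; hostnames, paths and timestamps are invented.
SAMPLE_EVENTS = [
    {"ts": "2024-06-03T02:10:05", "host": "lab-srv1", "event_id": 1,
     "image": "C:\\Windows\\System32\\vssadmin.exe", "command_line": "vssadmin delete shadows /all /quiet"},
    {"ts": "2024-06-03T02:10:07", "host": "lab-srv1", "event_id": 1,
     "image": "C:\\Windows\\System32\\wbem\\WMIC.exe", "command_line": "wmic shadowcopy delete"},
    {"ts": "2024-06-03T02:11:00", "host": "lab-srv1", "event_id": 1102},
    {"ts": "2024-06-03T02:11:01", "host": "lab-srv1", "event_id": 104},
    {"ts": "2024-06-03T02:09:30", "host": "lab-srv1", "event_id": 13,
     "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\Windows Defender\\DisableAntiSpyware"},
    {"ts": "2024-06-03T01:55:12", "host": "lab-dc1", "event_id": 10,
     "image": "C:\\Tools\\procdump64.exe", "target_image": "C:\\Windows\\System32\\lsass.exe"},
    {"ts": "2024-06-03T01:40:00", "host": "lab-fs1", "event_id": 1,
     "image": "C:\\Users\\Public\\rclone.exe", "command_line": "rclone.exe copy D:\\Export mega:backup --transfers 8"},
    {"ts": "2024-06-03T01:41:00", "host": "lab-ws2", "event_id": 1,
     "image": "C:\\Windows\\System32\\notepad.exe", "command_line": "notepad.exe C:\\notes.txt"},
] + _file_burst("lab-fs1", "2024-06-03T02:12:00", 30) + _file_burst("lab-ws2", "2024-06-03T02:12:00", 10)


def run_all(events=SAMPLE_EVENTS):
    """Hit count per technique, the shape an alert summary would take."""
    return {
        "T1490 shadow copy deletion": len(detect_shadow_copy_deletion(events)),
        "T1070 event log cleared": len(detect_eventlog_cleared(events)),
        "T1112 defender tamper": len(detect_defender_tamper(events)),
        "T1003 lsass access": len(detect_lsass_access(events)),
        "T1041 rclone exfil": len(detect_rclone_exfil(events)),
        "T1486 high-volume file ops": len(detect_high_volume_file_ops(events)),
    }


if __name__ == "__main__":
    for name, count in run_all().items():
        print(f"{name}: {count}")
```

Running the script reports two shadow copy deletions, two log-clearing events, one Defender policy change, one LSASS access, one rclone transfer, and one host (lab-fs1) crossing the 30-files-per-minute threshold; the 10-file burst on lab-ws2 stays below it, which is the point of the page's advice to tune thresholds per host rather than alert on any file activity. In a real deployment the sliding window should also key on the user and on file extensions or entropy, and the Defender rule should cover the Sysmon 13 events for the real-time protection subkeys, not only the two values matched here.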
Read more: https://logpoint.com/en/blog/comprehensive-ransomware-detection-for-uk-public-healthcare