According to the cybersecurity company Morphisec, a new ransomware group known as ELENOR-corp is targeting the healthcare sector. Researchers confirmed that ELENOR-corp is utilizing version 7.5 of Mimic ransomware, a ransomware strain first discovered in 2022.
The new ransomware variant was discovered during a breach investigation at a healthcare entity and appears to be linked to an earlier Clipper malware attack. Clipper malware is a Python-based clipboard hijacker. It is installed alongside a cryptocurrency miner and takes daily snapshots of user activity, which allows the attackers to harvest user credentials and re-enter the victim's system. The researchers confirmed that the same threat actors deployed the Clipper malware, and that initial access was obtained about a week before the ransomware payload was deployed.
After gaining access to the healthcare organization's environment, the group moved laterally and breached several servers over Remote Desktop Protocol (RDP), using tools such as IOBit Unlocker and Process Hacker. The attackers created local accounts on the breached servers and attempted to propagate using a local admin account. The group also used Mimikatz for credential harvesting, NetScan for network discovery, Mssm.exe to create persistent services, PEView to inspect executables, and the Edge browser to upload stolen data to Mega.nz.
Mimic 7.5 adds the following capabilities:
- command-line access regardless of system restrictions
- support for the sticky-keys technique, which allows remote command execution without valid user credentials
- deliberate unmounting of virtual drives so that hidden data is not left stored on them
- use of Windows APIs to encrypt remote network shares
- removal of Windows recovery settings and system state backups
After encrypting files, the attacker places a ransom note on the Desktop and sets up registry-based persistence that launches Notepad on every restart to display the note. The ransomware also writes the ransom note into the Windows Legal Notice registry values so that it is shown on the system login screen.
Morphisec advises tightening RDP controls with multi-factor authentication, checking for signs of forensic tampering, and backing up all critical data to safe offline storage. Implementing HIPAA-aligned encryption is also recommended. The report includes Indicators of Compromise (IoCs) for defenders.
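As an added defender-side check that is not part of the original article or Morphisec's report, the following PowerShell audit covers the two persistence locations described above (an autorun that opens the ransom note in Notepad, and the logon legal-notice values) and the RDP hardening advice (Network Level Authentication). The registry paths are the standard Windows Run/RunOnce, logon-policy and RDP-Tcp keys; the Notepad-plus-text-file pattern is an assumption, since the article does not give the exact autorun value the ransomware writes.

```powershell
# Added audit example (not from the Morphisec report). Run as an administrator on
# a Windows host. Assumed paths are the standard Windows registry locations.
$runKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
)

$findings = @()

# 1. Autorun entries that launch Notepad against a text file: the article describes
#    exactly this pattern for redisplaying the ransom note after each restart.
#    (Assumed pattern; real entries may use a different viewer or file extension.)
foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    $props = Get-ItemProperty -Path $key
    foreach ($p in $props.PSObject.Properties) {
        if ($p.Name -like 'PS*') { continue }   # skip PowerShell provider metadata
        $cmd = [string]$p.Value
        if ($cmd -match '(?i)notepad(\.exe)?\s+.*\.txt') {
            $findings += [pscustomobject]@{
                Check    = 'Autorun launches Notepad with a text file'
                Location = "$key\$($p.Name)"
                Value    = $cmd
            }
        }
    }
}

# 2. Logon legal-notice caption/text. Many organizations set an approved banner here,
#    so compare the reported text against your known-good banner rather than
#    treating any value as malicious.
$policyKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
$policy = Get-ItemProperty -Path $policyKey -ErrorAction SilentlyContinue
foreach ($name in 'legalnoticecaption', 'legalnoticetext') {
    $val = $policy.$name
    if (-not [string]::IsNullOrWhiteSpace($val)) {
        $findings += [pscustomobject]@{
            Check    = 'Logon legal notice is set (verify against approved banner)'
            Location = "$policyKey\$name"
            Value    = $val
        }
    }
}

# 3. RDP hardening: Network Level Authentication should be enabled (UserAuthentication = 1).
$rdpKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp'
$rdp = Get-ItemProperty -Path $rdpKey -ErrorAction SilentlyContinue
if ($rdp -and $rdp.UserAuthentication -ne 1) {
    $findings += [pscustomobject]@{
        Check    = 'RDP Network Level Authentication is disabled'
        Location = "$rdpKey\UserAuthentication"
        Value    = $rdp.UserAuthentication
    }
}

if ($findings.Count -eq 0) {
    'No findings.'
} else {
    $findings | Format-Table -AutoSize -Wrap
}
```

The legal-notice check deliberately reports any non-empty value instead of trying to guess ransom-note wording: a banner that differs from the one your policy sets is the signal, and that comparison belongs to the operator. On a fleet, the same three checks map naturally to an EDR or configuration-management query rather than a per-host script.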
Image credit: utah51, AdobeStock