ELENOR-Corp Ransomware Group Targets Healthcare with New Mimic Ransomware Variant
The healthcare sector is being targeted by a new ransomware group called ELENOR-corp, according to the cybersecurity firm Morphisec. Researchers determined that ELENOR-corp was using a new version of Mimic ransomware (version 7.5), a ransomware strain first identified in 2022.
The new variant was identified during an incident investigation at a healthcare victim and appears to be linked to an earlier Clipper malware infection. Clipper malware is a Python-based clipboard hijacker used for credential theft; in this case it was installed alongside a cryptocurrency miner, took daily snapshots of user activity, and is thought to have given the attackers a way back into the victim's environment. The researchers determined with a high degree of probability that the Clipper malware had been deployed by the same threat actors. Initial access was gained around a week before the ransomware payload was deployed.
After gaining access to the healthcare provider's environment, the group moved laterally over Remote Desktop Protocol (RDP) and compromised multiple servers, bringing along utilities such as Process Hacker and IObit Unlocker (a process manager and a file-unlocking tool, commonly used by ransomware operators to kill processes and release locked files). The attackers created local accounts on the compromised servers and attempted to propagate further using a local administrator account. Other tooling included NetScan for network discovery, Mimikatz for credential harvesting, PEView for inspecting executables, Mssm.exe for creating persistent services, and the Microsoft Edge browser for uploading stolen data to Mega.nz.
Mimic 7.5 adds several functions. It ensures command-line access regardless of system restrictions, which supports the Sticky Keys technique: an accessibility helper reachable from the Windows logon screen is hijacked so that commands can be executed, locally or over RDP, without supplying any user credentials. The ransomware also forcibly unmounts virtual drives to prevent data from being hidden there, encrypts remote network shares using Windows APIs, and destroys the Windows Recovery Environment and system state backups to hinder recovery. After encrypting files it drops a ransom note on the Desktop and establishes registry-based persistence that launches Notepad to display the note each time the device reboots. It also writes the ransom demand into the Windows Legal Notice registry values, so the demand is shown at the logon screen before any user signs in.
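The persistence and logon-screen techniques described above can be hunted for on a Windows host with a read-only check. The PowerShell below is an added example written for this article, not code from Morphisec or from the Mimic sample. It assumes the standard Windows locations for each technique (an Image File Execution Options "Debugger" value or a replaced binary for the Sticky Keys hijack, the Policies\System legal notice values, and Run/RunOnce values that invoke Notepad on a .txt file); the exact value names and ransom note file name used by Mimic 7.5 are not given in the report excerpt, so the checks target the generic technique rather than a named IoC.

```powershell
# Added example (not Morphisec's or Mimic's code): read-only hunt for Mimic-style
# registry persistence. Assumed locations are the standard ones for each technique.
# Run elevated for full coverage (reagentc/bcdedit need it; HKCU covers only this user).

function Find-MimicStylePersistence {
    $findings = New-Object System.Collections.Generic.List[object]
    function Add-Finding($check, $detail) {
        $findings.Add([pscustomobject]@{ Check = $check; Detail = $detail })
    }

    # 1. Sticky Keys / accessibility-binary hijack. Two common implementations (assumed; the
    #    article only says Mimic 7.5 enables the technique): an IFEO "Debugger" value that
    #    redirects the binary to a shell, or the binary itself replaced on disk by cmd.exe.
    $accessibilityBins = 'sethc.exe','utilman.exe','osk.exe','narrator.exe','magnify.exe','displayswitch.exe'
    $cmdHash = (Get-FileHash "$env:SystemRoot\System32\cmd.exe" -Algorithm SHA256).Hash
    foreach ($bin in $accessibilityBins) {
        $ifeo = "HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\$bin"
        $debugger = (Get-ItemProperty -Path $ifeo -Name Debugger -ErrorAction SilentlyContinue).Debugger
        if ($debugger) { Add-Finding 'IFEO Debugger set on accessibility binary' "$bin -> $debugger" }

        $path = "$env:SystemRoot\System32\$bin"
        if ((Test-Path $path) -and ((Get-FileHash $path -Algorithm SHA256).Hash -eq $cmdHash)) {
            Add-Finding 'Accessibility binary replaced by cmd.exe' $path
        }
    }

    # 2. Ransom demand shown at logon via the Legal Notice policy values. These are also the
    #    legitimate logon-banner settings, so compare the text against your approved banner
    #    instead of treating any non-empty value as malicious.
    $policy = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System' -ErrorAction SilentlyContinue
    foreach ($name in 'legalnoticecaption','legalnoticetext') {
        $value = [string]$policy.$name
        if ($value) { Add-Finding "Legal notice value '$name' is set" $value.Substring(0, [Math]::Min(120, $value.Length)) }
    }

    # 3. Run / RunOnce entries that open Notepad on a text file at every boot or logon.
    #    Assumption from the article: the value's command is notepad plus a note path.
    $runKeys = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
        'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run',
        'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
        'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
    )
    foreach ($key in $runKeys) {
        $props = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
        if (-not $props) { continue }
        foreach ($p in $props.PSObject.Properties) {
            if ($p.Name -like 'PS*') { continue }   # skip PSPath/PSParentPath/... provider metadata
            if ("$($p.Value)" -match '(?i)notepad(\.exe)?.*\.txt') {
                Add-Finding 'Run key launches Notepad on a text file' "$key\$($p.Name) = $($p.Value)"
            }
        }
    }

    # 4. Recovery environment and boot recovery. The article says Mimic 7.5 destroys WinRE;
    #    reagentc and bcdedit need elevation, so a failure is reported as skipped, not clean.
    try {
        $re = (& reagentc.exe /info 2>&1) | Out-String
        if ($re -match 'Windows RE status:\s*Disabled') { Add-Finding 'Windows Recovery Environment disabled' 'reagentc /info' }
        elseif ($re -notmatch 'Windows RE status') { Add-Finding 'Recovery check skipped' 'reagentc returned no status (run elevated)' }
        $bcd = (& bcdedit.exe /enum '{current}' 2>&1) | Out-String
        if ($bcd -match 'recoveryenabled\s+No') { Add-Finding 'Boot recovery disabled' 'bcdedit recoveryenabled No' }
    } catch { Add-Finding 'Recovery check skipped' $_.Exception.Message }

    return $findings
}

$results = Find-MimicStylePersistence
if ($results.Count -eq 0) { Write-Host 'No Mimic-style persistence indicators found.' }
else { $results | Format-Table -AutoSize }
```

The script changes nothing; it only reads registry values, file hashes and recovery status, so it is safe to push through a remote-execution tool across a fleet. Expect benign hits on the legal notice values where a logon banner is deployed by policy, and remember that a clean HKCU result says nothing about other users' profiles on the same host.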
Morphisec recommends hardening RDP configurations, including multi-factor authentication, monitoring for anti-forensic tampering such as the disabling of recovery features and the deletion of backups, and keeping backups of all critical data that are stored securely offline. The report and analysis include indicators of compromise (IoCs) for network defenders.