New cybercriminal group ELENOR-corp hits healthcare with advanced ransomware
Farah Amod
May 02, 2025

A new cybercriminal group called ELENOR-corp is targeting healthcare providers with an upgraded Mimic ransomware designed to bypass defenses and cripple recovery efforts.
What happened
A new ransomware group called ELENOR-corp has emerged, targeting the healthcare industry with a new variant of Mimic ransomware, cybersecurity firm Morphisec reported. The ransomware, identified as version 7.5, was discovered during an incident investigation at a healthcare provider. Researchers found that the attack appeared to follow an earlier infection involving Clipper malware, a Python-based clipboard hijacker used for credential theft and cryptocurrency mining.
Going deeper
The attackers first used Clipper malware to regain access to the victim's environment and quietly capture daily screenshots of user activity. About a week later, ELENOR-corp launched a ransomware attack using Mimic 7.5.
They gained access to several servers over Remote Desktop Protocol (RDP), created rogue user accounts, and used dedicated tooling to map the network. They also harvested credentials with Mimikatz and exfiltrated stolen files to Mega.nz through the Edge browser.
Mimic 7.5 introduced new capabilities: it could evade security controls, run commands remotely via hotkeys, unmount virtual drives, encrypt files on other machines, and disable recovery options. After encrypting files, it dropped ransom notes on desktops and modified startup settings so that the ransom message was displayed on every reboot.
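The intrusion chain above (RDP logon, then rogue account creation) is one that defenders can correlate from Windows Security events. The following is an added example, not code from the article or from Morphisec's report; the event records, account names, IP addresses and 30-minute window are constructed for illustration.

```python
"""Flag an RDP logon (event 4624, logon type 10) followed within a short
window by a new local account (event 4720) created by the same principal.
All events below are constructed samples, not real telemetry or IoCs."""
from datetime import datetime, timedelta

# Constructed sample events. Not real telemetry.
EVENTS = [
    {"ts": "2025-04-20T01:02:10", "id": 4624, "user": "svc_backup",
     "logon_type": 10, "src_ip": "203.0.113.7"},
    {"ts": "2025-04-20T01:05:41", "id": 4720, "subject": "svc_backup",
     "new_user": "support_tmp"},
    # Local console logon (type 2) followed by account creation: benign.
    {"ts": "2025-04-20T09:15:00", "id": 4624, "user": "jdoe",
     "logon_type": 2, "src_ip": "-"},
    {"ts": "2025-04-20T09:20:00", "id": 4720, "subject": "jdoe",
     "new_user": "intern01"},
    # RDP logon, but the account creation is hours later: outside window.
    {"ts": "2025-04-21T03:00:00", "id": 4624, "user": "admin",
     "logon_type": 10, "src_ip": "198.51.100.9"},
    {"ts": "2025-04-21T22:00:00", "id": 4720, "subject": "admin",
     "new_user": "late_user"},
]


def parse_ts(s):
    return datetime.fromisoformat(s)


def find_rdp_then_account_creation(events, window=timedelta(minutes=30)):
    """Return (new_user, actor, src_ip) tuples for every account created by a
    principal whose most recent RDP logon (type 10) fell within `window`."""
    last_rdp = {}  # actor -> (logon time, source IP) of latest RDP logon
    hits = []
    for ev in sorted(events, key=lambda e: parse_ts(e["ts"])):
        if ev["id"] == 4624 and ev.get("logon_type") == 10:
            last_rdp[ev["user"]] = (parse_ts(ev["ts"]), ev["src_ip"])
        elif ev["id"] == 4720:
            rdp = last_rdp.get(ev["subject"])
            if rdp and parse_ts(ev["ts"]) - rdp[0] <= window:
                hits.append((ev["new_user"], ev["subject"], rdp[1]))
    return hits


if __name__ == "__main__":
    for new_user, actor, src in find_rdp_then_account_creation(EVENTS):
        print(f"ALERT: {actor} created {new_user} shortly after RDP logon from {src}")
```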
What was said
Morphisec’s report advises healthcare organizations to tighten RDP configurations by enabling multi-factor authentication, monitoring for forensic tampering attempts, and ensuring secure offline backups of critical data. The report also provides detailed indicators of compromise (IoCs) to assist network defenders in detecting and mitigating threats.
FAQs
How does Clipper malware typically operate?
Clipper malware monitors a victim’s clipboard activity to steal sensitive information like copied passwords or cryptocurrency wallet addresses.
What makes Mimic 7.5 different from earlier ransomware strains?
Mimic 7.5 includes features that sabotage recovery efforts, such as disabling Windows Recovery environments and forcibly unmounting network drives, making restoration harder after an attack.
What are indicators of a possible ransomware infection?
Early warning signs can include unexpected system slowdowns, unauthorized account creation, changes to file extensions, and disabled security tools.
How can healthcare organizations detect Clipper malware before it escalates?
Proactive clipboard monitoring, behavioral anomaly detection, and regular endpoint scans can help spot Clipper malware activity early.
What steps should organizations take immediately after detecting a breach?
Isolate affected systems, preserve forensic evidence, disable compromised accounts, alert incident response teams, and notify regulators if sensitive data is involved.