The ELENOR-Corp ransomware group has recently targeted the healthcare sector with a new variant of Mimic ransomware. This version, identified as Mimic 7.5, was discovered during an investigation at a healthcare facility. The group is believed to have gained initial access using Clipper malware, a clipboard hijacker designed for credential theft. This malware likely allowed the attackers to re-enter the network and launch the ransomware attack, which also involved a cryptocurrency miner.
Once inside the environment, the attackers moved laterally across multiple servers by exploiting Remote Desktop Protocol (RDP).
Tools such as Process Hacker and IOBit Unlocker were used to compromise additional systems. The group deployed local accounts on the servers and attempted to propagate their access using a local administrator account. Other tools such as Mimikatz and NetScan were utilized for credential harvesting and network discovery, further facilitating their attack.
Mimic 7.5 features several advanced capabilities, such as bypassing system restrictions to maintain command-line access. It uses techniques like sticky keys for remote execution and forcibly unmounts virtual drives to hinder data recovery. Additionally, the ransomware encrypts network shares, destroys recovery backups, and displays a ransom note upon successful encryption.
Persistence is maintained by modifying registry keys and launching Notepad on each system reboot to show the ransom demand.
To defend against such attacks, Morphisec recommends securing RDP access with multi-factor authentication, monitoring for forensic tampering, and ensuring regular and secure offline backups. The cybersecurity firm also provided Indicators of Compromise (IoCs) to assist defenders in identifying and responding to similar threats. These measures are crucial for mitigating the risks posed by advanced ransomware campaigns like ELENOR-Corp.
