Ransomware attacks have become a relentless threat to the healthcare sector, exposing sensitive patient data, disrupting life-saving treatments, and placing lives at risk. With healthcare systems underfunded and critical infrastructure vulnerable, cybercriminals find this sector an easy and lucrative target. 

In recent years, ransomware attacks have not only caused financial losses but have also shaken public trust in healthcare organizations. Hospitals, medical service providers, and even blood donation centers have been hit, leaving a trail of chaos. 

This article highlights how healthcare organizations can benefit from ANY.RUN‘s Interactive Sandbox and Threat Intelligence Lookup to identify, investigate, and analyze ransomware attacks, using a real-world case study of the Interlock ransomware group. 

The Impact of Ransomware on Healthcare 

Before we dive deeper into how ANY.RUN helps counter such threats, let’s examine how devastating ransomware attacks can be across the healthcare sector. 

What’s at stake? 

• Loss of patient trust: Exposed personal and health information undermines confidence in healthcare providers. 

• Operational disruption: Hospitals and medical facilities are forced to halt services, delaying critical treatments. 

• Financial strain: Organizations face ransom demands, legal fees, and recovery costs, compounding the impact. 

Why Healthcare Is a Prime Target 

1. Sensitive data: Patient records are incredibly valuable on the black market. Ransomware groups exploit this by encrypting data and demanding payments for decryption. 

2. Critical infrastructure: Many healthcare systems cannot afford prolonged downtime due to their role in patient care. 

3. Underfunded cybersecurity: Many healthcare providers operate on tight budgets, often prioritizing patient services over robust IT defenses. 

4. Slow detection: A common issue is the inability to identify and respond to attacks in their early stages, which allows ransomware to spread undetected. 

Interlock Group: Active Ransomware Threat to Healthcare 

Interlock is a ransomware actor that engages in double-extortion. 

In late 2024, the Interlock ransomware group launched targeted attacks against multiple healthcare facilities in the United States, causing significant disruptions and exposing sensitive patient data: 

• Brockton Neighborhood Health Center: Breached on October 20, 2024, undetected until December 17, 2024. 

• Legacy Treatment Services: Attack detected on October 26, 2024. 

• Drug and Alcohol Treatment Service: Breach discovered on October 24, 2024. 

How ANY.RUN Helps at Different Stages of Interlock Attacks

ANY.RUN provides healthcare organizations with proactive tools to analyze and investigate ransomware attacks at various stages. 

Let’s discover how by having a look at the Interlock ransomware group. The stages of the attack are taken from one of the most detailed reports on the threat from Talos, released on January 14, 2025. 

1. Initial Compromise (TA0001) 

At this stage, the Interlock ransomware group uses the Drive-by Compromise technique to gain access to the victim’s infrastructure. 

Drive-by Compromise: How It Happened 

The Interlock ransomware group either compromised or newly registered a phishing website, as evidenced by recent registration data in Whois. This phishing site was designed to appear as a news feed, complete with links for downloading software. Unwary users visiting the site were tricked into downloading malicious files. 

Here is how ANY.RUN’s Threat Intelligence Lookup could be used by analysts at this stage of the attack. 

Early Detection of Malicious Domains 

By querying the domain apple-online.shop, ANY.RUN found that users first flagged and analyzed the website on September 6, 2024, almost a month before public mentions of the group appeared in this report.

This means ANY.RUN detected suspicious activity nearly two months before the Talos report was published. 

Thanks to ANY.RUN’s access to public samples of the latest cyber threats from around the world, users of TI Lookup were able to identify Interlock’s domain as malicious before public reports. With such early detection, healthcare organizations can take preventative measures long before public alerts are raised. 

Understanding Website Content 

With the help of ANY.RUN’s Interactive Sandbox, you can view how the malicious website looked like and what content was used to deceive users. By analyzing such sites, healthcare organizations can train employees to recognize and avoid similar threats in the future. 

View analysis session 

The virtual machine allows anyone to see the behavior of this threat and interact with it in real time. 

Expanding on Known Threat Information 

ANY.RUN’s data can also enrich users’ existing knowledge of the attack.  

While reports stated that the attackers used malware disguised as a Google Chrome updater, ANY.RUN uncovered additional tactics, such as mimicking MSTeams and MicrosoftEdge updates (evident in filenames like MSTeamsSetup.exe and MicrosoftEdgeSetup.exe). 

This shows that by identifying alternative disguises used for malware, ANY.RUN equips organizations to anticipate a broader range of file disguises utilized by Interlock. 

IOCs and File Analysis 

Reports mentioned a specific file named upd_2327991.exe used in the attack. ANY.RUN’s database reveals additional files with similar naming conventions, such as: 

• upd_8816295.exe 

• upd_1416836.exe 

This suggests that the attackers generated file names using random alphanumeric patterns. Each file had distinct hash values (SHA256), which serve as unique Indicators of Compromise (IOCs): 

• 8d911ef72bdb4ec5b99b7548c0c89ffc8639068834a5e2b684c9d78504550927 

• 97105ed172e5202bc219d99980ebbd01c3dfd7cd5f5ac29ca96c5a09caa8af67 

The analysis showed that with the help of ANY.RUN’s TI Lookup and Interactive Sandbox, healthcare organizations facing Interlock ransomware attacks could: 

• Discover the Start Date of Attacks: Get information about the first activities of the attacking group, which often happen before public reports.  

• Study the Attacker’s Setup: Identify the domains, IP addresses, and other parts of the attacker’s setup to learn more about their tactics and methods.  

• Improve Detection Systems: Collect additional IOCs to configure defensive mechanisms and improve attack detection. 

2. TA0002: Execution

Once attackers gain initial access, the Execution phase begins. This stage involves deploying malicious payloads or executing harmful commands on the compromised device. In the Interlock ransomware attacks, users unknowingly launch a fake updater file, triggering the execution of malware and allowing attackers to establish control over the victim’s system. 

How Interlock Group Executes Their Attacks

The reports revealed that the attackers leveraged Remote Access Tools (RATs), which provided them with full control of the infected machine. By disguising these RATs as legitimate software, such as Chrome, MSTeams, or Microsoft Edge updaters, the attackers ensured that their actions remained unnoticed until significant damage was done. 

Detecting Encrypted URLs in Fake Updaters

With ANY.RUN Sandbox, analysts could uncover that the fake-updater contained encrypted URLs used to communicate with the attackers’ infrastructure. For example, the xor-url tag in ANY.RUN revealed hidden URLs within the malware’s configuration files. 

View analysis session 

By clicking on the CFG (Configuration) option in the sandbox, analysts can view decrypted URLs. These insights provide actionable intelligence about the malware’s communication methods and help identify similar patterns in future attacks. 

Using YARA Search to Find More Samples

ANY.RUN’s YARA Search functionality allowed researchers to create a rule for detecting RAT samples linked to the attack.  

Here’s an example of a YARA rule tailored for identifying Interlock’s disguised RAT samples: 

rule Interlock_RAT {  

    strings:  

        $ = "/MSTeamsSetup.exe\" xor  

        $ = "/ChromeSetup.exe\" xor  

        $ = "/MicrosoftEdgeSetup.exe\" xor  

    condition:  

        any of them  

} 

This YARA rule uncovered over 44 new malicious files, each representing a new indicator.

These IOCs can be added to detection systems, expanding the scope of protection. 

Discovering Additional IOCs 

In addition to detecting malicious files, ANY.RUN’s sandbox session revealed network IOCs such as URLs and IP addresses that previously were not covered in other reports. 

The URL shown above was not included in the detailed report from Talos.  

Had the organizations encountering this URL and payload used ANY.RUN’s Interactive Sandbox, they would be able to run the RAT in a safe virtual environment and see its malicious nature. This could have prevented them from detonating the payload on their own systems. 

During Execution, ANY.RUN helps users: 

• Discover IOCs: Find additional file and network IoCs, including those found in configurations. 

• Find Unknown Threats: Discover previously unknown threats. 

• Analyze Threats: Safely explore suspicious URLs and detonate payloads. 

3. TA0006: Credential Access 

Once attackers gain the ability to execute commands on a compromised system, their next move often involves stealing access credentials. In the Interlock ransomware attack, the group employed a custom stealer tool to gather and exfiltrate these credentials. 

How Credential Stealing Works in This Attack

• The attackers’ stealer was designed to collect sensitive data, including usernames, passwords, and other access credentials. 

• According to vendor reports, the stolen data was stored in a file named “chrgetpdsi.txt.” This file served as a repository for harvested credentials before exfiltration. 

Let’s use TI Lookup to find more information on the stealer:  

As a result, we see that the Stealer had been detected by ANY.RUN as early as August 2024, well before users began investigating the compromised domain. 

Early detection of malicious tools like this Stealer provides security teams with actionable intelligence to defend against evolving threats. 

4. TA0008: Lateral Movement 

At the Lateral Movement phase, attackers aim to spread across the network, gaining access to additional systems and resources.  

The Interlock ransomware group moved laterally within networks using legitimate remote administration tools like Putty, Anydesk, and RDP. These tools are often abused by attackers to access additional systems undetected. 

The ANY.RUN Sandbox excels at identifying the presence of these tools when they are abused for malicious purposes.

By executing suspicious files in a controlled environment, ANY.RUN can: 

• Detect the execution of Putty, Anydesk, or RDP-related activities. 

• Provide detailed insights into how these tools are being used by attackers. 

5. TA0010: Data Exfiltration 

In the Data Exfiltration phase, attackers transfer stolen data out of the victim’s network. The Interlock ransomware group used Azure cloud storage to exfiltrate data. 

Inside the ANY.RUN sandbox, you can see the system configuration data being sent to a Command and Control (C2) server via the RAT. 

ANY.RUN captures data sent by the RAT to attacker-controlled servers. For this example, logs revealed information sent to IP 217[.]148[.]142[.]19 over port 443: 

Using tools like CyberChef, we can decrypt the logged traffic (e.g., XOR-encrypted data) to identify what attackers exfiltrated. 

Thus, during the Data Exfiltration phase, ANY.RUN Sandbox logs traffic sent to external systems, allowing analysts to identify exactly what data is being transmitted to the attacker’s server. 

ANY.RUN’s Key Benefits for Healthcare Organizations

ANY.RUN empowers healthcare organizations with fast, safe, and effective tools to investigate and analyze cyber threats: 

• Pin malicious indicators to actual threats to gain a better understanding of the risks your organization is facing.  
• Receive in-depth reports with IOCs, TTPs, and malware behavior summaries. 
• Simplify and speed up threat analysis for SOC team members at all levels, saving time and increasing productivity.
• Accelerate the alert triage process and reduce the workload through fast operation speeds, a user-friendly interface, and smart automation.
• Safely examine sensitive data in a private mode, ensuring compliance with cybersecurity and data protection requirements.
• Gain access to detailed insights into malware’s behavior and better understand threats to streamline incident response.
• Collaborate with team members, share results, and coordinate efforts efficiently during incident handling.
• Optimize the cost of responding to incidents by accessing detailed data with ANY.RUN’s interactive analysis, which helps in developing new detection and protection methods.

Conclusion 

ANY.RUN can be an invaluable tool at various stages of ransomware attacks. During incident investigations, TI Lookup can provide critical data on the threat at hand. Running malware in the ANY.RUN Sandbox before executing it on a local machine allows for a proactive identification of the threat and thorough analysis of its behavior.

By combining ANY.RUN’s tools, healthcare organizations can not only enhance the understanding of the threats’ capabilities but also ensure that they are identified and mitigated effectively. 

About ANY.RUN

ANY.RUN helps more than 500,000 cybersecurity professionals worldwide. Our interactive sandbox simplifies malware analysis of threats that target both Windows and Linux systems. Our threat intelligence products, TI Lookup, YARA Search, and Feeds, help you find IOCs or files to learn more about the threats and respond to incidents faster.

Request free trial of ANY.RUN’s services → 

The post How ANY.RUN Helps Healthcare Organizations Against Ransomware: Interlock Case Study appeared first on ANY.RUN’s Cybersecurity Blog.

ANY.RUN’s Cybersecurity Blog – ​Read More

• Cisco Talos discovered an ongoing malicious campaign operated by a financially motivated threat actor since as early as July 2024 targeting users, predominantly in Poland and Germany, based on the phishing email language. 
• The actor has delivered different payloads, including Agent Tesla, Snake Keylogger, and a new undocumented backdoor we are calling TorNet, dropped by PureCrypter malware.  
• The actor is running a Windows scheduled task on victim machines—including on endpoints with a low battery—to achieve persistence.  
• The actor also disconnects the victim machine from the network before dropping the payload and then connects it back to the network, allowing them to evade detection by cloud antimalware solutions.  
• We also found that the actor connects the victim’s machine to the TOR network using the TorNet backdoor for stealthy command and control (C2) communications and detection evasion. 

The campaign 

The intrusions start with a phishing email as the initial infection vector. The actor is impersonating financial institutions and manufacturing and logistics companies by sending fake money transfer confirmations and fake order receipts, respectively. The phishing emails are predominantly written in Polish and German, indicating actor’s intent to primarily target users in those countries. We also found some phishing email samples from the same campaign written in English. We assess with medium confidence that the actor is financially motivated, based on the phishing email themes and the filenames of the email attachments.  

The phishing email has attachments with the file extension “.tgz”, indicating that the actor has used GZIP to compress the TAR archive of the malicious attachment file to disguise the actual malicious content of the attachment and evade email detections. 

When a user opens the compressed email attachment and manually unzips it and runs a .NET loader executable, it eventually downloads encrypted PureCrypter malware from a compromised staging server. The Loader decrypts the PureCrypter malware and runs it in the system memory.  

In a few intrusions in this campaign, we found that the PureCrypter malware drops and runs the TorNet backdoor. The TorNet backdoor establishes connection to the C2 server and also connects the victim machine to the TOR network. It has the capabilities to receive and run arbitrary .NET assemblies in the victim machine’s memory, downloaded from the C2 server, increasing the attack surface for further intrusions. 

.NET loader implants PureCrypter 

Talos found that the compressed attachment files contain a large .NET executable file. The actor has instrumented the .NET executable to either download the next-stage malicious executables from a remote staging server or to reflectively load an embedded malicious binary.  

Some of the loader samples we analyzed in this campaign download the AES-encrypted binary of the PureCrypter malware hosted on compromised websites in paths “/filescontentgalleries/pictorialcoversoffiles/” and “/post-postlogin/” using a hardcoded URL. The encrypted PureCrypter binaries were stored with the arbitrary filenames using different file extensions, including .pdf, .dat, .wav, .vdf, .mp3 and .mp4. The loader decrypts the PureCrypter binary and loads reflectively. 

In a few other loader samples, we found that the encrypted PureCrypter sample was embedded in the loader, which is decrypted using the AES algorithm and reflectively loaded into the victim machine’s memory.  

PureCrypter drops the TorNet backdoor 

The PureCrypter malware found in this intrusion is a Windows dynamic-link library obfuscated with Eziriz’s .NET Reactor obfuscator. It has resources of encrypted binaries of legitimate DLLs, including Protobuf-net and Microsoft task scheduler DLL along with the TorNet backdoor.  

PureCrypter initially creates a mutex on the victim machine and executes the command to release the currently assigned DHCP IP address of the victim machine, establishes persistence, performs various anti-analysis and detections tasks, drops and runs the payload, and finally executes a command to renew the IP address of the victim machine.  

Cmd /c ipconfig /release 
Cmd /c ipconfig /renew 

The threat actor is likely using this technique to evade detections from the cloud-based anti-malware programs by disconnecting the victim machine from the network and connects back to the network after dropping and running the backdoor.  

The PureCrypter malware performs various anti-debugger, anti-analysis, anti-VM, and anti-malware checks on the victim machine as described below: 

• It checks if the process is debugged using the function “CheckRemoteDebuggerPresent”. 
• It checks for the Sandboxie and Cuckoo sandbox environments by enumerating processes to look for “sbieDLL.dll” and “cuckoomon.dll”. 
• It checks if the DLL is running in the virtual environment by executing the WMI queries and searches for the strings “VMware”, “VIRTUAL”, “AMI”, and “Xen”.  

Select * from Win32_BIOS 
Select * from Win32_ComputerSystem 

• It also checks if the process running is associated with “vmGuestLib.dll” to detect the VMWare environment. 
• It checks if the victim machine username is “john” or “anna” or “xxxxxxxx”.  
• It checks for the strings “amsi.dll” and “amsiscanbuffer” in the running processes modules of the victim machine.  
• It checks if the Event Tracing for Windows (ETW) is configured for the victim machine by attempting to check if any processes point to the function “EtwEventWrite” of “ntdll.dll”.  
• It modifies the Windows Defender settings by executing the PowerShell commands to add its process and the path of the dropped backdoor to the exclusion lists.

Add-MpPreference –ExclusionPath 
Add-MpPreference –ExclusionProcess 

After the evasion checks, PureCrypter decrypts the encrypted backdoor from its resource and drops it to the user profile application temporary folder with a random file name. It also decrypts another file resource using a custom string decryption algorithm, generating the arbitrary filename strings and the task name strings for the Windows Task scheduler.  

PureCrypter establishes the persistence in the Run registry key by adding the path of the loader. It also creates a Windows task using a task name gained by decrypting the strings from the resource file and executes the loader every two to four minutes with no execution time limit. The task can run if the machine switches to battery power and will not stop if it runs on a low battery power. The threat actor has instrumented this technique to possibly ensure an uninterrupted infection avoiding the victim machine operating system to deprioritize the process when a victim machine is running on low battery power mode.  

PureCrypter drops a Visual Basic script in the Windows startup folder with the instructions to load and execute the dropped backdoor. 

After establishing persistence, PureCrypter loads the dropped backdoor by accessing it through a URL scheme “file[://]<Path of the dropped backdoor>” and injects the backdoor into the .NET runtime executable process in the victim machine. The threat actor is using this technique to possibly masquerade the file access activity as a web request in the victim machine logs and to bypass detections for loading a file from suspicious file paths on the victim machine.  

Payload TorNet creates a backdoor on the victim machine 

Talos discovered a new .NET backdoor as the payload in the recent intrusions of this campaign, which we call TorNet. TorNet backdoor is also obfuscated with Eziriz’s .NET Reactor obfuscator and has hash values for the compilation time. This could be the artifact that was created when the samples were compiled in Visual Studio with the “/deterministic” parameter. When Visual Studio is configured to generate deterministic binaries, the compiled date/time field of the binaries will be replaced by a hash of the compilation options. Talos had previously seen, and reported this technique used by other threat actors to disguise the actual compilation time of the malware binaries.    

TorNet initially decodes a base64-encoded string to obtain the C2 domain, port number, and an alphanumeric string of 16 characters (5e7a81857a353068). It then performs the anti-debugging, anti-malware, anti-VM, and sandbox evasion checks similar to PureCrypter we discussed in the previous section.  

After the evasion checks, TorNet establishes a TCP socket connection to the C2 server by resolving the IP address of the C2 domain decoded from the base64-encoded string. The connection uses one of the port numbers 8194, 7890, or 8410. We observed that the C2 domains used by the backdoor were resolving to the IP address 104[.]168[.]7[.]37 during the period of our research. 

After establishing the connection to the C2 server, TorNet sends the gained string “5e7a81857a353068” by decoding the base64-encoded strings to the C2 server, creating a hexadecimal byte stream of length 20 and writes it to a memory stream by compressing it using the GzipStream function.  

HEX stream: “3A 12 12 10 35 65 37 61 38 31 38 35 37 61 33 35 33 30 36 38” 

ASCII equivalent: “:<2-byte place holder>n5e7a81857a353068” 

TorNet then generates an MD5 hash value of the string “5e7a81857a353068” and uses it as a key to encrypt the compressed 20-byte hexadecimal data stream using the triple DES algorithm. Using the Bitconverter function, TorNet splits the encrypted byte stream and sends it to the C2 server by writing it to the TCP stream through the socket.  

The C2 server may send an arbitrary encrypted .NET assembly as a response to a TorNet’s request. TorNet will decrypt the arbitrary binary and reflectively run it. During our research, we were unable to receive a response from the C2, still analyzing the TorNet binary allowed us to assess that the received response will be an arbitrary .NET assembly code, enabling the attack surface for further attack.  

TorNet also connects the victim machine to the TOR network. It downloads the TOR expert bundle from the TOR Project archive site, unpacks it and runs the “tor[.]exe” as a background process to connect to TOR.  

Once TOR is running, TorNet connects to the TOR network using the TOR SocksPort (127[.]0[.]0[.]1:9050), and with the “socket.Poll” function, it routes all traffic from the backdoor process on the victim machine through the TOR network. The threat actor is leveraging the TOR network to anonymize the C2 communication and evade detection.  

Coverage 

Cisco Secure Endpoint (formerly AMP for Endpoints) is ideally suited to prevent the execution of the malware detailed in this post. Try Secure Endpoint for free here. 

Cisco Secure Web Appliance web scanning prevents access to malicious websites and detects malware used in these attacks. 

Cisco Secure Email (formerly Cisco Email Security) can block malicious emails sent by threat actors as part of their campaign. You can try Secure Email for free here. 

Cisco Secure Firewall (formerly Next-Generation Firewall and Firepower NGFW) appliances such as Threat Defense Virtual, Adaptive Security Appliance and Meraki MX can detect malicious activity associated with this threat. 

Cisco Secure Malware Analytics (Threat Grid) identifies malicious binaries and builds protection into all Cisco Secure products. 

Umbrella, Cisco’s secure internet gateway (SIG), blocks users from connecting to malicious domains, IPs and URLs, whether users are on or off the corporate network. Sign up for a free trial of Umbrella here. 

Cisco Secure Web Appliance (formerly Web Security Appliance) automatically blocks potentially dangerous sites and tests suspicious sites before users access them. 

Additional protections with context to your specific environment and threat data are available from the Firewall Management Center. 

Cisco Duo provides multi-factor authentication for users to ensure only those authorized are accessing your network. 

Open-source Snort Subscriber Rule Set customers can stay up to date by downloading the latest rule pack available for purchase on Snort.org. Snort SIDs for this threat are 64440, 64439, 64437, 64438 and 301115. 

ClamAV detections are also available for this threat: 

Win.Backdoor.TorNet-10041435-0  
Win.Downloader.TorNet-10041463-0  
Win.Malware.TorNet-10041565-0  
Win.Malware.TorNet-10041601-0  
Win.Trojan.TorNet-10041734-0 

Indicators of Compromise  

IOCs for this threat can be found in our GitHub repository here. 

Cisco Talos Blog – ​Read More