2024-07-18

Red Canary: Thwarts Ransomware From Early Signs of Malicious PowerShell

Level: Strategic | Source: Red Canary | Healthcare

In June 2024, Red Canary intervened to prevent a ransomware attack targeting a major city hospital, a notable win for cybersecurity in healthcare. According to Red Canary's principal information security specialist, Brian Donohue, the attack was detected late on a Sunday evening, starting from an encoded PowerShell command spawned by a webshell on a Microsoft Exchange server. The investigation, which began by identifying this activity, helped avert a security incident and any impact on patient care.

The initial detection was triggered by suspicious PowerShell activity linked to a webshell on the hospital's Exchange server. Red Canary's analysis showed that the webshell, running under the IIS worker process w3wp.exe as its parent, was used to execute encoded PowerShell commands. The attackers moved quickly, "within minutes," using a compromised Microsoft Azure administrative account to move laterally across internal servers. They then used PowerShell in an attempt to disable Windows Defender, and further encoded PowerShell commands to install beacons that gave them Cobalt Strike command and control (C2).

Red Canary assessed that this sequence of events indicated the attackers were staging a ransomware attack while attempting to exfiltrate sensitive data, potentially for use in a double extortion scheme. Two signals stood out in Red Canary's investigation and enabled the prevention of a serious security incident at the hospital: the IIS worker process spawning an unexpected, encoded PowerShell command, and the attempt to disable Windows Defender.
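A small detector for the two signals called out above, added here as an example that is not Red Canary's or Anvilogic's code: it flags w3wp.exe spawning powershell.exe, decodes any -EncodedCommand payload (base64 of UTF-16LE), and checks the decoded text for Defender tampering. It runs over constructed process-creation events; the field names parent, image and cmdline are assumptions, not a real telemetry schema.

```python
import base64
import re

# Constructed sample process-creation events (not from the Red Canary report).
SAMPLE_EVENTS = [
    {"parent": r"C:\Windows\System32\inetsrv\w3wp.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell.exe -nop -w hidden -enc " + base64.b64encode(
         "Set-MpPreference -DisableRealtimeMonitoring $true".encode("utf-16le")).decode()},
    {"parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell.exe -File C:\\scripts\\backup.ps1"},
    {"parent": r"C:\Windows\System32\inetsrv\w3wp.exe",
     "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": "cmd.exe /c whoami"},
]

# PowerShell accepts abbreviated forms of -EncodedCommand; match the common ones.
ENC_FLAG = re.compile(r"(?i)\s-(?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]+)")
DEFENDER_TAMPER = re.compile(r"(?i)Set-MpPreference\s+-Disable\w+")

def decode_encoded_command(cmdline):
    """Return the decoded -EncodedCommand payload, or None if absent or malformed."""
    m = ENC_FLAG.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1)).decode("utf-16le")
    except (ValueError, UnicodeDecodeError):
        return None  # bad padding or not UTF-16LE: not a valid encoded command

def triage_event(ev):
    """Return the detection labels that apply to one process-creation event."""
    labels = []
    parent = ev["parent"].lower().rsplit("\\", 1)[-1]
    image = ev["image"].lower().rsplit("\\", 1)[-1]
    if parent == "w3wp.exe" and image == "powershell.exe":
        labels.append("iis_worker_spawned_powershell")
    decoded = decode_encoded_command(ev["cmdline"])
    if decoded is not None:
        labels.append("encoded_powershell")
        if DEFENDER_TAMPER.search(decoded):
            labels.append("defender_tamper")
    return labels

def triage(events):
    """Return (index, labels) for every event that produced at least one label."""
    return [(i, lbl) for i, ev in enumerate(events) if (lbl := triage_event(ev))]
```

The first sample event, which mirrors the page's sequence (IIS worker, encoded command, Defender disabled), raises all three labels; the routine backup script and the plain cmd.exe child raise none.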
