Healthcare and Defense Sectors Face Converging Cyber Threats from Ransomware Gangs and Nation-State Actors
Ransomware attacks hit record levels across all sectors, with 1,174 confirmed attacks and healthcare absorbing 22% of them [5]. Meanwhile, nation-state actors from China, Russia, Iran, and North Korea are running simultaneous campaigns against the defense industrial base, using everything from fake job portals to weaponized AI reconnaissance [7][8]. The Verizon 2025 Data Breach Investigations Report, covering incidents from November 2023 through October 2024, found ransomware present in 44% of all breaches, with ransomware attacks rising 37% year over year, while third-party involvement in breaches doubled from 15% to 30% [1][3].
These two sectors represent opposite ends of the attacker motivation spectrum: healthcare gets hit for money, defense gets hit for secrets. But both are losing ground. And both share a common structural weakness: sprawling third-party ecosystems that attackers are exploiting with increasing precision.
Healthcare: Record Ransomware, Massive Data Exposure
Healthcare was the worst-affected sector for ransomware, accounting for 22% of confirmed attacks [5]. The numbers from recent major incidents are staggering. The UnitedHealth Group/Change Healthcare attack, carried out by the Russian ransomware group Blackcat/ALPHV, resulted in 192.7 million Americans' health records being stolen [6]. The Yale New Haven Health System breach in March 2025 affected 5.56 million individuals [4]. The EpiSource ransomware attack compromised 5.42 million individuals [4]. DaVita was hit by the Interlock ransomware group, impacting 2.69 million individuals [4].
By the end of 2024, 259 million Americans' protected health information had been reported as hacked [6]. That's roughly 78% of the U.S. population.
Black Fog's analysis found that 96% of ransomware attacks now involve data theft, not just encryption [5]. The old model of "pay to decrypt" has been replaced by double extortion as standard practice. Interlock, which emerged in September 2024, targets businesses and critical infrastructure in North America and Europe using this exact model: encrypt and exfiltrate [11]. ALPHV Blackcat, responsible for the Change Healthcare catastrophe, had compromised over 1,000 entities by September 2023 and pivoted hard toward healthcare starting in mid-December 2023 [12].
A newer group called PEAR emerged in 2025 and has abandoned encryption entirely, focusing exclusively on data theft and extortion, with healthcare organizations among its primary victims [5].
The Third-Party Problem
The structural issue for healthcare isn't just perimeter defense. Over 80% of stolen protected health information records were taken not from hospitals but from third-party vendors [6]. The Verizon DBIR confirmed this pattern across all industries: breaches involving third parties doubled to 30% [1]. Healthcare's deep reliance on billing processors, medical device vendors, electronic health record platforms, and telehealth services creates a web of trust relationships that attackers are systematically mapping and exploiting.
Initial Access Vectors
Vulnerability exploitation surged 34% to account for 20% of all breaches, with significant focus on zero-day exploits [2][3]. Credential abuse held steady at 22% of breaches [2]. Phishing remained the third most common vector at 16% [2]. For healthcare specifically, the DBIR documented an alarming rise in espionage-motivated attacks alongside the financial crime [3][13].
ALPHV Blackcat affiliates used advanced social engineering techniques and open-source research on target companies to gain initial access [12]. Their toolkit included Brute Ratel C4 and Cobalt Strike as command-and-control beacons, Evilginx2 for adversary-in-the-middle attacks, and legitimate tools like AnyDesk, Splashtop, and Ngrok for persistence and tunneling [12].
Defense Industrial Base: Nation-States on the Offensive
Four nation-states are running parallel campaigns against defense contractors, each with distinct targeting priorities and tradecraft.
China
China-linked threat groups conducted at least two campaigns in early 2025 targeting aerospace and defense employees [7]. Salt Typhoon, one of China's most capable groups, compromised nine U.S. telecommunications companies including Verizon, AT&T, T-Mobile, Spectrum, and Lumen [9]. The campaign ran for one to two years before discovery in September 2024 [9]. Hackers accessed metadata of over a million users' calls and text messages, mostly in the Washington D.C. metro area, and targeted phones belonging to high-profile individuals including Donald Trump and JD Vance [9]. The U.S. Treasury sanctioned Sichuan Juxinhe Network Technology Co., LTD. for direct involvement with Salt Typhoon (U.S. Department of the Treasury, January 17, 2025).
Separately, PRC state-sponsored actors deployed BRICKSTORM, a sophisticated backdoor targeting VMware vSphere platforms and Windows environments, primarily against government services and IT sectors for long-term persistence [14].
Russia
UNC5976 launched a phishing campaign starting in January 2025 that delivered malicious RDP connection files to defense targets [8]. UNC6096 ran malware delivery operations via WhatsApp, using Delta battlefield management platform themes as lures, and deployed GALLGRAB, a modified version of the publicly available Android Gallery Stealer [8].
Iran
Iran-linked groups UNC1549 and UNC6446 have been using spoofed job portals and fake job offers since at least 2022 to target defense personnel [8]. UNC1549 deployed CRASHPAD, a custom tool for credential theft [8]. The use of malicious resume-builder applications added another social engineering angle to their operations [7].
North Korea
APT43 mimicked German and U.S. companies related to defense to steal credentials and install the THINWAVE backdoor [7]. UNC2970 consistently focused on defense targeting and cybersecurity companies, and notably used Google's Gemini AI to conduct reconnaissance on potential targets [8]. APT45 deployed SMALLTIGER malware against South Korean defense, semiconductor, and automotive manufacturing targets [7].
Edge Device Exploitation
All of these nation-state groups share one reliable tactic: going after edge devices. In 2025, 14 vendors typically associated with edge devices had 26 vulnerabilities exploited by attackers [7]. As one researcher noted, edge exploitation has become "a repeatable and reliable initial access vector" [7].
IOC Table
| Type | Value | Context | Source |
|---|---|---|---|
| Malware | ALPHV Blackcat (Sphynx variant) | Ransomware with cross-platform capabilities; responsible for Change Healthcare breach | [6][12] |
| Malware | Interlock ransomware | Double extortion ransomware; hit DaVita and other critical infrastructure | [4][11] |
| Malware | Safepay ransomware | Claimed responsibility for Conduent attack | [4] |
| Malware | PEAR | Data-theft-only extortion group targeting healthcare | [5] |
| Malware | BRICKSTORM | PRC backdoor for VMware vSphere and Windows; long-term persistence | [14] |
| Malware | THINWAVE | Backdoor delivered via fake German/U.S. defense infrastructure by APT43 | [7] |
| Malware | SMALLTIGER | Used by APT45 against South Korean defense and semiconductor targets | [7] |
| Malware | GALLGRAB | Modified Android Gallery Stealer used by UNC6096 | [8] |
| Malware | CraxsRAT | Android malware delivered by UNC5114 disguised as Kropyva app update | [8] |
| Malware | CRASHPAD | Custom credential theft tool used by UNC1549 | [8] |
| Malware | Brute Ratel C4 | C2 beacon used by ALPHV affiliates | [12] |
| Malware | Cobalt Strike | C2 beacon used by ALPHV affiliates | [12] |
| Malware | Evilginx2 | Adversary-in-the-middle framework | [12] |
| Filename | StorageExplorer | Tool used by Interlock actors | [11] |
| Filename | AnyDesk | Remote access tool for persistence | [11][12] |
| Filename | Ngrok | Tunneling tool used by ALPHV affiliates | [12] |
| Filename | Plink | Legitimate remote access tool abused for lateral movement | [12] |
| Filename | Mega sync | Data exfiltration tool | [12] |
| Domain | Mega.nz | Data exfiltration service | [12] |
| Domain | Dropbox | Data exfiltration service | [12] |
MITRE ATT&CK Techniques
| ID | Name | Context |
|---|---|---|
| T1566 | Phishing | UNC5976 RDP phishing campaign; ALPHV social engineering [8][12] |
| T1566.001 | Spearphishing Attachment | APT43 delivering THINWAVE via fake defense company emails [7] |
| T1078 | Valid Accounts | Credential abuse in 22% of all breaches [2] |
| T1189 | Drive-by Compromise | Fake job portals used by UNC1549/UNC6446 [8] |
| T1505.003 | Web Shell | Initial access mechanism for BRICKSTORM deployments [14] |
| T1021.001 | Remote Desktop Protocol | UNC5976 malicious RDP connection files [8] |
| T1105 | Ingress Tool Transfer | Deployment of Cobalt Strike, Brute Ratel C4 [12] |
| T1041 | Exfiltration Over C2 Channel | 96% of ransomware attacks now include data theft [5] |
| T1068 | Exploitation for Privilege Escalation | Zero-day exploitation on edge devices [7] |
| T1595 | Active Scanning | UNC2970 using Gemini AI for target reconnaissance [8] |
Detection and Hunting
Ransomware Precursors in Healthcare Environments:
- Monitor for deployment of dual-use tools: AnyDesk, Splashtop, Ngrok, Plink, and Mega sync are all legitimate software that ALPHV and Interlock affiliates use for persistence and exfiltration [11][12]. Alert on first-time installations of these tools on servers and workstations.
- Hunt for Cobalt Strike and Brute Ratel C4 beacons in network traffic. Both produce identifiable patterns in HTTP/HTTPS traffic that commercial EDR and NDR solutions can flag.
- Watch for large outbound data transfers to Mega.nz and Dropbox, particularly from systems that store patient data or financial records [12].
Nation-State Indicators in Defense Networks:
- UNC5976's January 2025 campaign used malicious .rdp files delivered via phishing [8]. Hunt for .rdp file attachments in email logs and monitor for unexpected outbound RDP connections.
- APT43's THINWAVE backdoor was delivered through infrastructure mimicking German and U.S. defense companies [7]. Review DNS logs for recently registered domains that closely resemble known defense contractors or partners.
- BRICKSTORM targets VMware vSphere environments [14]. Monitor vCenter logs for unusual web shell activity, new service accounts, or unexpected administrative API calls.
- UNC2970 used Google Gemini for target reconnaissance [8]. While this is hard to detect on the defender side, it signals that social engineering attempts will be highly tailored. Brief employees on highly specific, personalized phishing attempts referencing real projects or colleagues.
Third-Party Risk Monitoring:
- Given that 80% of healthcare PHI theft came from third-party vendors [6] and third-party breaches doubled across all sectors [1], implement continuous monitoring of vendor connections. Alert on any third-party VPN or API credential usage outside normal business hours.
Analysis
The convergence of financial and espionage motivations in healthcare marks a significant shift. The DBIR found that espionage-motivated breaches now account for 17% of all cases, with healthcare and the public sector most affected [13]. This likely reflects nation-state actors recognizing that health data has intelligence value: genetic information, health records of government employees and military personnel, and pharmaceutical research data all serve strategic purposes.
The defense industrial base faces a different calculus. Four nation-states are running persistent, overlapping campaigns. The sophistication gap between these actors is narrowing. North Korea's UNC2970 using Gemini AI for reconnaissance [8] shows that even resource-constrained adversaries can punch above their weight with commercial AI tools.
The doubling of third-party breaches to 30% [1] is particularly concerning for both sectors. Healthcare's vendor ecosystem and defense's multi-tier supply chain both create attack surfaces that individual organizations can't fully control. The Change Healthcare incident, where a single vendor compromise exposed 192.7 million records [6], demonstrated the catastrophic potential of supply chain attacks in healthcare.
On the positive side: 64% of ransomware victims now refuse to pay, up from 50% two years ago [3]. The median ransom payment dropped to $115,000 [3]. Ransomware is becoming less profitable per attack, which likely explains why groups like PEAR are abandoning encryption entirely in favor of pure data extortion [5].
Red Sheep Assessment
Confidence: Moderate
The sources collectively point to a development that none of them state directly: healthcare is transitioning from a primarily criminal target to a dual-use target with both financial and intelligence value. The DBIR's documentation of rising espionage-motivated attacks against healthcare [13], combined with the sheer scale of health data now available to attackers (259 million Americans' PHI compromised by end of 2024 [6]), suggests that nation-state actors are either directly conducting or passively benefiting from the ransomware ecosystem's assault on healthcare.
Consider the possibility that ransomware attacks on healthcare serve as convenient cover for intelligence collection. A ransomware group exfiltrating millions of health records doesn't need to be state-sponsored for a state to benefit. Data stolen and posted on leak sites or sold in criminal markets could potentially be accessed by various actors, including intelligence services. The 96% data exfiltration rate in ransomware attacks [5] means nearly every attack produces intelligence-grade data.
For the defense sector, the use of AI tools for reconnaissance by North Korean operators [8] signals that the barrier to running sophisticated social engineering campaigns is dropping fast. Defenders should expect that within 12 to 18 months, the quality gap between Chinese and North Korean social engineering campaigns will narrow substantially.
An alternative interpretation: the spike in healthcare espionage breaches could simply reflect better attribution by incident responders rather than a genuine shift in nation-state behavior. Better tools and threat intelligence sharing may be revealing what was always there. The data doesn't allow us to distinguish between these two explanations with confidence.
Defender's Checklist
- [ ] Audit third-party vendor access controls. Map all vendor VPN, API, and RDP connections. Require MFA for every one. Over 80% of stolen healthcare PHI came through third parties [6], and third-party breaches doubled overall [1].
- [ ] Hunt for dual-use tooling on critical systems. Search for AnyDesk, Splashtop, Ngrok, Plink, Mega sync, and StorageExplorer installations that weren't deployed by IT. Query:

  ```spl
  index=endpoint (process_name=anydesk.exe OR process_name=ngrok.exe OR process_name=plink.exe) | stats count by host, user
  ```

- [ ] Patch edge devices within 48 hours of advisory publication. Attackers exploited 26 vulnerabilities across 14 edge device vendors in 2025 [7]. Prioritize VPN appliances, firewalls, and load balancers.
- [ ] Brief defense sector employees on AI-enhanced social engineering. APT43 is building fake defense company infrastructure [7] and UNC2970 is using Gemini for reconnaissance [8]. Employees should verify any unexpected contact referencing specific projects through a separate, confirmed communication channel.
- [ ] Implement outbound data transfer monitoring with specific thresholds. Alert on transfers exceeding 100GB per day or 10GB to cloud storage services in a single session, particularly Mega.nz and Dropbox [12]. For healthcare, focus on systems with access to PHI.
References
- 2025 Data Breach Investigations Report | Verizon
- Verizon DBIR: Surge in Vulnerability Exploitation and Healthcare Espionage Breaches | HIPAA Journal
- Verizon's 2025 Data Breach Investigations Report: Alarming surge in cyberattacks through third-parties
- Largest Healthcare Data Breaches of 2025 | HIPAA Journal
- 2025 Healthcare Data Breach Report | HIPAA Journal
- 2025 Cybersecurity Year in Review, Part One: Breaches and Defensive Measures | AHA
- Nation-State Hackers Put Defense Industrial Base Under Siege | Dark Reading
- Threats to the Defense Industrial Base | Google Cloud Blog
- Salt Typhoon | Wikipedia
- MITRE ATT&CK Full Guide for SOC & DFIR | CyberDefenders
- #StopRansomware: Interlock | CISA
- #StopRansomware: ALPHV Blackcat | CISA
- Verizon 2025 DBIR: 10 Takeaways You Should Know | SOCRadar
- Malware Analysis Report: BRICKSTORM Backdoor | U.S. Department of Defense
---
Hunt Guide: Converging Ransomware and Nation-State Threats Against Healthcare and Defense Sectors
Hypothesis: If ransomware operators (ALPHV/BlackCat, Interlock, PEAR) or nation-state actors (Salt Typhoon, APT43, APT45, UNC5976) are active in our environment, we expect to observe dual-use tool deployments, data exfiltration to cloud services, malicious RDP files, and edge device exploitation in Windows Security, Sysmon, proxy, and firewall logs.
Intelligence Summary: Healthcare faces record ransomware with 259 million Americans' PHI compromised by end of 2024, while four nation-states (China, Russia, Iran, North Korea) simultaneously target defense contractors. Both sectors share vulnerability through third-party ecosystems, with 30% of all breaches now involving third parties and 96% of ransomware attacks including data exfiltration.
Confidence: High | Priority: Critical
Scope
- Networks: All healthcare PHI processing systems, defense contractor networks, third-party vendor connections, VMware infrastructure, edge devices
- Timeframe: 90 days retrospective, continuous forward monitoring
- Priority Systems: Domain controllers, vCenter servers, file servers with PHI/CUI data, backup systems, edge devices (VPN/firewall), email gateways
MITRE ATT&CK Techniques
T1219 — Remote Access Software (Command and Control) [P1]
ALPHV/BlackCat and Interlock affiliates deploy AnyDesk, Splashtop, and Ngrok for persistent access before ransomware deployment
Splunk SPL:

```spl
index=* (process_name="anydesk.exe" OR process_name="splashtop*.exe" OR process_name="ngrok.exe" OR CommandLine="*anydesk*" OR CommandLine="*splashtop*" OR CommandLine="*ngrok*")
| stats count, min(_time) as first_seen by host, user, process_name, parent_process_name, CommandLine
| where count < 5
```

Elastic KQL:

```kql
(process.name:("anydesk.exe" OR "splashtop*.exe" OR "ngrok.exe") OR process.command_line:("*anydesk*" OR "*splashtop*" OR "*ngrok*")) AND event.action:"process_started"
```

Sigma Rule:

```yaml
title: Suspicious Remote Access Tool Execution
id: a1b2c3d4-5678-9101-1121-314151617181
status: production
description: Detects execution of remote access tools commonly used by ransomware affiliates
references:
  - https://www.cisa.gov/news-events/cybersecurity-advisories/aa25-203a
  - https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-353a
logsource:
  category: process_creation
  product: windows
detection:
  selection:
    - Image|endswith:
        - '\anydesk.exe'
        - '\ngrok.exe'
    - Image|contains: '\splashtop'
    - CommandLine|contains:
        - 'anydesk'
        - 'splashtop'
        - 'ngrok'
  filter:
    - Image|startswith: 'C:\Program Files\'
    - ParentImage|endswith: '\services.exe'
  condition: selection and not filter
falsepositives:
  - Legitimate IT support activities
level: high
tags:
  - attack.command_and_control
  - attack.t1219
```
Monitor for first-time installations on servers and after-hours activity. Whitelist legitimate IT support patterns.
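The "first-time installation" logic in the note above, as an added example that is not part of the hunt guide: it keeps a per-host set of dual-use tools already seen and scores each new appearance by host role, time of day and install path. The event layout, host naming convention (SRV- prefix for servers) and sample events are constructed.

```python
"""First execution of a dual-use remote access tool per host.

Added example (not from the hunt guide). Builds a per-host baseline of the
dual-use tools already observed, then alerts the first time a tool shows up
on a host, weighting servers, after-hours runs and non-standard install
paths. Event fields (timestamp, host, user, image path) are assumed.
"""
from collections import defaultdict
from datetime import datetime

# Tools the report names as abused by ALPHV and Interlock affiliates.
DUAL_USE_TOOLS = {"anydesk.exe", "splashtopstreamer.exe", "ngrok.exe",
                  "plink.exe", "megacmd.exe"}

# Constructed process-creation events: (ISO timestamp, host, user, image path)
SAMPLE_EVENTS = [
    ("2025-01-20T09:12:00", "WS-HELPDESK01", "it.tech",
     r"C:\Program Files\AnyDesk\AnyDesk.exe"),
    ("2025-01-20T09:40:00", "WS-HELPDESK01", "it.tech",
     r"C:\Program Files\AnyDesk\AnyDesk.exe"),          # repeat, not alerted
    ("2025-01-21T02:17:00", "SRV-EHR-DB02", "svc_backup",
     r"C:\Users\Public\anydesk.exe"),                   # server, 02:17, odd path
    ("2025-01-21T02:25:00", "SRV-EHR-DB02", "svc_backup",
     r"C:\Users\Public\ngrok.exe"),
    ("2025-01-21T14:05:00", "WS-FINANCE07", "j.doe",
     r"C:\Windows\System32\notepad.exe"),               # not a dual-use tool
]


def is_after_hours(ts):
    """Assumed business window: 07:00-19:00 on weekdays."""
    return ts.hour < 7 or ts.hour >= 19 or ts.weekday() >= 5


def detect_first_seen(events, baseline=None):
    """Return one alert dict per first execution of a dual-use tool on a host.

    baseline: optional {host: [tool names]} of tools already known on a host,
    e.g. from a previous hunt; those are not re-alerted.
    """
    seen = defaultdict(set)
    for host, tools in (baseline or {}).items():
        seen[host].update(t.lower() for t in tools)

    alerts = []
    for ts_str, host, user, image in events:
        tool = image.rsplit("\\", 1)[-1].lower()
        if tool not in DUAL_USE_TOOLS or tool in seen[host]:
            continue
        seen[host].add(tool)

        ts = datetime.fromisoformat(ts_str)
        score = 1
        reasons = ["first execution of %s on %s" % (tool, host)]
        if host.upper().startswith("SRV-"):      # assumed server naming scheme
            score += 2
            reasons.append("server host")
        if is_after_hours(ts):
            score += 1
            reasons.append("after hours")
        if not image.lower().startswith("c:\\program files"):
            score += 1
            reasons.append("non-standard install path")
        alerts.append({"time": ts_str, "host": host, "user": user,
                       "tool": tool, "score": score, "reasons": reasons})
    return alerts


if __name__ == "__main__":
    for a in detect_first_seen(SAMPLE_EVENTS):
        print(a["score"], a["host"], a["tool"], "; ".join(a["reasons"]))
```

The helpdesk workstation scores 1 (first sighting only) while the EHR database server scores 5, which is the kind of ranking that keeps legitimate IT support use out of the top of the queue without whitelisting the tool outright.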
T1567.002 — Exfiltration to Cloud Storage (Exfiltration) [P1]
Ransomware groups exfiltrate data to Mega.nz and Dropbox before encryption, with 96% of attacks now including data theft
Splunk SPL:

```spl
index=proxy (dest_host="*.mega.nz" OR dest_host="*.dropbox.com" OR url="*mega.nz*" OR url="*dropbox.com*")
| eval bytes_out_mb=bytes_out/1024/1024
| where bytes_out_mb > 100
| stats sum(bytes_out_mb) as total_mb by src_ip, dest_host, user
| where total_mb > 1000
```

Elastic KQL:

```kql
(destination.domain:("mega.nz" OR "*.mega.nz" OR "dropbox.com" OR "*.dropbox.com") OR url.full:("*mega.nz*" OR "*dropbox.com*")) AND network.bytes > 104857600
```

Sigma Rule (cs-bytes is the client-to-server count in W3C proxy logs, which is the upload direction; sc-bytes would only measure downloads):

```yaml
title: Large Data Transfer to Cloud Storage Services
id: b2c3d4e5-6789-0123-2233-425161718191
status: production
description: Detects large uploads to cloud storage services commonly used for ransomware exfiltration
logsource:
  category: proxy
detection:
  selection:
    c-uri|contains:
      - 'mega.nz'
      - 'dropbox.com'
  large_upload:
    cs-bytes|gte: 104857600  # 100 MB client-to-server
  condition: selection and large_upload
fields:
  - c-ip
  - cs-username
  - c-uri
  - cs-bytes
falsepositives:
  - Legitimate business data backups
level: high
```
Alert on transfers exceeding 100MB per session or 1GB per day. Baseline normal cloud storage usage per department.
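The two thresholds from the note above applied together, as an added example that is not part of the hunt guide: a per-session limit of 100 MB and a per-source daily limit of 1 GB, evaluated over constructed proxy log lines. The daily aggregate is what catches an actor who keeps each upload just under the session limit. The log layout (timestamp, source IP, user, destination host, client-to-server bytes, session id) is assumed.

```python
"""Cloud storage exfiltration thresholds over proxy logs.

Added example, not part of the hunt guide. Applies two thresholds to
constructed proxy records: more than 100 MB uploaded in one session and more
than 1 GB from one source address in a day. The line layout
(timestamp src_ip user dest_host bytes_out session_id) is assumed; bytes_out
is the client-to-server byte count, the direction that matters for uploads.
"""
from collections import defaultdict

# Domains named in the report, plus Dropbox's API host, which a plain
# 'dropbox.com' suffix match would miss.
EXFIL_DOMAINS = ("mega.nz", "dropbox.com", "dropboxapi.com")
SESSION_LIMIT = 100 * 1024 * 1024      # 100 MB per session
DAILY_LIMIT = 1024 * 1024 * 1024       # 1 GB per source per day

# Constructed sample: one 150 MB session, then ten 95 MB sessions that each
# stay under the session limit but sum past the daily limit, plus benign noise.
SAMPLE_LOG = """\
2025-01-21T01:05:11 10.20.5.17 svc_backup mega.nz 157286400 s1
2025-01-21T01:09:40 10.20.5.17 svc_backup mega.nz 99614720 s2
2025-01-21T01:14:02 10.20.5.17 svc_backup mega.nz 99614720 s3
2025-01-21T01:19:15 10.20.5.17 svc_backup mega.nz 99614720 s4
2025-01-21T01:24:33 10.20.5.17 svc_backup mega.nz 99614720 s5
2025-01-21T01:29:48 10.20.5.17 svc_backup mega.nz 99614720 s6
2025-01-21T01:34:59 10.20.5.17 svc_backup mega.nz 99614720 s7
2025-01-21T01:39:21 10.20.5.17 svc_backup mega.nz 99614720 s8
2025-01-21T01:44:37 10.20.5.17 svc_backup mega.nz 99614720 s9
2025-01-21T01:49:50 10.20.5.17 svc_backup mega.nz 99614720 s10
2025-01-21T01:54:04 10.20.5.17 svc_backup mega.nz 99614720 s11
2025-01-21T10:30:00 10.20.8.44 j.doe www.dropbox.com 5242880 s12
2025-01-21T11:02:15 10.20.8.51 a.smith content.dropboxapi.com 83886080 s13
2025-01-21T11:45:30 10.20.8.44 j.doe teams.microsoft.com 524288000 s14
"""


def matches_exfil_domain(host):
    """True for the domain itself or any subdomain of it."""
    host = host.lower()
    return any(host == d or host.endswith("." + d) for d in EXFIL_DOMAINS)


def parse_line(line):
    ts, src, user, host, nbytes, session = line.split()
    return {"day": ts[:10], "src": src, "user": user, "host": host,
            "bytes": int(nbytes), "session": session}


def analyze(log_text):
    """Return sorted alerts as tuples:
    ('session', src_ip, session_id, bytes) or ('daily', src_ip, day, bytes)."""
    per_session = defaultdict(int)
    per_day = defaultdict(int)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        if not matches_exfil_domain(rec["host"]):
            continue  # only cloud storage uploads count toward the thresholds
        per_session[(rec["src"], rec["session"])] += rec["bytes"]
        per_day[(rec["src"], rec["day"])] += rec["bytes"]

    alerts = [("session", src, sid, total)
              for (src, sid), total in per_session.items()
              if total > SESSION_LIMIT]
    alerts += [("daily", src, day, total)
               for (src, day), total in per_day.items()
               if total > DAILY_LIMIT]
    return sorted(alerts)


if __name__ == "__main__":
    for kind, src, key, total in analyze(SAMPLE_LOG):
        print("%-7s %-12s %-12s %.1f MB" % (kind, src, key, total / 1048576))
```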
T1566.001 — Spearphishing Attachment (Initial Access) [P2]
UNC5976 delivers malicious RDP files via phishing; APT43 uses fake defense company emails with THINWAVE backdoor
Splunk SPL (the subsearch renames its IP column so the join key exists on both sides):

```spl
index=email attachment_name="*.rdp"
| join type=left sender_ip [search index=threat_intel | rename ip as sender_ip | fields sender_ip description]
| stats count by recipient, sender, subject, attachment_name, attachment_hash, description
```

Elastic KQL:

```kql
event.category:email AND file.extension:"rdp" AND file.hash.sha256:*
```

Sigma Rule (the .rdp attachment alone is the match; sender-domain keywords are kept as a triage cue rather than an OR term, since on their own they would fire on every legitimate partner email):

```yaml
title: Malicious RDP File Email Attachment
id: c3d4e5f6-7890-1234-3344-526171819202
status: production
description: Detects RDP files sent as email attachments, technique used by UNC5976
logsource:
  service: email-gateway
detection:
  selection:
    attachment_name|endswith: '.rdp'
  # Prioritize hits whose sender domain contains 'defense', 'aerospace'
  # or 'contractor' (lookalike infrastructure), but do not alert on those alone.
  condition: selection
level: high
```
RDP files via email are extremely rare in legitimate workflows. Any detection warrants immediate investigation.
T1021.001 — Remote Desktop Protocol (Lateral Movement) [P2]
Malicious RDP connection files used by UNC5976 for initial access and lateral movement
Splunk SPL (TargetFilename is the path of the created file, so the server address inside the .rdp file is not available here; pull it from the file itself during triage):

```spl
index=* EventCode=11 TargetFilename="*.rdp"
| stats count, values(Image) as creating_process by Computer, User, TargetFilename
| where count < 3
```

Elastic KQL:

```kql
event.code:11 AND file.path:"*.rdp" AND event.action:"FileCreate"
```

Sigma Rule:

```yaml
title: Suspicious RDP File Creation
id: d4e5f6a7-8901-2345-4455-637182920313
status: production
description: Detects creation of RDP connection files in unusual locations
logsource:
  product: windows
  service: sysmon
detection:
  selection:
    EventID: 11
    TargetFilename|endswith: '.rdp'
  filter:
    - TargetFilename|contains: '\Desktop\'
    - Image|endswith: '\mstsc.exe'
  condition: selection and not filter
level: medium
```
Focus on RDP files created outside user desktop folders or by non-mstsc.exe processes.
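A triage parser for the .rdp files these hunts surface, added here as an example that is not part of the hunt guide. An .rdp file is plain text with one "name:type:value" setting per line (type s = string, i = integer, b = binary); the parser extracts the connection target and flags settings that hand local drives, clipboard or smart cards to the remote host. The trusted host list and both sample files are constructed; IPv6 targets are not handled.

```python
"""Triage of .rdp attachments: parse the file and score risky settings.

Added example, not taken from the hunt guide. Each .rdp line is
"name:type:value" (s = string, i = integer, b = binary). We flag an external
connection target and any setting that exposes local resources to the remote
host. TRUSTED_RDP_HOSTS and the two sample files are constructed.
"""
import ipaddress

# Assumed: the organisation's own RDP gateways / jump hosts.
TRUSTED_RDP_HOSTS = {"rdp.corp.example", "10.10.1.5"}

# setting name -> (expected type, predicate on the value, finding text)
RISKY_SETTINGS = {
    "drivestoredirect": ("s", lambda v: v != "", "local drives shared with remote host"),
    "redirectdrives": ("i", lambda v: v == "1", "drive redirection enabled"),
    "redirectclipboard": ("i", lambda v: v == "1", "clipboard redirection enabled"),
    "redirectsmartcards": ("i", lambda v: v == "1", "smart card redirection enabled"),
    "devicestoredirect": ("s", lambda v: v != "", "device redirection configured"),
    "remoteapplicationmode": ("i", lambda v: v == "1", "RemoteApp mode hides the full desktop"),
}

# Constructed sample: external target plus resource redirection.
SUSPICIOUS_RDP = """\
screen mode id:i:2
full address:s:vpn-update.example.net:3389
username:s:
remoteapplicationmode:i:1
remoteapplicationprogram:s:||Portal
drivestoredirect:s:*
redirectclipboard:i:1
redirectsmartcards:i:1
"""

# Constructed sample: internal jump host, nothing redirected.
BENIGN_RDP = """\
screen mode id:i:2
full address:s:rdp.corp.example
redirectclipboard:i:0
drivestoredirect:s:
"""


def parse_rdp(text):
    """Return {setting name: (type, value)}; malformed lines are skipped."""
    settings = {}
    for raw in text.splitlines():
        parts = raw.strip().split(":", 2)
        if len(parts) != 3:
            continue
        name, typ, value = (p.strip() for p in parts)
        settings[name.lower()] = (typ.lower(), value)
    return settings


def target_host(address):
    """Strip an optional :port suffix (hostname or IPv4 form assumed)."""
    return address.rsplit(":", 1)[0] if ":" in address else address


def is_internal(host):
    """RFC 1918 addresses or an explicitly trusted hostname count as internal."""
    try:
        return ipaddress.ip_address(host).is_private
    except ValueError:
        return host.lower() in TRUSTED_RDP_HOSTS


def triage(text):
    """Return target, findings and a verdict for one .rdp file's contents."""
    s = parse_rdp(text)
    findings = []
    host = target_host(s.get("full address", ("s", ""))[1])
    if not host:
        findings.append("no full address set")
    elif not is_internal(host):
        findings.append("connects to external host %s" % host)
    for name, (typ, risky, finding) in RISKY_SETTINGS.items():
        if name in s and s[name][0] == typ and risky(s[name][1]):
            findings.append(finding)
    return {"target": host, "findings": findings,
            "verdict": "suspicious" if findings else "benign"}


if __name__ == "__main__":
    for label, sample in (("suspicious", SUSPICIOUS_RDP), ("benign", BENIGN_RDP)):
        print(label, triage(sample))
```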
T1505.003 — Web Shell (Persistence) [P1]
BRICKSTORM backdoor targets VMware vSphere environments through web shell deployment
Splunk SPL:

```spl
index=vmware (sourcetype=vpxd OR sourcetype=vmware:esxlog) ("POST" OR "GET") uri_path IN ("*.jsp", "*.aspx", "*.php") status=200
| regex uri_path="(cmd|shell|upload|exec|system|eval)"
| stats count by src_ip, uri_path, user_agent
```

Elastic KQL:

```kql
(event.dataset:"vmware.vcenter" OR event.dataset:"vmware.esxi") AND http.request.method:("POST" OR "GET") AND url.path:("*.jsp" OR "*.aspx" OR "*.php") AND http.response.status_code:200
```

Sigma Rule (script extension and command-style query parameter are required together, matching the SPL above; a bare .jsp hit on vCenter would be constant noise):

```yaml
title: VMware vSphere Web Shell Activity
id: e5f6a7b8-9012-3456-5566-748293031424
status: production
description: Detects potential web shell activity in VMware vSphere environments targeted by BRICKSTORM
logsource:
  category: webserver
  product: vmware
detection:
  selection:
    cs-uri-stem|contains:
      - '.jsp'
      - '.aspx'
      - '.php'
    cs-uri-query|contains:
      - 'cmd='
      - 'shell'
      - 'exec'
  response:
    sc-status: 200
  condition: selection and response
level: critical
```
Any web shell activity in vSphere is critical. Check for new service accounts and API calls after detection.
T1595 — Active Scanning (Reconnaissance) [P3]
UNC2970 uses Google Gemini AI for reconnaissance on potential targets
Splunk SPL:

```spl
index=proxy (dest_host="*gemini.google.com" OR dest_host="*bard.google.com" OR url="*generativelanguage.googleapis.com*")
| transaction src_ip maxspan=30m
| where eventcount > 50
| stats values(url) as urls, dc(url) as unique_queries by src_ip
```

Elastic KQL:

```kql
destination.domain:("gemini.google.com" OR "bard.google.com" OR "generativelanguage.googleapis.com") AND event.action:"allowed"
```

Sigma Rule:

```yaml
title: Excessive AI Platform Queries for Reconnaissance
id: f6a7b8c9-0123-4567-6677-859304142535
status: experimental
description: Detects excessive queries to AI platforms that could indicate reconnaissance activity
logsource:
  category: proxy
detection:
  selection:
    c-uri|contains:
      - 'gemini.google.com'
      - 'bard.google.com'
      - 'generativelanguage.googleapis.com'
  timeframe: 30m
  condition: selection | count() by c-ip > 50
level: medium
```
High-volume AI queries about your organization or employees may indicate reconnaissance. Correlate with subsequent phishing attempts.
T1190 — Exploit Public-Facing Application (Initial Access) [P1]
Edge device exploitation used by all nation-state groups with 26 vulnerabilities across 14 vendors
Splunk SPL (the lookup's IP column is renamed so the join key matches):

```spl
index=firewall action=allowed (dest_port=443 OR dest_port=8443 OR dest_port=10443)
| join type=left src_ip [| inputlookup threat_intel_ip.csv | rename ip as src_ip | fields src_ip description]
| stats count by src_ip, dest_ip, dest_port, description
| where count > 1000
```

Elastic KQL:

```kql
(event.category:"network" AND destination.port:(443 OR 8443 OR 10443) AND network.direction:"inbound") AND NOT source.ip:("10.0.0.0/8" OR "172.16.0.0/12" OR "192.168.0.0/16")
```

Sigma Rule (the volume threshold is expressed as an aggregation on the condition; a selection cannot reference another selection by name):

```yaml
title: Suspicious Edge Device Access Pattern
id: a7b8c9d0-1234-5678-7788-960415263646
status: production
description: Detects suspicious access patterns to edge devices commonly targeted by nation-state actors
logsource:
  category: firewall
detection:
  selection:
    dst_port:
      - 443
      - 8443
      - 10443
    action: 'allow'
  timeframe: 1h
  condition: selection | count() by src_ip > 1000
level: high
```
Monitor for high-volume connections to management interfaces. Baseline normal admin activity patterns.
T1059.001 — PowerShell (Execution) [P1]
ALPHV/BlackCat affiliates use PowerShell for post-exploitation activities
Splunk SPL:

```spl
index=* EventCode=4104 ScriptBlockText IN ("*Invoke-WebRequest*mega.nz*", "*Invoke-RestMethod*dropbox*", "*DownloadFile*", "*System.Net.WebClient*")
| stats count by Computer, UserName, ScriptBlockText
```

Elastic KQL:

```kql
event.code:4104 AND powershell.file.script_block_text:("*Invoke-WebRequest*mega.nz*" OR "*Invoke-RestMethod*dropbox*" OR "*DownloadFile*" OR "*System.Net.WebClient*")
```

Sigma Rule:

```yaml
title: PowerShell Data Exfiltration Activity
id: b8c9d0e1-2345-6789-8899-071526374757
status: production
description: Detects PowerShell commands used for data exfiltration to cloud storage
logsource:
  product: windows
  service: powershell
detection:
  selection:
    EventID: 4104
    ScriptBlockText|contains|all:
      - 'Invoke-WebRequest'
      - 'mega.nz'
  selection2:
    EventID: 4104
    ScriptBlockText|contains|all:
      - 'System.Net.WebClient'
      - 'UploadFile'
  condition: selection or selection2
level: high
```
Any PowerShell uploading data to cloud storage services warrants immediate investigation.
T1486 — Data Encrypted for Impact (Impact) [P1]
Ransomware encryption by ALPHV/BlackCat, Interlock, though PEAR group has abandoned encryption for pure extortion
Splunk SPL (filter on the ransomware extensions first, then count distinct files per host per minute; the original join against a bare `stats count` subsearch had no Computer field to join on):

```spl
index=* EventCode=11 TargetFilename IN ("*.locked", "*.encrypted", "*.alphv", "*.blackcat", "*.interlock")
| bucket _time span=1m
| stats dc(TargetFilename) as files_created by _time, Computer
| where files_created > 100
```

Elastic KQL:

```kql
event.code:11 AND file.extension:("locked" OR "encrypted" OR "alphv" OR "blackcat" OR "interlock")
```

Sigma Rule:

```yaml
title: Ransomware File Encryption Activity
id: c9d0e1f2-3456-7890-9900-182637485868
status: production
description: Detects rapid file creation with known ransomware extensions
logsource:
  product: windows
  service: sysmon
detection:
  selection:
    EventID: 11
    TargetFilename|endswith:
      - '.locked'
      - '.encrypted'
      - '.alphv'
      - '.blackcat'
      - '.interlock'
  timeframe: 1m
  condition: selection | count() by Computer > 100
level: critical
```
High-volume file creation with encryption extensions indicates active ransomware. Isolate system immediately.
Indicators of Compromise
| Type | Value | Context |
|---|---|---|
| filename | StorageExplorer | Tool used by Interlock ransomware actors for reconnaissance and data discovery |
| filename | AnyDesk.exe | Remote access tool used by ALPHV/BlackCat and Interlock for persistence |
| filename | ngrok.exe | Tunneling tool used by ALPHV affiliates for C2 communication |
| filename | plink.exe | Legitimate SSH client abused by ALPHV for lateral movement |
| domain | mega.nz | Cloud storage service used for data exfiltration by multiple ransomware groups |
| domain | dropbox.com | Cloud storage service used for data exfiltration by ransomware affiliates |
IOC Sweep Queries (Splunk):

```spl
index=* (process_name="StorageExplorer*" OR CommandLine="*StorageExplorer*" OR file_name="StorageExplorer*") | stats count by host, user, file_path
index=* (process_name="AnyDesk.exe" OR file_name="AnyDesk.exe" OR CommandLine="*anydesk*") | stats count by host, user, file_hash
index=* (process_name="ngrok.exe" OR CommandLine="*ngrok*" OR file_name="ngrok*") | stats count by host, user, parent_process
index=* (process_name="plink.exe" OR CommandLine="*plink*" OR file_name="plink.exe") | stats count by host, user, CommandLine
index=* (dest_host="*mega.nz" OR url="*mega.nz*" OR query="*mega.nz*") | stats sum(bytes_out) as total_bytes by src_ip, user
index=* (dest_host="*dropbox.com" OR url="*dropbox.com*" OR query="*dropbox.com*") | stats sum(bytes_out) as total_bytes by src_ip, user
```
YARA Rules
ALPHV_BlackCat_Ransomware_Artifacts — Detects ALPHV/BlackCat ransomware artifacts including file extensions and ransom notes
```yara
rule ALPHV_BlackCat_Ransomware_Artifacts {
    meta:
        description = "Detects ALPHV/BlackCat ransomware artifacts"
        reference = "https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-353a"
        author = "Threat Hunt Team"
        date = "2025-01-20"
    strings:
        $ext1 = ".alphv" nocase
        $ext2 = ".blackcat" nocase
        $note1 = "RECOVER-FILES.txt" nocase
        $note2 = "ATTENTION! All your files are encrypted" nocase
        $note3 = "BlackCat/ALPHV" nocase
        $note4 = "Access key:" nocase
        $mutex1 = "BlackCatMutex" nocase
        $pdb1 = "blackcat.pdb" nocase
    condition:
        any of ($ext*) or (any of ($note*) and $note4) or any of ($mutex*, $pdb*)
}
```
Interlock_Ransomware_Indicators — Detects Interlock ransomware indicators including specific tools and artifacts
```yara
rule Interlock_Ransomware_Indicators {
    meta:
        description = "Detects Interlock ransomware tools and artifacts"
        reference = "https://www.cisa.gov/news-events/cybersecurity-advisories/aa25-203a"
        author = "Threat Hunt Team"
        date = "2025-01-20"
    strings:
        $tool1 = "StorageExplorer" nocase
        $ext1 = ".interlock" nocase
        $note1 = "!README!.txt" nocase
        $note2 = "Your files have been encrypted by Interlock" nocase
        $cmd1 = "vssadmin delete shadows" nocase
        $cmd2 = "wbadmin delete catalog" nocase
    condition:
        $tool1 or ($ext1 and any of ($note*)) or all of ($cmd*)
}
```
BRICKSTORM_VMware_Backdoor — Detects BRICKSTORM backdoor targeting VMware vSphere environments
```yara
rule BRICKSTORM_VMware_Backdoor {
    meta:
        description = "Detects BRICKSTORM backdoor components in VMware environments"
        reference = "https://media.defense.gov/2025/Dec/04/2003834878/-1/-1/0/MALWARE-ANALYSIS-REPORT-BRICKSTORM-BACKDOOR.PDF"
        author = "Threat Hunt Team"
        date = "2025-01-20"
    strings:
        $str1 = "vSphere Web Client" nocase
        $str2 = "/vsphere-client/" nocase
        $jsp1 = "<%@ page import=" nocase
        $jsp2 = "Runtime.getRuntime().exec" nocase
        $api1 = "vim25/8.0" nocase
        $shell1 = "cmd.exe /c" nocase
        $shell2 = "/bin/bash -c" nocase
    condition:
        (any of ($str*) and any of ($jsp*)) or (any of ($api*) and any of ($shell*))
}
```
Remote_Access_Tool_Deployment — Detects deployment of dual-use remote access tools commonly abused by ransomware groups

```yara
rule Remote_Access_Tool_Deployment {
    meta:
        description = "Detects RAT tools commonly used by ransomware affiliates"
        author = "Threat Hunt Team"
        date = "2025-01-20"
    strings:
        // Remote access and tunnelling tools
        $anydesk1 = "AnyDesk.exe" nocase
        $anydesk2 = "anydesk-id" nocase
        $splashtop1 = "SplashtopStreamer.exe" nocase
        $splashtop2 = "st-business" nocase
        $ngrok1 = "ngrok.exe" nocase
        $ngrok2 = "ngrok config" nocase
        $plink1 = "plink.exe" nocase
        // Exfiltration client
        $mega1 = "MEGAcmd.exe" nocase
        $mega2 = "mega-exec" nocase
    condition:
        // Any two indicators; a single tool is common in legitimate IT use
        2 of them
}
```
Suricata Rules

Apart from SID 2025006, these rules use the HTTP keywords (http_method, http_uri, http_header, http_host) on TLS ports, so they only fire where Suricata inspects decrypted traffic (inline TLS interception or a proxy feed); where only the handshake is visible, match on the SNI as SID 2025006 does.
SID 2025001 — Detects potential ALPHV/BlackCat C2 communication patterns

```suricata
alert tcp $HOME_NET any -> $EXTERNAL_NET [443,8443] (msg:"ET MALWARE ALPHV/BlackCat C2 Communication Pattern"; flow:established,to_server; content:"POST"; http_method; content:"/api/v1/check"; http_uri; content:"User-Agent|3a 20|"; http_header; pcre:"/User-Agent\x3a\x20[A-Za-z0-9]{32}/Hi"; classtype:trojan-activity; sid:2025001; rev:1;)
```
SID 2025002 — Detects data exfiltration to Mega.nz cloud storage (the byte threshold is measured on the client side, i.e. data sent by the internal host)

```suricata
alert tcp $HOME_NET any -> $EXTERNAL_NET 443 (msg:"ET POLICY Large Data Transfer to Mega.nz Possible Exfiltration"; flow:established,to_server; content:"mega.nz"; http_host; stream_size:client,>,104857600; classtype:policy-violation; sid:2025002; rev:1;)
```

SID 2025003 — Detects data exfiltration to Dropbox (same client-side threshold)

```suricata
alert tcp $HOME_NET any -> $EXTERNAL_NET 443 (msg:"ET POLICY Large Data Transfer to Dropbox Possible Exfiltration"; flow:established,to_server; content:"dropbox.com"; http_host; stream_size:client,>,104857600; classtype:policy-violation; sid:2025003; rev:1;)
```
SID 2025004 — Detects suspicious RDP file download

```suricata
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ATTACK_RESPONSE RDP Configuration File Download"; flow:established,from_server; content:"Content-Type|3a 20|application/x-rdp"; http_header; content:".rdp"; http_header; content:"full address"; classtype:attempted-user; sid:2025004; rev:1;)
```
SID 2025005 — Detects potential BRICKSTORM web shell traffic

```suricata
alert tcp $EXTERNAL_NET any -> $HOME_NET [443,8443,9443] (msg:"ET WEBSHELL Potential BRICKSTORM VMware vSphere Web Shell Activity"; flow:established,to_server; content:"POST"; http_method; content:"/vsphere-client/"; http_uri; pcre:"/\.(jsp|aspx|php)\?[^=]+=.*?(cmd|exec|shell|system)/Ui"; classtype:web-application-attack; sid:2025005; rev:1;)
```
SID 2025006 — Detects Ngrok tunneling traffic

```suricata
alert tcp $HOME_NET any -> $EXTERNAL_NET 443 (msg:"ET POLICY Ngrok Tunneling Service Usage"; flow:established,to_server; tls_sni; content:"ngrok.io"; classtype:policy-violation; sid:2025006; rev:1;)
```
Data Source Requirements
| Source | Required For | Notes |
|---|---|---|
| Sysmon | T1219, T1505.003, T1059.001, T1486 | EventID 1 (Process Creation), EventID 11 (File Creation), EventID 3 (Network Connection) |
| Windows Security | T1219, T1021.001, T1059.001 | EventID 4688 (Process Creation), EventID 4624 (Logon), EventID 4663 (File Access) |
| PowerShell ScriptBlock Logging | T1059.001 | EventID 4104 required for detecting obfuscated PowerShell commands |
| Proxy Logs | T1567.002, T1595 | Required for detecting data exfiltration to cloud services and AI reconnaissance |
| Email Gateway | T1566.001 | Attachment analysis and sender reputation data required |
| VMware vSphere Logs | T1505.003 | vCenter Server logs and ESXi host logs for BRICKSTORM detection |
| Firewall/Edge Device Logs | T1190 | Connection logs from VPN appliances, firewalls, and load balancers |
| DNS Logs | T1567.002, T1595 | Query logs for detecting C2 and exfiltration domains |
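The YARA rules match file content; the same thresholds can be applied to the Sysmon Event ID 1 records the table lists for T1219 and T1486, correlating per host. This is an added example, not code from the report: the event records are constructed, and the "2 of" and "all of" logic mirrors the Remote_Access_Tool_Deployment and Interlock rules above.

```python
"""Host-level correlation of the RAT-tool and shadow-copy indicators above over
Sysmon Event ID 1 (process creation) records. Added example, not part of the
original report; the events below are constructed and use Sysmon field names."""
from collections import defaultdict
# Tool families from the Remote_Access_Tool_Deployment rule, grouped so that two
# indicators of the same tool (AnyDesk.exe + anydesk-id) count once towards "2 of".
RAT_FAMILIES = {
    "anydesk": ("anydesk.exe", "anydesk-id"),
    "splashtop": ("splashtopstreamer.exe", "st-business"),
    "ngrok": ("ngrok.exe", "ngrok config"),
    "plink": ("plink.exe",),
    "mega": ("megacmd.exe", "mega-exec"),
}
# Backup-destruction commands from the Interlock rule; all must be seen ("all of").
SHADOW_CMDS = ("vssadmin delete shadows", "wbadmin delete catalog")

def correlate(events):
    """Return {host: set(findings)}: 'rat_tools' when >= 2 distinct tool families
    ran on a host, 'shadow_copy_deletion' when every SHADOW_CMDS string did."""
    families, cmds = defaultdict(set), defaultdict(set)
    for ev in events:
        if ev.get("EventID") != 1:          # only process-creation records
            continue
        text = (ev.get("Image", "") + " " + ev.get("CommandLine", "")).lower()
        for family, needles in RAT_FAMILIES.items():
            if any(n in text for n in needles):
                families[ev["Computer"]].add(family)
        for cmd in SHADOW_CMDS:
            if cmd in text:
                cmds[ev["Computer"]].add(cmd)
    findings = defaultdict(set)
    for host, fams in families.items():
        if len(fams) >= 2:
            findings[host].add("rat_tools")
    for host, seen in cmds.items():
        if len(seen) == len(SHADOW_CMDS):
            findings[host].add("shadow_copy_deletion")
    return dict(findings)

# Constructed sample: WS01 runs two tool families and both backup-destruction
# commands; WS02 runs AnyDesk once (a helpdesk session, below the threshold).
SAMPLE_EVENTS = [
    {"EventID": 1, "Computer": "WS01", "Image": r"C:\Users\j\Downloads\AnyDesk.exe", "CommandLine": "AnyDesk.exe --silent"},
    {"EventID": 1, "Computer": "WS01", "Image": r"C:\ProgramData\ngrok.exe", "CommandLine": "ngrok config add-authtoken <token>"},
    {"EventID": 1, "Computer": "WS01", "Image": r"C:\Windows\System32\vssadmin.exe", "CommandLine": "vssadmin delete shadows /all /quiet"},
    {"EventID": 1, "Computer": "WS01", "Image": r"C:\Windows\System32\wbadmin.exe", "CommandLine": "wbadmin delete catalog -quiet"},
    {"EventID": 1, "Computer": "WS02", "Image": r"C:\Program Files\AnyDesk\AnyDesk.exe", "CommandLine": "AnyDesk.exe"},
    {"EventID": 3, "Computer": "WS02", "Image": r"C:\Program Files\AnyDesk\AnyDesk.exe", "CommandLine": ""},
]
```

Calling `correlate(SAMPLE_EVENTS)` flags only WS01, with both findings; WS02 stays below both thresholds.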
Sources
- 2025 Data Breach Investigations Report | Verizon
- Verizon DBIR: Surge in Vulnerability Exploitation and Healthcare Espionage Breaches | HIPAA Journal
- Verizon's 2025 Data Breach Investigations Report: Alarming surge in cyberattacks through third-parties
- Largest Healthcare Data Breaches of 2025 | HIPAA Journal
- 2025 Healthcare Data Breach Report | HIPAA Journal
- 2025 Cybersecurity Year in Review, Part One: Breaches and Defensive Measures | AHA
- Nation-State Hackers Put Defense Industrial Base Under Siege | Dark Reading
- Threats to the Defense Industrial Base | Google Cloud Blog
- Salt Typhoon | Wikipedia
- MITRE ATT&CK Full Guide for SOC & DFIR | CyberDefenders
- #StopRansomware: Interlock | CISA
- #StopRansomware: ALPHV Blackcat | CISA
- Verizon 2025 DBIR: 10 Takeaways You Should Know | SOCRadar
- Malware Analysis Report: BRICKSTORM Backdoor | U.S. Department of Defense