Attivo Networks Blogs

Healthcare Industry Under Attack… Nasty Strain of Malware Resurfaces and Challenges Security Operations Team with Rapid Mutations

Attivo Networks has worked closely with many healthcare organizations over the last year to add inside-the-network detection for the cases where prevention systems have failed. This blog takes a closer look at what those organizations are finding and what healthcare security operations teams can do to better defend their companies from these ever-evolving variants of malware.

Case Study

Customer: Regional Healthcare Provider

The security operations team had detected a particularly nasty strain of malware. They had been able to isolate the malware, but because of its ever-changing nature they were having trouble containing it and identifying new infections.

They used the Attivo Deception Platform to gather much-needed forensic intelligence on the fast-changing malware by loading it into the BOTsink engagement server and intentionally infecting the server to determine how the malware behaved.

Attivo Value:

  • Provided a safe, quarantined environment in which to watch the malware develop.
  • Analysis of the malware's auto-replication, and updating of prevention systems with the observed C&C addresses to prevent data exfiltration.
  • The team was able to watch the malware propagate laterally within the BOTsink and infect the other Windows ES.
  • The malware was proven to be QAKBOT, distributed via the RIG Exploit Kit.
  • YARA rule and VirusTotal reports produced for threat intelligence sharing.
  • Important Note: Attivo has seen this strain impact other Attivo customers, confirming that this is not an isolated incident and that the malware appears to be targeting healthcare.
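As an added example (not Attivo's code), the following script shows the kind of triage a security operations team could run over connection logs captured from the quarantined engagement host: it separates internal lateral-propagation attempts from external destinations that can be pushed to prevention systems as a blocklist. The log format, the lab address range, the port list and all sample addresses are constructed assumptions.

```python
"""Triage connection logs captured from a quarantined engagement host.

Added example, not Attivo code. Assumes a whitespace-separated log
format (timestamp src_ip dst_ip dst_port) and an RFC 1918 lab range.
"""
import ipaddress
from collections import defaultdict

# Constructed sample: one infected engagement VM (10.10.5.20) probing
# lab peers over SMB, then beaconing to two outside hosts; a second
# VM (10.10.5.21) becomes infected and beacons to the same C&C host.
SAMPLE_LOG = """\
10:01:03 10.10.5.20 10.10.5.21 445
10:01:05 10.10.5.20 10.10.5.22 445
10:01:09 10.10.5.20 10.10.5.23 445
10:02:00 10.10.5.20 203.0.113.10 443
10:02:01 10.10.5.20 203.0.113.10 443
10:03:10 10.10.5.21 203.0.113.10 443
10:04:00 10.10.5.20 198.51.100.7 8443
10:05:00 10.10.5.21 10.10.5.1 53
"""

LAB_NET = ipaddress.ip_network("10.10.0.0/16")   # assumed lab range
LATERAL_PORTS = {135, 139, 445, 3389}            # assumed lateral-movement ports

def triage(log_text, lab_net=LAB_NET):
    """Split observed connections into lateral-movement pairs inside the
    lab and external destinations keyed by the engagement VMs that
    contacted them."""
    lateral = set()                  # (src, dst) pairs inside the lab
    external = defaultdict(set)      # external dst -> set of sources
    for line in log_text.splitlines():
        if not line.strip():
            continue
        _ts, src, dst, port = line.split()
        if ipaddress.ip_address(dst) in lab_net:
            if int(port) in LATERAL_PORTS:
                lateral.add((src, dst))
        else:
            external[dst].add(src)
    return sorted(lateral), {d: sorted(s) for d, s in external.items()}

def blocklist(external, min_sources=1):
    """External hosts contacted by at least min_sources engagement VMs,
    ranked by how many infected hosts beaconed to them."""
    return sorted((d for d, s in external.items() if len(s) >= min_sources),
                  key=lambda d: (-len(external[d]), d))

if __name__ == "__main__":
    lateral, external = triage(SAMPLE_LOG)
    print("lateral propagation:", lateral)
    print("C&C blocklist:", blocklist(external))
```

Raising `min_sources` filters out one-off destinations so that only hosts contacted by several infected engagement VMs reach the blocklist.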




This organization had a best-in-class prevention system. Why were they not able to prevent and quickly remediate this attack without Attivo?

  • The new malware strain could not be detected by signature-based systems.
  • While moving laterally, the malware changed itself a number of times.
  • The web exploits used legitimate-looking JavaScript and bypassed the other security prevention systems.
