Healthcare Industry Under Attack… Nasty Strain of Malware Resurfaces and Challenges Security Operations Team with Rapid Mutations - Attivo Networks

Attivo Networks has worked closely with many healthcare organizations over the last year to add inside-the-network detection for the cases where prevention systems have failed. This blog takes a closer look at what those organizations are finding and what healthcare security operations teams can do to better defend their companies against ever-evolving malware variants.

Case Study

Customer: Regional Healthcare Provider


The security operations team had detected a particularly nasty strain of malware. They had been able to isolate the malware, but due to its ever-changing nature, were having trouble containing it and identifying new infections.


They were able to use the Attivo Deception Platform to gather much-needed forensic intelligence on the fast-changing malware by loading it into the BOTsink engagement server and intentionally infecting that server to observe how the malware behaved.

Attivo Value:

  • Provided a safe, quarantined environment in which to watch the malware develop.
  • Included analysis of the malware's auto-replication, and updated prevention systems with the observed C&C addresses to prevent data exfiltration.
  • Allowed the team to watch the malware propagate laterally within the BOTsink and infect the other Windows engagement servers (ES).
  • Malware confirmed to be QAKBOT, distributed via the RIG Exploit Kit.
  • YARA rule and VirusTotal reports produced for threat-intelligence sharing.
  • Important note: Attivo has seen this malware affect other Attivo customers, confirming that this is not an isolated incident and that this strain appears to be targeting healthcare.




This organization had a best-in-class prevention system. Why was it not able to prevent and quickly remediate this attack without Attivo?

  • The new malware strain could not be detected by signature-based systems.
  • While moving laterally, the malware changed itself a number of times, so a signature taken from one infection did not match the next.
  • The web exploits used legitimate-looking JavaScript and bypassed the other security prevention systems.
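The two points above, shown as a small added illustration that is not Attivo's code: a hash signature taken from one capture misses the mutated copy, while the C&C address observed from detonating the sample in an isolated engagement server matches every infected host on a proxy log. Sample bytes, hashes, hosts, the 203.0.113.7 address and all log lines are constructed for the example.

```python
"""Hash signatures vs. sandbox-derived C&C indicators against mutating malware.

Added example, not Attivo's code. Everything below (samples, addresses,
log lines) is constructed; 203.0.113.7 is a documentation-range placeholder.
"""
import hashlib

# Two constructed captures of the same family after self-mutation: the bytes
# differ, so a hash signature from V1 never matches V2, yet both call the same C&C.
SAMPLE_V1 = b"MZ...stage1 payload...connect 203.0.113.7:443"
SAMPLE_V2 = b"MZ...stage1 payload (repacked)...connect 203.0.113.7:443"

# Constructed engagement-server connection log: src dst dport.
# 10.20.0.x are sandbox decoys; the 445 line is lateral propagation, not C&C.
SANDBOX_CONN_LOG = """\
10.20.0.5 203.0.113.7 443
10.20.0.5 10.20.0.9 445
10.20.0.9 203.0.113.7 443
"""

# Constructed corporate proxy log: timestamp client method target.
PROXY_LOG = """\
2017-03-01T10:02:11 10.50.1.12 CONNECT 203.0.113.7:443
2017-03-01T10:02:15 10.50.1.12 GET http://intranet.example/index.html
2017-03-01T10:05:40 10.50.1.31 CONNECT 203.0.113.7:443
2017-03-01T10:06:02 10.50.1.44 GET http://www.example.com/
"""

def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def hash_detect(sample: bytes, known_hashes: set[str]) -> bool:
    """Classic signature check: exact hash match only."""
    return sha256(sample) in known_hashes

def extract_c2(conn_log: str, internal_prefix: str = "10.") -> set[str]:
    """Destinations outside the sandbox's internal range are C&C candidates."""
    c2 = set()
    for line in conn_log.splitlines():
        _src, dst, _dport = line.split()
        if not dst.startswith(internal_prefix):
            c2.add(dst)
    return c2

def infected_hosts(proxy_log: str, c2: set[str]) -> list[str]:
    """Clients contacting a known C&C address, whichever mutation they run."""
    hits: list[str] = []
    for line in proxy_log.splitlines():
        _ts, host, _method, target = line.split(maxsplit=3)
        dst = target.split("://")[-1].split("/")[0].split(":")[0]
        if dst in c2 and host not in hits:
            hits.append(host)
    return hits
```

Feeding the extracted C&C set to a proxy or firewall blocklist is the "updating of prevention systems" step from the case study; the hash signature alone would have flagged only the first host.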
