Back to Intelligence

ChipSoft Ransomware Incident: Detection and Defense for Healthcare HIS Environments

SA
Security Arsenal Team
April 9, 2026
6 min read

A critical encryption-based cyber incident has targeted ChipSoft, a prominent Dutch healthcare IT solutions provider. This attack has forced the company to take its website and digital services offline, disrupting access for patients and healthcare providers relying on its Hospital Information System (HIS). For defenders in the healthcare sector, this event highlights the fragility of the software supply chain and the catastrophic impact of ransomware on clinical operations. We must assume that threat actors are actively probing similar healthcare vendors for gaps in perimeter defenses, identity management, and endpoint security. Immediate action is required to detect signs of encryption activity and secure the integrity of electronic health records (EHR).

Technical Analysis

While the specific malware family has not been publicly disclosed at this writing, the incident is characterized as an "encryption-based cyber incident," which strongly implies a ransomware deployment targeting the core infrastructure hosting ChipSoft solutions.

  • Affected Ecosystem: ChipSoft provides HIS software (ZIS) widely used in Dutch hospitals. The attack likely targeted Windows Server environments hosting the application backend, databases (SQL), and web front-ends.
  • Attack Vector: In similar healthcare vendor compromises, initial access is frequently achieved via:
    • Exploitation of public-facing vulnerabilities in VPNs or remote access services.
    • Phishing credentials for privileged accounts.
    • Supply chain lateral movement from a less secure partner network.
  • Mechanism of Impact: The attacker deployed encryption routines to lock data files and potentially virtual machines. The "forced offline" status suggests either a proactive shutdown by ChipSoft to prevent lateral movement, or a successful encryption of the boot/system partitions rendering services inoperable.
  • Exploitation Status: Active exploitation confirmed. Ransomware operators often utilize legitimate system administration tools (like vssadmin, wbadmin, and BitLocker) to disable recovery and encrypt data, making detection based solely on malware signatures insufficient.

Detection & Response

Given the active nature of this threat and the high value of healthcare data, SOC teams must hunt for the precursors to encryption—specifically the manipulation of Volume Shadow Copies and mass file modifications. The following detection rules focus on the high-fidelity TTPs associated with ransomware execution in Windows environments.

YAML
---
title: Potential Ransomware Activity - VSS Shadow Copy Deletion
id: 8a2b3c4d-5e6f-7g8h-9i0j-1k2l3m4n5o6p
status: experimental
description: Detects attempts to delete Volume Shadow Copies using vssadmin.exe, a common precursor to ransomware encryption to prevent recovery.
references:
  - https://attack.mitre.org/techniques/T1490/
author: Security Arsenal
date: 2024/05/24
tags:
  - attack.impact
  - attack.t1490
logsource:
  category: process_creation
  product: windows
detection:
  selection:
    Image|endswith: '\vssadmin.exe'
    CommandLine|contains:
      - 'delete shadows'
      - 'resize shadowstorage'
  condition: selection
falsepositives:
  - System administrators manually managing shadow storage (rare in automated runs)
level: high
---
title: Potential Ransomware Activity - Mass Encryption via Cipher
id: 9b3c4d5e-6f7g-8h9i-0j1k-2l3m4n5o6p7q
status: experimental
description: Detects the use of cipher.exe to overwrite data on disk, a technique used by some ransomware strains to ensure data cannot be recovered.
references:
  - https://attack.mitre.org/techniques/T1485/
author: Security Arsenal
date: 2024/05/24
tags:
  - attack.impact
  - attack.t1485
logsource:
  category: process_creation
  product: windows
detection:
  selection:
    Image|endswith: '\cipher.exe'
    CommandLine|contains: '/w'
  condition: selection
falsepositives:
  - Legitimate disk wiping operations by IT staff
level: high
---
title: Healthcare Service Disruption - Unexpected Service Stop
id: 1c2d3e4f-5g6h-7i8j-9k0l-1m2n3o4p5q6r
status: experimental
description: Detects unexpected stopping of critical database or web services often associated with ransomware preparation or encryption locks.
references:
  - https://attack.mitre.org/techniques/T1489/
author: Security Arsenal
date: 2024/05/24
tags:
  - attack.impact
  - attack.t1489
logsource:
  category: process_creation
  product: windows
detection:
  selection:
    Image|endswith:
      - '\net.exe'
      - '\net1.exe'
      - '\sc.exe'
    CommandLine|contains:
      - 'stop'
      - 'pause'
  filter_services:
    CommandLine|contains:
      - 'MSSQL$'
      - 'MySQL'
      - 'IISADMIN'
      - 'w3svc'
  condition: selection and filter_services
falsepositives:
  - Authorized maintenance windows
level: medium

The following KQL query for Microsoft Sentinel helps identify these specific malicious behaviors across your environment.

KQL — Microsoft Sentinel / Defender
// Hunt for VSS Shadow Copy Deletion and Service Stops
DeviceProcessEvents
| where Timestamp > ago(24h)
| where (FileName in~ ("vssadmin.exe", "cipher.exe") or ProcessCommandLine has_any ("delete shadows", "/w", "/resize"))
    or (FileName in~ ("net.exe", "sc.exe") and ProcessCommandLine has_any ("stop", "pause") and ProcessCommandLine has_any ("MSSQL", "MySQL", "IIS"))
| extend HostName = DeviceName
| project Timestamp, HostName, InitiatingProcessAccountName, FileName, ProcessCommandLine, FolderPath
| order by Timestamp desc

For endpoint forensics, this Velociraptor VQL artifact hunts for processes attempting to manipulate system backups or known ransomware executables.

VQL — Velociraptor
-- Hunt for ransomware precursor activity
SELECT Pid, Name, CommandLine, Exe, Username, CreateTime
FROM pslist()
WHERE Name =~ 'vssadmin.exe'
   OR Name =~ 'cipher.exe'
   OR Name =~ 'wbadmin.exe'
   OR CommandLine =~ 'delete shadows'
   OR CommandLine =~ '/w'

Finally, use this PowerShell script to verify the health of Volume Shadow Copies and identify if critical services are in a stopped state on servers hosting healthcare applications.

PowerShell
# Audit VSS Health and Critical Services
Write-Host "[+] Checking VSS Shadow Copy Availability..."
$vssStatus = vssadmin list shadows
if ($vssStatus -match "No shadow copies found") {
    Write-Host "[WARNING] No shadow copies found. Potential ransomware activity or misconfiguration." -ForegroundColor Red
} else {
    Write-Host "[INFO] Shadow copies exist." -ForegroundColor Green
}

Write-Host "[+] Checking Status of Critical Healthcare Services..."
$services = @('MSSQLSERVER', 'MySQL', 'W3SVC')
foreach ($svc in $services) {
    $serviceObj = Get-Service -Name $svc -ErrorAction SilentlyContinue
    if ($serviceObj) {
        if ($serviceObj.Status -ne 'Running') {
            Write-Host "[WARNING] Service $svc is in a $($serviceObj.Status) state." -ForegroundColor Red
        } else {
            Write-Host "[INFO] Service $svc is Running." -ForegroundColor Green
        }
    }
}

Remediation

Immediate containment and recovery are critical in response to the ChipSoft incident and similar threats.

  1. Isolate Affected Systems: If a device exhibits encryption behavior (e.g., rapid file renaming or VSS deletion), disconnect it from the network immediately but do not shut it down to preserve memory artifacts for forensic analysis.
  2. Vendor Advisory Review: Monitor official communications from ChipSoft and your national Computer Emergency Response Team (CERT) for specific Indicators of Compromise (IOCs) related to this campaign. Update firewall rules to block known malicious IPs associated with the ransomware group.
  3. Patch and Hardening: Ensure all VPN gateways, remote desktop services, and external-facing web applications are patched with the latest security updates. Enforce Multi-Factor Authentication (MFA) for all remote access and privileged accounts to prevent credential stuffing.
  4. Backup Validation: Verify that recent backups of HIS databases and patient records are intact and accessible offline. Ensure backups are immutable or stored in a location that cannot be deleted or encrypted by a compromised domain admin account.
  5. Service Recovery: After cleaning the environment, restore services from clean backups. Prioritize the restoration of authentication services (AD/LDAP) and database back-ends before bringing patient-facing web portals online to prevent data corruption.

Related Resources

Security Arsenal Healthcare Cybersecurity AlertMonitor Platform Book a SOC Assessment healthcare Intel Hub

healthcarehipaaransomwarechipsoftincident-responsehis-security

Is your security operations ready?

Get a free SOC assessment or see how AlertMonitor cuts through alert noise with automated triage.

Book a SOC AssessmentSee AlertMonitor in Action