Back to Intelligence

Defending Against Encryption-Based Attacks: Lessons from the Change Healthcare Incident

SA
Security Arsenal Team
April 2, 2026
6 min read

The recent lawsuit filed by the Iowa Attorney General against Change Healthcare, UnitedHealth Group, and Optum highlights the catastrophic impact of the February 2024 ransomware attack. This incident, attributed to the ALPHV/Blackcat ransomware-as-a-service (RaaS) operation, disrupted prescription processing nationwide and exposed the sensitive protected health information (PHI) of millions.

For security defenders, this event is a stark reminder of the devastating effectiveness of encryption-based attacks. It underscores the critical need for robust detection capabilities, rapid response protocols, and resilient data protection strategies. In this post, we analyze the technical mechanics of such attacks and provide actionable detection rules and remediation steps to harden your healthcare organization against similar threats.

Technical Analysis

The Change Healthcare incident was a classic double-extortion ransomware attack. The threat actors gained initial access—likely through compromised credentials or exploitation of unpatched vulnerabilities in external-facing systems—moved laterally through the network, and deployed ransomware that encrypted critical systems and data.

Key Technical Indicators:

  • Attack Vector: Phishing, credential theft, or exploitation of specific vulnerabilities (e.g., Citrix Bleed) targeting remote access services.
  • Lateral Movement: Use of remote management tools like RDP and PsExec to traverse the network and deploy payloads to domain controllers and file servers.
  • Impact Mechanism: AES-256 or ChaCha20 encryption to render files inaccessible, coupled with exfiltration of data for leverage.
  • Persistence: Attackers often scheduled tasks or modified registry keys to ensure the execution of the encryption payload across the environment.

While the specific "patch" for a ransomware attack is the restoration of data, the preventative "patches" involve securing remote access vectors, enforcing multi-factor authentication (MFA), and ensuring endpoint detection and response (EDR) solutions are configured to flag suspicious process chains.

Defensive Monitoring

To defend against encryption-based threats like the one that hit Change Healthcare, security teams must monitor for the precursors of ransomware—specifically mass file encryption attempts, shadow copy deletion, and suspicious process executions.

SIGMA Rules

The following SIGMA rules are designed to detect common behaviors associated with ransomware activity and defense evasion. These rules are compatible with standard SIEMs that support SIGMA, such as Splunk, Elastic, or QRadar.

YAML
---
title: Potential Ransomware Note Creation
id: 9e8a7f12-3b4c-4d5e-8f9a-1b2c3d4e5f6a
status: experimental
description: Detects the creation of potential ransomware note files on the endpoint, often indicators of encryption activity completion.
references:
  - https://attack.mitre.org/techniques/T1486/
author: Security Arsenal
date: 2024/05/20
tags:
  - attack.impact
  - attack.t1486
logsource:
  category: file_event
  product: windows
detection:
  selection:
    TargetFilename|contains:
      - 'README'
      - 'RESTORE'
      - 'RECOVER'
      - 'DECRYPT'
      - 'YOUR_FILES'
      - 'HOW_TO'
    TargetFilename|endswith:
      - '.txt'
      - '.hta'
      - '.html'
  condition: selection
falsepositives:
  - Legitimate administrative documentation (rare)
level: high
---
title: Shadow Copy Deletion Via Vssadmin
id: a1b2c3d4-e5f6-4a5b-8c9d-0e1f2a3b4c5d
status: experimental
description: Detects attempts to delete shadow copies using vssadmin.exe, a common tactic used by ransomware to prevent recovery.
references:
  - https://attack.mitre.org/techniques/T1490/
author: Security Arsenal
date: 2024/05/20
tags:
  - attack.impact
  - attack.t1490
logsource:
  category: process_creation
  product: windows
detection:
  selection:
    Image|endswith: '\vssadmin.exe'
    CommandLine|contains: 'delete shadows'
  condition: selection
falsepositives:
  - System administrators managing disk space (verify context)
level: critical
---
title: Suspicious PowerShell Execution IEX Download
id: b2c3d4e5-f6a7-4b5c-9d0e-1f2a3b4c5d6e
status: experimental
description: Detects PowerShell commands that download and execute code (IEX), often used to stage ransomware payloads.
references:
  - https://attack.mitre.org/techniques/T1059/001/
author: Security Arsenal
date: 2024/05/20
tags:
  - attack.execution
  - attack.t1059.001
logsource:
  category: process_creation
  product: windows
detection:
  selection:
    Image|endswith: '\powershell.exe'
    CommandLine|contains:
      - 'Invoke-Expression'
      - 'IEX('
      - 'DownloadString'
  condition: selection
falsepositives:
  - Legitimate software installation scripts
level: high

KQL Queries

For Microsoft Sentinel or Defender for Endpoint users, the following KQL queries can help identify suspicious activity indicative of ransomware preparation or execution.

KQL — Microsoft Sentinel / Defender
// Detect Shadow Copy Deletion attempts
DeviceProcessEvents  
| where Timestamp > ago(1d)  
| where ProcessCommandLine contains "delete"  
| where ProcessCommandLine contains "shadow"  
| where FileName =~ "vssadmin.exe" or FileName =~ "wmic.exe"  
| project Timestamp, DeviceName, AccountName, ProcessCommandLine, InitiatingProcessFileName


// Detect bulk file modifications (Potential Encryption)
// Note: This requires Microsoft Defender for Identity or advanced file auditing
DeviceFileEvents  
| where Timestamp > ago(1h)  
| where ActionType == "FileCreated" or ActionType == "FileModified"  
| summarize Count = count() by DeviceName, InitiatingProcessAccountName, InitiatingProcessFileName, bin(Timestamp, 5m)  
| where Count > 50 // Threshold for bulk operations
| project Timestamp, DeviceName, InitiatingProcessFileName, Count

Velociraptor VQL

Velociraptor is an essential tool for endpoint triage during active ransomware incidents. These hunts help identify ransom notes and suspicious processes that may have evaded automated detection.

VQL — Velociraptor
-- Hunt for common ransomware note file extensions
SELECT FullPath, Size, Mtime
FROM glob(globs='C:/Users/**/*.{txt,hta,html,inf}')
WHERE FileName =~ '(?i)(readme|restore|recover|decrypt|files)'

-- Hunt for processes with suspicious command line arguments involving encryption or deletion
SELECT Pid, Name, CommandLine, Exe, Username
FROM pslist()
WHERE CommandLine =~ 'vssadmin.*delete' 
   OR CommandLine =~ 'wbadmin.*delete'
   OR CommandLine =~ 'bcdedit.*recoveryenabled no'

PowerShell Script

This script can be used by incident responders to quickly check for the existence of common ransomware artifacts across remote systems.

PowerShell
<#
.SYNOPSIS
    Checks for common ransomware indicators on a local system.
.DESCRIPTION
    This script scans the C: drive for ransom notes and checks for recent shadow copy deletions in the event log.
#>

Write-Host "[+] Checking for common ransom note patterns..." -ForegroundColor Cyan

$paths = @("C:\Users\", "C:\ProgramData\", "C:\")
$patterns = @("*readme*.txt", "*decrypt*.*", "*restore*.*", "*how_to*.*")

$found = $false
foreach ($path in $paths) {
    Get-ChildItem -Path $path -Include $patterns -Recurse -ErrorAction SilentlyContinue | ForEach-Object {
        Write-Host "[!] Potential ransom note found: $($_.FullName)" -ForegroundColor Red
        $found = $true
    }
}

if (-not $found) {
    Write-Host "[-] No obvious ransom notes found." -ForegroundColor Green
}

Write-Host "[+] Checking Event Logs for VSSAdmin deletion events..." -ForegroundColor Cyan

$events = Get-WinEvent -FilterHashtable @{LogName='System'; ID=7036} -MaxEvents 1000 -ErrorAction SilentlyContinue | 
    Where-Object { $_.Message -like '*vss*' -and $_.Message -like '*entering the stopped state*' }

if ($events) {
    Write-Host "[!] VSS Service stopped recently (check if related to shadow copy deletion)." -ForegroundColor Yellow
} else {
    Write-Host "[-] No recent VSS stop events found." -ForegroundColor Green
}

Remediation

Protecting against encryption-based attacks requires a layered defense strategy. Based on the Change Healthcare incident, we recommend the following remediation steps:

  1. Implement Strict Network Segmentation: Ensure that critical systems, such as Electronic Health Records (EHR), are isolated from general administrative networks and the internet. This limits the blast radius of ransomware.
  2. Disable Unnecessary Remote Access: Close RDP (TCP 3389) to the internet. If remote access is required, enforce the use of a VPN with MFA and a Zero Trust Network Access (ZTNA) solution.
  3. Patch Vulnerabilities Immediately: Prioritize patching of external-facing assets, particularly remote access gateways (Citrix, VPNs, Firewalls).
  4. Secure Backups: Implement offline or immutable backups. Ransomware often targets connected backups; ensure you have a clean, isolated copy of data that can be restored without paying a ransom.
  5. Enforce MFA Everywhere: Apply Multi-Factor Authentication to all user accounts, especially privileged accounts and service accounts.
  6. Disable Macros and Scripting: Restrict the execution of PowerShell and Office macros to only signed scripts or specific users via Application Control (AppLocker).

Related Resources

Security Arsenal Healthcare Cybersecurity AlertMonitor Platform Book a SOC Assessment healthcare Intel Hub

healthcarehipaaransomwaresigmadefenseincident-response

Is your security operations ready?

Get a free SOC assessment or see how AlertMonitor cuts through alert noise with automated triage.

Book a SOC AssessmentSee AlertMonitor in Action