The North Los Angeles County Regional Center (NLACRC) recently began notifying individuals of an "encryption-based cyber incident" discovered in November 2024. While the specific malware strain has not been publicly disclosed in initial reports, the classification confirms a ransomware-style attack targeting a critical healthcare entity. For defenders, this serves as a stark reminder: the threat of data encryption and exfiltration in the healthcare sector remains persistent and devastating.
When PHI (Protected Health Information) is involved, the impact extends beyond operational downtime to regulatory penalties and severe patient care risks. This post analyzes the technical mechanics of encryption-based attacks and provides actionable detection logic to identify the precursors of encryption—specifically the destruction of volume shadow copies and mass file modification—before irreversible damage occurs.
Technical Analysis
Encryption-based incidents, such as the one affecting NLACRC, generally follow a distinct attack chain optimized to bypass traditional backups and force extortion payments. While the CVE used for initial access in this specific instance is not detailed, healthcare entities are frequently compromised via:
- Phishing: Initial access via malicious attachments harvesting credentials.
- Exploitation of Internet-Facing Services: Vulnerabilities in VPNs or remote access tools.
- Lateral Movement: Use of valid credentials (Pass-the-Hash/Pass-the-Ticket) to move from the initial foothold to file servers.
The Encryption Mechanism: The core of the attack involves a binary or script (often living-off-the-land like PowerShell or a custom ransomware executable) iterating through file shares. To ensure victims cannot simply roll back data via Volume Shadow Copy Service (VSS), adversaries almost universally execute commands to delete shadow copies prior to or immediately following file encryption.
Affected Systems:
- File Servers: Windows Server environments hosting shared drives.
- Endpoints: Workstations with locally stored documents.
- Backup Infrastructure: If connected and not air-gapped, backups are often targeted for encryption or deletion.
Exploitation Status:
The techniques described (Shadow Copy deletion via vssadmin or wmic, mass file modification) are active, commodity tactics used by nearly all modern ransomware groups (e.g., LockBit, BlackCat/ALPHV, Akira) in 2026 campaigns.
Detection & Response
Detecting encryption events early requires monitoring for the "preparation" phase—where the adversary disables recovery mechanisms—and the "execution" phase. The following rules target the deletion of shadow copies and suspicious mass file activity.
Sigma Rules
---
title: Potential Ransomware Activity - VSS Shadow Copy Deletion
id: 8c89709c-1c3f-4b8d-8b4a-1b9c9d0e1f2a
status: experimental
description: Detects attempts to delete Volume Shadow Copies using vssadmin or wmic, a common precursor to encryption.
references:
- https://attack.mitre.org/techniques/T1490/
author: Security Arsenal
date: 2026/04/10
tags:
- attack.impact
- attack.t1490
logsource:
category: process_creation
product: windows
detection:
selection_vssadmin:
Image|endswith: '\vssadmin.exe'
CommandLine|contains: 'delete shadows'
selection_wmic:
Image|endswith: '\wmic.exe'
CommandLine|contains: 'shadowcopy delete'
condition: 1 of selection_*
falsepositives:
- System administrators managing disk space (rare)
level: critical
---
title: Suspicious Mass File Encryption via PowerShell
id: 9d9e1f0a-2b4c-4d6e-9f0a-2b3c4d5e6f7g
status: experimental
description: Detects PowerShell scripts that may be encrypting files by iterating through directories, often using System.IO.File methods.
references:
- https://attack.mitre.org/techniques/T1486/
author: Security Arsenal
date: 2026/04/10
tags:
- attack.impact
- attack.t1486
logsource:
category: process_creation
product: windows
detection:
selection_pwsh:
Image|endswith:
- '\powershell.exe'
- '\pwsh.exe'
selection_encryption_keywords:
CommandLine|contains:
- '.Encrypt('
- 'System.IO.Compression'
- 'System.Security.Cryptography'
- 'FromBase64String'
condition: all of selection_*
falsepositives:
- Legitimate backup scripts or file management tools
level: high
KQL (Microsoft Sentinel)
This query hunts for the rapid creation of files with new extensions (a common ransomware trait) and correlated VSS deletion events.
// Hunt for VSS Deletion followed by rapid file creation
let VSSDeletion =
DeviceProcessEvents
| where Timestamp > ago(1h)
| where FileName in~ ("vssadmin.exe", "wmic.exe")
| where ProcessCommandLine has_any ("delete shadows", "shadowcopy delete")
| project DeviceName, AccountName, ProcessCommandLine, Timestamp;
let RapidFileCreation =
DeviceFileEvents
| where Timestamp > ago(1h)
| where ActionType == "FileCreated"
| summarize Count = count(), FileExtensions = makeset(Extension) by DeviceName, InitiatingProcessAccountName, bin(Timestamp, 1m)
| where Count > 50; // Threshold tuning required
VSSDeletion
| join kind=inner (RapidFileCreation) on DeviceName
| project DeviceName, AccountName, Timestamp, ProcessCommandLine, Count, FileExtensions
Velociraptor VQL
Hunt for processes that have recently deleted shadow copies or are exhibiting behavior typical of ransomware (encrypting files).
-- Hunt for processes deleting VSS shadows or common ransomware extensions
SELECT Pid, Name, CommandLine, Exe, Username, CreateTime
FROM pslist()
WHERE Name =~ 'vssadmin.exe'
AND CommandLine =~ 'delete'
OR Name =~ 'wmic.exe'
AND CommandLine =~ 'shadowcopy'
OR Name =~ 'cipher.exe'
AND CommandLine =~ '/w';
Remediation Script (PowerShell)
Use this script to audit VSS health and identify potential ransomware processes on Windows endpoints.
# Audit VSS Health and Check for Suspicious Encryption Processes
Write-Host "Checking VSS Writer Status..." -ForegroundColor Cyan
try {
$vssWriters = vssadmin list writers
if ($vssWriters -like "*Error*") {
Write-Host "CRITICAL: VSS Writers detected errors. Backup may be failing." -ForegroundColor Red
} else {
Write-Host "VSS Writers appear healthy." -ForegroundColor Green
}
} catch {
Write-Host "Error running vssadmin." -ForegroundColor Red
}
Write-Host "\nChecking for known ransomware process names..." -ForegroundColor Cyan
$suspiciousProcesses = @("vssadmin", "wmic", "cipher", "bitsadmin", "powershell", "cmd")
$runningProcs = Get-Process | Where-Object { $suspiciousProcesses -contains $_.ProcessName }
foreach ($proc in $runningProcs) {
# Basic heuristic: Check if command line arguments look malicious (elevated privileges required)
$cmdLine = (Get-CimInstance Win32_Process -Filter "ProcessId = $($proc.Id)").CommandLine
if ($cmdLine -match "delete" -or $cmdLine -match "/w" -or $cmdLine -match "encrypted") {
Write-Host "SUSPICIOUS: Process $($proc.ProcessName) (PID: $($proc.Id)) with arguments: $cmdLine" -ForegroundColor Yellow
}
}
Remediation
If active encryption is detected or suspected based on the above rules:
- Isolate: Immediately disconnect affected hosts from the network (pull Ethernet/disable Wi-Fi) to prevent lateral movement to file servers.
- Preserve Artifacts: Do not reboot affected servers if possible; acquire a memory image to capture encryption keys or malware context.
- Credential Reset: Assume domain credentials are compromised. Reset credentials for all accounts used on affected systems, prioritizing privileged admins.
- Restore from Immutable Backups: Restore data from offline or immutable (WORM) storage. Ensure scanned backups are free of malware before restoration.
- Vulnerability Patching: While the specific vector for NLACRC is unknown, ensure all VPN gateways, remote access tools, and operating systems are patched against 2025-2026 CVEs.
Related Resources
Security Arsenal Incident Response Services AlertMonitor Platform Book a SOC Assessment incident-response Intel Hub
Is your security operations ready?
Get a free SOC assessment or see how AlertMonitor cuts through alert noise with automated triage.