In May 2025, Kettering Adventist Healthcare (Kettering Health) confirmed a severe encryption-based cyber incident that has compromised the protected health information (PHI) of approximately 1.7 million individuals. This event is not merely a data breach; it is a classic ransomware scenario where threat actors leveraged encryption to lock critical systems, likely exfiltrating data for double-extortion leverage.
For healthcare defenders, this incident is a stark reminder of the stakes involved. When encryption hits a health system, patient care is immediately jeopardized. The urgency for SOC teams and IR responders is to detect the precursors of mass encryption—specifically the sabotage of backup mechanisms and lateral movement—before the payload executes.
Technical Analysis
Attack Profile
While specific CVEs or malware strains have not been publicly disclosed in the initial breach notification, the classification as an "encryption-based cyber incident" confirms a ransomware playbook. The attack likely followed a standard MITRE ATT&CK framework tailored for enterprise environments:
- Initial Access: Likely via phishing (credential harvesting) or exploitation of external-facing services (RDP/VPN).
- Execution & Persistence: Use of legitimate administrative tools (PowerShell, WMIC) for living-off-the-land (LotL) attacks to evade detection.
- Defense Evasion: Critical to encryption attacks is the disabling of recovery options. Attackers almost uniformly target Volume Shadow Copies (VSS) and backup services to prevent restoration.
- Impact: Deployment of an encryption payload targeting database and file servers storing PHI.
Affected Systems
The scope impacting 1.7 million individuals suggests widespread access to Electronic Health Records (EHR) and associated patient management databases. In engagements of this magnitude, we typically see:
- Windows Server Environment: Primary target for encryption.
- Active Directory: Compromised for lateral movement.
- Backup Repositories: Targeted for deletion or encryption to force ransom payment.
Detection & Response
SIGMA Rules
The following SIGMA rules target the "pre-encryption" phase where threat actors clear the tracks to ensure recovery is impossible. These are high-fidelity indicators of an imminent ransomware event.
---
title: Potential Ransomware Shadow Copy Deletion
id: 9a4a7d1b-2b5c-4d8e-8f1a-3b6c5d7e9f0a
status: experimental
description: Detects attempts to delete Volume Shadow Copies using vssadmin or wmic, a common precursor to ransomware execution to prevent recovery.
references:
- https://attack.mitre.org/techniques/T1490/
author: Security Arsenal
date: 2025/05/20
tags:
- attack.impact
- attack.t1490
logsource:
category: process_creation
product: windows
detection:
selection_vssadmin:
Image|endswith: '\vssadmin.exe'
CommandLine|contains: 'delete shadows'
selection_wmic:
Image|endswith: '\wmic.exe'
CommandLine|contains: 'shadowcopy delete'
condition: 1 of selection*
falsepositives:
- Administrators managing disk space (rare in production)
level: high
---
title: Ransomware Backup Service Sabotage
id: b1c2d3e4-5f6a-7b8c-9d0e-1f2a3b4c5d6e
status: experimental
description: Detects commands used to stop or disable backup services (e.g., SQL Agent, VSS Writer) or delete backups using wbadmin.
references:
- https://attack.mitre.org/techniques/T1489/
author: Security Arsenal
date: 2025/05/20
tags:
- attack.impact
- attack.t1489
logsource:
category: process_creation
product: windows
detection:
selection_wbadmin:
Image|endswith: '\wbadmin.exe'
CommandLine|contains: 'delete'
selection_net_stop:
Image|endswith: '\net.exe'
CommandLine|contains:
- 'stop "SQL ServerAGENT"'
- 'stop VSS'
condition: 1 of selection*
falsepositives:
- Legitimate backup maintenance windows
level: high
---
title: Suspicious Mass File Encryption via PowerShell
id: c3d4e5f6-7a8b-9c0d-1e2f-3a4b5c6d7e8f
status: experimental
description: Detects PowerShell scripts attempting to encrypt files or recurse through directories rapidly, indicative of ransomware behavior.
references:
- https://attack.mitre.org/techniques/T1486/
author: Security Arsenal
date: 2025/05/20
tags:
- attack.impact
- attack.t1486
logsource:
category: process_creation
product: windows
detection:
selection:
Image|endswith:
- '\powershell.exe'
- '\pwsh.exe'
CommandLine|contains:
- '.Encrypt('
- 'Encrypt-File'
- 'System.IO.Cryptography'
condition: selection
falsepositives:
- Legitimate encryption scripts by IT staff
level: medium
KQL (Microsoft Sentinel / Defender)
This query hunts for the combination of disabling system recovery and subsequent massive file modifications, the signature of a ransomware event like the one at Kettering Health.
// Hunt for Ransomware Precursors: Shadow Copy Deletion and Service Stops
let TimeFrame = 1h;
DeviceProcessEvents
| where Timestamp > ago(TimeFrame)
| where FileName in~ ("vssadmin.exe", "wbadmin.exe", "wmic.exe")
| where ProcessCommandLine has_any ("delete shadows", "shadowcopy delete", "delete backup", "catalog")
| extend HostName = DeviceName
| project Timestamp, HostName, AccountName, FileName, ProcessCommandLine, InitiatingProcessFileName
| join kind=inner (
DeviceProcessEvents
| where Timestamp > ago(TimeFrame)
| where FileName in~ ("net.exe", "sc.exe")
| where ProcessCommandLine has_any ("stop", "disable")
| where ProcessCommandLine has_any ("SQL", "VSS", "Backup", "MSSQLSERVER")
) on HostName
| project Timestamp, HostName, AccountName_Sabotage = AccountName1, CommandLine_Sabotage = ProcessCommandLine1, AccountName_Service = AccountName, CommandLine_Service = ProcessCommandLine
Velociraptor VQL
This artifact hunts for the presence of suspicious processes that often indicate the encryption phase or the preparation for it, specifically looking for the deletion of shadow copies.
-- Hunt for Ransomware Precursors on Endpoint
SELECT Pid, Name, CommandLine, Exe, Username, CreateTime
FROM pslist()
WHERE Name =~ 'vssadmin.exe'
AND CommandLine =~ 'delete.*shadows'
UNION ALL
SELECT Pid, Name, CommandLine, Exe, Username, CreateTime
FROM pslist()
WHERE Name =~ 'wbadmin.exe'
AND CommandLine =~ 'delete'
Remediation Script (PowerShell)
This script performs an immediate triage check on the Volume Shadow Copy Service (VSS) status and ensures critical backup protections are active. Run this on critical servers immediately if you suspect similar activity.
# Kettering Health Incident Response: VSS and Backup Triage
Write-Host "[+] Checking VSS Service Status..."
$vssService = Get-Service -Name VSS -ErrorAction SilentlyContinue
if ($vssService) {
if ($vssService.Status -ne 'Running') {
Write-Host "[!] CRITICAL: VSS Service is not running. Current State: $($vssService.Status)" -ForegroundColor Red
Write-Host "[*] Attempting to start VSS Service..."
Start-Service -Name VSS -ErrorAction Stop
} else {
Write-Host "[+] VSS Service is Running." -ForegroundColor Green
}
} else {
Write-Host "[!] ERROR: VSS Service not found on this system." -ForegroundColor Red
}
# Check for recent Shadow Copy Deletion events in System Log (Event ID 7036 or VSS specific errors)
Write-Host "[+] Checking System Event Logs for VSS stop events (Last 24 Hours)..."
$recentStops = Get-WinEvent -FilterHashtable @{LogName='System'; ID=7036; Level=4; StartTime=(Get-Date).AddHours(-24)} -ErrorAction SilentlyContinue |
Where-Object { $_.Message -like '*VSS*stopped*' }
if ($recentStops) {
Write-Host "[!] WARNING: Detected recent stops of the VSS service." -ForegroundColor Red
$recentStops | Select-Object TimeCreated, Message | Format-Table
} else {
Write-Host "[+] No suspicious VSS stops detected in the last 24 hours." -ForegroundColor Green
}
# Ensure Shadow Copy Storage is accessible
Write-Host "[+] Checking for existing Shadow Copies..."
try {
$shadowCopies = vssadmin list shadows
if ($shadowCopies -match "No shadow copies found") {
Write-Host "[!] WARNING: No Shadow Copies exist. System is vulnerable to data loss." -ForegroundColor Yellow
} else {
Write-Host "[+] Shadow Copies exist." -ForegroundColor Green
# Output count (simple parsing)
($shadowCopies | Select-String "Shadow Copy Volume").Count
}
} catch {
Write-Host "[!] Error querying vssadmin. Verify execution permissions." -ForegroundColor Red
}
Remediation
Based on the Kettering Health incident, immediate remediation and hardening steps are required to prevent encryption propagation:
- Isolate Affected Segments: Immediately disconnect infected hosts from the network to prevent the ransomware from spreading to file servers and PACS (Picture Archiving and Communication System) archives.
- Credential Resetting: Assume that Active Directory credentials have been compromised. Force a password reset for all privileged accounts (Domain Admins) and service accounts used for backups and database management.
- VSS Hardening: Implement Group Policy Objects (GPO) to restrict
vssadmin.exe,wmic.exe, andwbadmin.exeexecution to only specific administrative workstations. Standard users and healthcare workstations should never require these tools. - Offline Backups Verification: Ensure that your immutable, offline backups are current. In encryption-based attacks, online connected backups are the first target. Verify that your air-gapped backup snapshot from the last 24 hours is restorable.
- Network Segmentation: Enforce strict segmentation between clinical workstations and administrative/backup servers. Ransomware often traverses via SMB (TCP 445); block lateral movement where clinically unnecessary.
Related Resources
Security Arsenal Healthcare Cybersecurity AlertMonitor Platform Book a SOC Assessment healthcare Intel Hub
Is your security operations ready?
Get a free SOC assessment or see how AlertMonitor cuts through alert noise with automated triage.