Back to Intelligence

Ransomware Attack on Good Samaritan Health Center: Defending Healthcare PHI from Encryption-Based Incidents

SA
Security Arsenal Team
May 1, 2026
6 min read

A recent "encryption-based cyber incident" at Good Samaritan Health Center has compromised the Protected Health Information (PHI) of approximately 10,000 individuals. This breach, reported alongside other incidents at Green Imaging and Wonderland Child & Family Services, signals a renewed targeting of the Healthcare and Public Health (HPH) sector by ransomware operators. For defenders, this is not just a headline; it is a tactical indicator that threat actors are actively probing and exploiting vulnerabilities in healthcare IT environments to encrypt data and disrupt critical care operations. The urgency is palpable—encryption attacks often imply imminent operational downtime and significant regulatory scrutiny under HIPAA.

Technical Analysis

While the specific ransomware strain (e.g., LockBit, BlackCat) was not explicitly disclosed in the initial reports, the attack vector is described as an "encryption-based cyber incident," which strongly suggests a classic ransomware playbook.

  • Attack Vector: In healthcare environments, these incidents typically originate from phishing campaigns delivering malicious payloads, or the exploitation of internet-facing remote access services (RDP, VPN) that lack multi-factor authentication (MFA).
  • Mechanism of Action: The threat actor gains initial access, establishes persistence (often via scheduled tasks or registry run keys), and performs lateral movement using tools like PsExec or WMI. Once Domain Admin credentials are obtained, the deployment of the encryption payload begins.
  • Impact: The encryption of files prevents access to PHI and Electronic Health Records (EHR), forcing the organization into recovery mode. The breach of 10,000 records triggers HIPAA Breach Notification Rule requirements, necessitating forensic analysis to determine if data was exfiltrated (double-extortion) in addition to being encrypted.

Detection & Response

Defending against encryption-based incidents requires detecting the precursors to encryption—specifically, the adversary's attempts to disable backups and security tools before the payload executes. The following rules focus on these high-fidelity TTPs.

SIGMA Rules

YAML
---
title: Potential Ransomware Activity - Volume Shadow Copy Deletion via VssAdmin
id: 550d9a23-0f72-4e3a-a8c5-1d2f3b4c5d6e
status: experimental
description: Detects attempts to delete Volume Shadow Copies using vssadmin.exe, a common precursor to ransomware encryption to prevent file recovery.
references:
  - https://attack.mitre.org/techniques/T1490/
author: Security Arsenal
date: 2024/05/22
tags:
  - attack.impact
  - attack.t1490
logsource:
  category: process_creation
  product: windows
detection:
  selection:
    Image|endswith: '\vssadmin.exe'
    CommandLine|contains: 'delete shadows'
  condition: selection
falsepositives:
  - Legitimate administration by IT staff (rare)
level: high
---
title: Potential Ransomware Activity - Mass File Extension Modification
id: 7a3f1c82-9e4b-4d67-bc12-3e5a8f901234
status: experimental
description: Detects rapid renaming of files with a new extension, a heuristic for mass encryption events.
references:
  - https://attack.mitre.org/techniques/T1486/
author: Security Arsenal
date: 2024/05/22
tags:
  - attack.impact
  - attack.t1486
logsource:
  category: file_change
  product: windows
detection:
  selection:
    TargetFilename|contains: "."
  filter:
    TargetFilename|endswith:
      - ".tmp"
      - ".log"
  timeframe: 1m
  condition: selection | count() > 50 and not filter
falsepositives:
  - Bulk file processing by legitimate backup software
level: critical

KQL (Microsoft Sentinel / Defender)

This query hunts for the deletion of shadow copies and the execution of suspicious PowerShell scripts often used to deploy ransomware payloads.

KQL — Microsoft Sentinel / Defender
// Hunt for Ransomware Precursors: Shadow Copy Deletion and Suspicious PowerShell
DeviceProcessEvents
| where Timestamp > ago(7d)
| where (FileName =~ "vssadmin.exe" and ProcessCommandLine has "delete shadows") 
   or (FileName =~ "powershell.exe" and ProcessCommandLine has_any ("Invoke-AESEncryption", "IEX", "DownloadString") and ProcessCommandLine has "-enc")
| project Timestamp, DeviceName, InitiatingProcessAccountName, FileName, ProcessCommandLine, FolderPath
| order by Timestamp desc

Velociraptor VQL

This artifact hunts for common ransomware note filenames (e.g., _readme.txt, decrypt.html) across user profiles and public drives, which indicates a successful payload execution.

VQL — Velociraptor
-- Hunt for Ransomware Notes and Suspicious Encrypted Files
SELECT FullPath, Size, Mtime, Mode
FROM glob(globs="/*")
WHERE FullPath =~ '(?i)_readme\.txt$'
   OR FullPath =~ '(?i)decrypt.*\.(html|txt|png)$'
   OR FullPath =~ '(?i)RECOVER.*\.(txt|html)$'
   OR FullPath =~ '\.locked$' OR FullPath =~ '\.encrypted$'
LIMIT 100

Remediation Script (PowerShell)

This script assists IR teams by identifying potential ransomware artifacts on a host and checking the status of the Volume Shadow Copy Service (VSS).

PowerShell
# Ransomware Incident Response - Artifact Hunter
Write-Host "[*] Starting Ransomware Artifact Hunt..." -ForegroundColor Cyan

# 1. Check for VSS Writer Status
Write-Host "[+] Checking Volume Shadow Copy Service Status..." -ForegroundColor Yellow
$vssService = Get-Service -Name VSS -ErrorAction SilentlyContinue
if ($vssService) {
    Write-Host "    VSS Service Status: $($vssService.Status)"
} else {
    Write-Host "    [!] VSS Service not found." -ForegroundColor Red
}

# 2. Hunt for Common Ransom Note Extensions in User Profiles
Write-Host "[+] Searching for common ransom note file extensions..." -ForegroundColor Yellow
$paths = @("C:\Users\", "C:\ProgramData\")
$extensions = @("*.txt", "*.html", "*.png")
$keywords = @("readme", "decrypt", "recover", "restore", "files", "how_to", "instruction")

$foundNotes = @()
foreach ($path in $paths) {
    if (Test-Path $path) {
        Get-ChildItem -Path $path -Recurse -Include $extensions -ErrorAction SilentlyContinue | ForEach-Object {
            if ($_.Name -match "(?i)($($keywords -join '|'))") {
                $foundNotes += $_.FullName
            }
        }
    }
}

if ($foundNotes.Count -gt 0) {
    Write-Host "    [!] Potential Ransom Notes Found:" -ForegroundColor Red
    $foundNotes | ForEach-Object { Write-Host "        - $_" }
} else {
    Write-Host "    No obvious ransom notes found." -ForegroundColor Green
}

# 3. Check for encrypted file patterns (simple heuristics)
Write-Host "[+] Checking for mass encrypted files (e.g., .locked, .encrypted)..." -ForegroundColor Yellow
$encExtensions = @("*.locked", "*.encrypted", "*.micro", "*.crypt", "*.cryptowall")
$foundEncrypted = @()
Get-ChildItem -Path "C:\Users\" -Recurse -Include $encExtensions -ErrorAction SilentlyContinue | ForEach-Object {
    $foundEncrypted += $_.FullName
}

if ($foundEncrypted.Count -gt 0) {
    Write-Host "    [!] Found potential encrypted files. Limiting output to first 10:" -ForegroundColor Red
    $foundEncrypted | Select-Object -First 10 | ForEach-Object { Write-Host "        - $_" }
} else {
    Write-Host "    No files with common encrypted extensions found." -ForegroundColor Green
}

Remediation

Immediate containment and recovery are critical for healthcare entities experiencing encryption-based incidents.

  1. Isolate Affected Systems: Immediately disconnect impacted hosts from the network (Ethernet/WiFi) to prevent lateral movement to other clinical workstations or EHR servers. Do not power off systems entirely if memory forensics are required.
  2. Preserve Evidence: Acquire memory images and disk forensics of affected machines before restoring images. This is vital for identifying the intrusion vector and ensuring the attacker is fully eradicated before restoration.
  3. Verify Backups: Ensure backups are offline and immutable. Verify the integrity of backup data before initiating restoration. Ransomware actors often target backup APIs or shadow copies.
  4. Patch and Harden: Identify the initial vector (likely phishing or unpatched RDP/VPN). Apply the latest security patches to VPN concentrators (e.g., Fortinet, Pulse Secure) and enforce MFA on all remote access points immediately.
  5. Incident Notification: Given the breach of 10,000 individuals, coordinate with legal counsel to comply with HIPAA Breach Notification Rules (notification to HHS, media, and individuals within 60 days of discovery).

Related Resources

Security Arsenal Incident Response Services AlertMonitor Platform Book a SOC Assessment incident-response Intel Hub

incident-responseransomwarebreach-responseforensicsdfirhealthcarehipaaphi

Is your security operations ready?

Get a free SOC assessment or see how AlertMonitor cuts through alert noise with automated triage.

Book a SOC AssessmentSee AlertMonitor in Action