
Ransomware Attacks on Advanced Family Surgery Center & Orem Eye Clinic: Detection and Hardening

Security Arsenal Team
May 15, 2026
5 min read

The healthcare sector remains a prime target for financially motivated cybercrime. Ransomware operators recently claimed responsibility for attacks on Advanced Family Surgery Center in Tennessee and Orem Eye Clinic in Utah. This is a classic "double-extortion" scenario: Protected Health Information (PHI) is encrypted for ransom and also exfiltrated for leverage.

For defenders, the urgency is immediate. The operational impact on ophthalmology and surgical centers—where access to high-resolution imaging and patient history is time-critical—is devastating. This post breaks down the likely attack mechanics and provides actionable detection rules and hardening steps to prevent your organization from appearing next on a leak site.

Technical Analysis

Affected Entities:

  • Advanced Family Surgery Center (Tennessee)
  • Orem Eye Clinic (Utah)

Threat Actor Profile: While the specific affiliate group varies, the TTPs (Tactics, Techniques, and Procedures) align with modern Ransomware-as-a-Service (RaaS) operations. These groups typically gain initial access via:

  1. Exploited External Interfaces: Unpatched VPN appliances or RDP services exposed to the internet.
  2. Phishing: Credential harvesting leading to initial foothold.

Attack Chain Overview:

  1. Initial Access: Compromise of user credentials or of a vulnerable external-facing service.
  2. Privilege Escalation: Use of credential-dumping tools such as mimikatz or LaZagne to move from a standard user account to Domain Admin.
  3. Defense Evasion: Disabling AV/EDR via PowerShell scripts or malicious kernel drivers.
  4. Lateral Movement: SMB (TCP 445) and RDP (TCP 3389) used to propagate across the network and reach backup servers and PACS (Picture Archiving and Communication System) storage.
  5. Impact: Execution of the encryption payload. A critical precursor observed in 90% of these cases is the deletion of Volume Shadow Copies using vssadmin.exe or wmic.exe to prevent bare-metal recovery.

Exploitation Status: Active exploitation confirmed via victim leak site postings. No specific CVE is identified in the reporting, implying the intrusion relies on configuration weaknesses (credential hygiene, open RDP) rather than a zero-day vulnerability.

Detection & Response

Sigma Rules

The following Sigma rules target the critical "pre-encryption" behaviors. Ransomware groups must disable backups and clear logs before deploying the payload. Detecting these actions provides the last window of opportunity to eject the attacker.

YAML
---
title: Potential Ransomware Shadow Copy Deletion
id: 8ac3c31a-8d6f-4a9d-bc5e-3c1c7e2d8f9a
status: experimental
description: Detects attempts to delete Volume Shadow Copies, a common precursor to ransomware execution to prevent recovery.
references:
  - https://attack.mitre.org/techniques/T1490/
author: Security Arsenal
date: 2025/04/10
tags:
  - attack.impact
  - attack.t1490
logsource:
  category: process_creation
  product: windows
detection:
  selection_vssadmin:
    Image|endswith: '\vssadmin.exe'
    CommandLine|contains: 'delete shadows'
  selection_wmic:
    Image|endswith: '\wmic.exe'
    CommandLine|contains: 'shadowcopy delete'
  condition: 1 of selection*
falsepositives:
  - Legitimate system administration tasks (rare)
level: high
---
title: Mass Encryption via PowerShell
id: b2f4e9a1-7c3d-4e8a-9f1b-2c3d4e5f6a7b
status: experimental
description: Detects PowerShell scripts attempting to encrypt files rapidly, indicative of ransomware behavior.
references:
  - https://attack.mitre.org/techniques/T1486/
author: Security Arsenal
date: 2025/04/10
tags:
  - attack.impact
  - attack.t1486
logsource:
  category: process_creation
  product: windows
detection:
  selection:
    Image|endswith: '\powershell.exe'
    CommandLine|contains:
      - '.Encrypt'
      - 'System.Security.Cryptography'
  condition: selection
falsepositives:
  - Legitimate encryption scripts by IT staff
level: medium
---
title: Suspicious RDP Logins from Non-Workstation
id: 9c5d1e8f-3a4b-4c2d-9e6f-1a2b3c4d5e6f
status: experimental
description: Detects mstsc.exe launched by a parent other than explorer.exe (a scripted or tool-driven RDP client start rather than a user double-click), which can indicate lateral movement.
references:
  - https://attack.mitre.org/techniques/T1021/
author: Security Arsenal
date: 2025/04/10
tags:
  - attack.lateral_movement
  - attack.t1021.001
logsource:
  category: process_creation
  product: windows
detection:
  selection:
    Image|endswith: '\mstsc.exe'
  filter_legit:
    ParentImage|contains:
      - '\explorer.exe'
  condition: selection and not filter_legit
falsepositives:
  - Admin tools launching RDP
level: low
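To see how these three rules behave before loading them into a SIEM, the following added example (not part of the original post) hand-translates their selections and conditions into Python and runs them over constructed process-creation events shaped like Sysmon Event ID 1 / Windows 4688 fields. Sigma string modifiers are case-insensitive, which the helpers reproduce; the `.NET` namespace string used for the PowerShell rule is the real one, System.Security.Cryptography. The events, hostnames and paths are constructed samples, not telemetry from the incidents described.

```python
"""Apply the three Sigma rules above to constructed process-creation events.

Added example, not part of the original post. Rule logic is hand-translated
from the YAML; events are constructed samples (Sysmon EID 1 / 4688 style).
"""

# Sigma field modifiers used by the rules; Sigma compares strings case-insensitively.
MODIFIERS = {
    "endswith": lambda value, pattern: value.lower().endswith(pattern.lower()),
    "contains": lambda value, pattern: pattern.lower() in value.lower(),
}

# A selection is a list of (field, modifier, [patterns]). All fields must match (AND);
# a list of patterns for one field matches if any pattern matches (OR), as in Sigma.
RULES = [
    {
        "title": "Potential Ransomware Shadow Copy Deletion",
        "level": "high",
        "selections": {
            "selection_vssadmin": [("Image", "endswith", ["\\vssadmin.exe"]),
                                   ("CommandLine", "contains", ["delete shadows"])],
            "selection_wmic": [("Image", "endswith", ["\\wmic.exe"]),
                               ("CommandLine", "contains", ["shadowcopy delete"])],
        },
        # condition: 1 of selection*
        "condition": lambda s: any(v for k, v in s.items() if k.startswith("selection")),
    },
    {
        "title": "Mass Encryption via PowerShell",
        "level": "medium",
        "selections": {
            "selection": [("Image", "endswith", ["\\powershell.exe"]),
                          ("CommandLine", "contains", [".Encrypt", "System.Security.Cryptography"])],
        },
        # condition: selection
        "condition": lambda s: s["selection"],
    },
    {
        "title": "Suspicious RDP Logins from Non-Workstation",
        "level": "low",
        "selections": {
            "selection": [("Image", "endswith", ["\\mstsc.exe"])],
            "filter_legit": [("ParentImage", "contains", ["\\explorer.exe"])],
        },
        # condition: selection and not filter_legit
        "condition": lambda s: s["selection"] and not s["filter_legit"],
    },
]


def match_selection(event, selection):
    """True when every field condition in the selection holds for the event."""
    for field, modifier, patterns in selection:
        value = str(event.get(field, ""))
        if not any(MODIFIERS[modifier](value, p) for p in patterns):
            return False
    return True


def evaluate(event):
    """Return (title, level) for every rule whose condition fires on the event."""
    hits = []
    for rule in RULES:
        results = {name: match_selection(event, sel) for name, sel in rule["selections"].items()}
        if rule["condition"](results):
            hits.append((rule["title"], rule["level"]))
    return hits


def alerts(events):
    """Flatten evaluate() over a batch: (event index, title, level) per firing."""
    return [(i, title, level) for i, e in enumerate(events) for title, level in evaluate(e)]


# Constructed sample events: two precursors, one encryption script, a user-launched RDP
# client (filtered), a scripted RDP client launch, and a benign vssadmin look-alike.
EVENTS = [
    {"Image": r"C:\Windows\System32\vssadmin.exe", "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "vssadmin.exe Delete Shadows /All /Quiet"},
    {"Image": r"C:\Windows\System32\wbem\WMIC.exe", "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "wmic shadowcopy delete"},
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": 'powershell.exe -Command "[System.Security.Cryptography.Aes]::Create()"'},
    {"Image": r"C:\Windows\System32\mstsc.exe", "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": "mstsc.exe"},
    {"Image": r"C:\Windows\System32\mstsc.exe",
     "ParentImage": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "mstsc.exe /v:imaging-archive"},
    {"Image": r"C:\Windows\System32\vssadmin.exe", "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "vssadmin.exe List Shadows"},
]

if __name__ == "__main__":
    for index, title, level in alerts(EVENTS):
        print(f"event {index}: [{level}] {title}")
```

Running the block prints four alerts: the two shadow-copy deletions, the PowerShell encryption call and the scripted mstsc.exe launch; the explorer-launched RDP client and the read-only `vssadmin List Shadows` stay silent, which is the false-positive boundary each rule's `filter_legit` or `contains` pattern draws.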

KQL (Microsoft Sentinel)

This query surfaces shadow-copy and backup deletion attempts via vssadmin.exe or wmic.exe in the last 24 hours. That pre-encryption step matters most where the target is a medical imaging archive (DICOM/PACS), because bare-metal recovery of those systems depends on intact local snapshots and backups.

KQL — Microsoft Sentinel / Defender
DeviceProcessEvents
| where Timestamp > ago(24h)
| where (FileName has "vssadmin.exe" or FileName has "wmic.exe")
| extend CommandLine = coalesce(ProcessCommandLine, "")
| where CommandLine contains "delete" and (CommandLine contains "shadow" or CommandLine contains "backup")
| project Timestamp, DeviceName, InitiatingProcessAccountName, FileName, CommandLine
| order by Timestamp desc

Velociraptor VQL

Use this artifact on potentially compromised endpoints to hunt for processes holding an unusually large number of handles. A process encrypting files in bulk opens many file handles in quick succession, so a high handle count on a non-system, non-browser process is worth a closer look.

VQL — Velociraptor
-- Hunt for processes with high handle counts indicative of mass encryption
SELECT Pid, Name, CommandLine, Handles, CreateTime
FROM pslist()
WHERE Handles > 500
  AND Name NOT IN ('svchost.exe', 'services.exe', 'lsass.exe', 'chrome.exe', 'firefox.exe')
ORDER BY Handles DESC

Remediation Script (PowerShell)

If indicators of compromise (IOCs) are found, use this script to immediately isolate the host and prevent lateral movement while the IR team investigates.

PowerShell
#Requires -RunAsAdministrator
# Run from a local console: the isolation step at the end drops every remote
# session (RDP, WinRM, EDR shell), so collect the audit evidence first.

# Audit Recent Shadow Copy Deletions.
# Security event 4688 only carries the command line when the policy
# "Include command line in process creation events" is enabled.
Write-Host "Checking for recent VSS Admin events..."
Get-WinEvent -FilterHashtable @{LogName='Security'; ID=4688} -MaxEvents 1000 |
    Where-Object {$_.Message -like '*vssadmin*' -and $_.Message -like '*delete*'} |
    Select-Object TimeCreated, Message

# Stop and Disable RDP Services (if not required for critical ops)
Stop-Service -Name TermService -Force
Set-Service -Name TermService -StartupType Disabled

# Enable Firewall Block All Inbound (persists when the adapters are re-enabled later)
netsh advfirewall set allprofiles firewallpolicy blockinbound,allowoutbound

# Isolate Host: Disable Network Adapters (last, because it severs remote access)
Get-NetAdapter | Where-Object Status -eq 'Up' | Disable-NetAdapter -Confirm:$false

Remediation

Given these active attacks on healthcare providers, immediate remediation steps are required:

  1. Disable Internet-Facing RDP: Conduct an immediate audit of external attack surfaces. If RDP (TCP 3389) is open to the internet, close it immediately. Enforce VPN access with MFA for all remote administrative access.
  2. Patch Management: While no specific CVE was cited, ensure all VPN appliances (e.g., Pulse Secure, Fortinet, Cisco) and Windows Servers are patched against known CVEs (e.g., CVE-2024-XXXX) frequently targeted by ransomware initial access brokers.
  3. Implement MFA Everywhere: Require phishing-resistant MFA for all users, specifically those accessing email, EHR (Electronic Health Record) systems, and network infrastructure.
  4. Offline Backups: Verify that backups of the PACS and EHR databases are immutable and offline. Ransomware groups actively target connected backup servers.
  5. Network Segmentation: Ensure medical devices (IoMT) and patient data servers are on isolated VLANs, restricting lateral movement from the general user network.
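Steps 1 and 5 above are policy checks that can be automated against a firewall rule export. The following added example (not part of the original post) audits a constructed rule set for the two weaknesses the attack chain relies on: RDP (3389) or SMB (445) reachable from outside the internal address space, and those same ports allowed from the general user VLAN into the clinical segment holding PACS and EHR servers. It then shows the corrected rule set beside the weak one. The VLAN ranges, rule names and the `Rule` shape are constructed assumptions, not a real vendor export format.

```python
"""Audit a firewall rule set for internet-exposed or unsegmented RDP/SMB.

Added example, not part of the original post. Address ranges, rule names and
the Rule record are constructed assumptions for illustration.
"""
import ipaddress
from dataclasses import dataclass, replace

# Constructed network plan: general user VLAN, clinical segment (PACS/EHR), and
# the jump-host range that VPN+MFA sessions land on for remote administration.
USER_VLAN = ipaddress.ip_network("10.10.0.0/16")
CLINICAL_VLAN = ipaddress.ip_network("10.50.0.0/24")
MGMT_JUMP = ipaddress.ip_network("10.99.0.0/24")
INTERNAL = [USER_VLAN, CLINICAL_VLAN, MGMT_JUMP, ipaddress.ip_network("10.20.0.0/16")]

# Ports used for lateral movement in the attack chain above.
LATERAL_PORTS = {3389: "RDP", 445: "SMB"}


@dataclass(frozen=True)
class Rule:
    name: str
    src: str      # source CIDR
    dst: str      # destination CIDR
    port: int
    action: str   # "allow" or "deny"


def is_internal(net):
    """True if the CIDR lies wholly inside one of the internal ranges."""
    return any(net.subnet_of(block) for block in INTERNAL)


def audit(rules):
    """Return (rule name, finding) for every allow rule that violates steps 1 or 5."""
    findings = []
    for r in rules:
        if r.action != "allow" or r.port not in LATERAL_PORTS:
            continue
        src, dst, svc = ipaddress.ip_network(r.src), ipaddress.ip_network(r.dst), LATERAL_PORTS[r.port]
        if not is_internal(src):
            findings.append((r.name, f"{svc} reachable from outside the internal ranges; remove and require VPN+MFA"))
        elif src.subnet_of(USER_VLAN) and dst.subnet_of(CLINICAL_VLAN):
            findings.append((r.name, f"{svc} allowed from the user VLAN into the clinical segment; restrict source to {MGMT_JUMP}"))
    return findings


def harden(rules):
    """Produce the corrected rule set: drop external RDP/SMB, pin user->clinical access to the jump hosts."""
    fixed = []
    for r in rules:
        if r.action == "allow" and r.port in LATERAL_PORTS:
            src, dst = ipaddress.ip_network(r.src), ipaddress.ip_network(r.dst)
            if not is_internal(src):
                continue  # remote admin goes through VPN+MFA, never a public RDP/SMB rule
            if src.subnet_of(USER_VLAN) and dst.subnet_of(CLINICAL_VLAN):
                r = replace(r, src=str(MGMT_JUMP))
        fixed.append(r)
    return fixed


# Constructed rule export: two weak rules, one already-correct rule, one out of scope, one deny.
RULES = [
    Rule("allow-rdp-any-to-pacs", "0.0.0.0/0", "10.50.0.10/32", 3389, "allow"),
    Rule("allow-smb-users-to-clinical", "10.10.0.0/16", "10.50.0.0/24", 445, "allow"),
    Rule("allow-rdp-jump-to-clinical", "10.99.0.0/24", "10.50.0.0/24", 3389, "allow"),
    Rule("allow-https-any-to-portal", "0.0.0.0/0", "10.20.0.5/32", 443, "allow"),
    Rule("deny-rdp-any", "0.0.0.0/0", "0.0.0.0/0", 3389, "deny"),
]

if __name__ == "__main__":
    for name, finding in audit(RULES):
        print(f"{name}: {finding}")
    print("findings after hardening:", audit(harden(RULES)))
```

The audit flags exactly the two weak rules; after `harden()` the public RDP rule is gone, the user-to-clinical SMB rule has its source narrowed to the jump-host range, and a second audit pass returns nothing. The HTTPS rule and the deny rule are untouched because the check is scoped to allow rules on the lateral-movement ports.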
