A new variant of ransomware, called ELENOR-corp, has been making headlines recently due to its targeted attacks on the healthcare sector. This strain, identified as version 7.5 of the Mimic ransomware, comes equipped with a variety of advanced capabilities that are specifically designed to cause maximum damage and hinder recovery efforts.
One of the unique features of this latest iteration of the Mimic ransomware is its ability to maintain command-line access regardless of system restrictions. This allows attackers to execute remote commands without needing user credentials, thanks to the sticky keys bypass technique. Additionally, ELENOR-corp forcibly dismounts virtual drives to prevent hidden data storage, further complicating recovery efforts.
When deployed, the ransomware creates persistent registry entries and displays a ransom demand on the Windows login screen. Attackers can fine-tune encryption parameters using a GUI interface if .NET 4.0 is present. To avoid detection, the executable is obfuscated, making analysis difficult for security professionals.
However, what sets ELENOR-corp apart is its aggressive evidence tampering tactics. The ransomware deletes logs, file indexing histories, and registry entries, while also using fsutil commands to overwrite and delete its own binaries, making forensic recovery challenging. The malware even modifies power settings to disable sleep and hibernation modes, thereby increasing encryption speed.
To quickly spread across networks, ELENOR-corp allows for parallel RDP sessions and overrides restrictions on concurrent logins. It scans network shares, encrypting target shares while excluding some administrative shares. Additionally, the ransomware deletes Windows backup catalogs and Recycle Bin contents, making it difficult for victims to restore their data without extensive intervention.
Key techniques used by ELENOR-corp, as outlined in a recent advisory by Morphisec, include credential harvesting, RDP-based lateral movement, persistent file indexing, data exfiltration via web browsers, encryption of remote network shares, and destruction of system backups. To combat this threat, security researchers recommend enhancing RDP configurations with multifactor authentication, monitoring for forensic tampering, and maintaining offline backups.
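As an added example that is not part of the original article or the Morphisec advisory, the following Python scan shows how the forensic-tampering behaviours described above can be hunted in process-creation logs: it matches command lines for the sticky keys bypass (an IFEO debugger set on sethc.exe), hibernation being disabled, backup catalog deletion, fsutil zero-overwrites and the concurrent-RDP registry change, then escalates only hosts that show several distinct behaviours. The log record format and the exact command forms are assumptions, not values quoted from the advisory.

```python
import re
from collections import defaultdict

# Constructed sample process-creation records (timestamp|host|user|command_line),
# illustrative only: not command lines taken from the Morphisec advisory.
SAMPLE_LOG = """\
2024-01-01T10:00:01|ws01|alice|C:\\Windows\\System32\\notepad.exe C:\\Users\\alice\\notes.txt
2024-01-01T10:02:14|ws01|SYSTEM|reg add "HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options\\sethc.exe" /v Debugger /t REG_SZ /d cmd.exe /f
2024-01-01T10:02:20|ws01|SYSTEM|powercfg /hibernate off
2024-01-01T10:03:05|ws01|SYSTEM|wbadmin delete catalog -quiet
2024-01-01T10:03:40|ws01|SYSTEM|fsutil file setZeroData offset=0 length=1048576 C:\\Temp\\svc.exe
2024-01-01T10:04:00|ws01|SYSTEM|reg add "HKLM\\SYSTEM\\CurrentControlSet\\Control\\Terminal Server" /v fSingleSessionPerUser /t REG_DWORD /d 0 /f
2024-01-01T11:15:00|ws02|helpdesk|powercfg -h off
2024-01-01T11:16:00|ws02|bob|C:\\Program Files\\Git\\bin\\git.exe pull
"""

# One rule per behaviour the article attributes to ELENOR-corp; the exact
# command forms are assumed here, not quoted from the advisory.
RULES = {
    "sticky_keys_ifeo_debugger": r"image file execution options\\sethc\.exe.*\bdebugger\b",
    "hibernation_disabled": r"\bpowercfg\b.*[-/](?:hibernate|h)\s+off\b",
    "backup_catalog_deleted": r"\bwbadmin\b.*\bdelete\s+catalog\b",
    "fsutil_zero_overwrite": r"\bfsutil\b.*\bsetzerodata\b",
    "rdp_single_session_disabled": r"fsinglesessionperuser\b.*/d\s+0\b",
}
COMPILED = {name: re.compile(pat, re.I) for name, pat in RULES.items()}


def scan(log_text):
    """Return (timestamp, host, user, rule) for every record matching a rule."""
    hits = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, host, user, cmd = line.split("|", 3)
        hits.extend((ts, host, user, name) for name, pat in COMPILED.items() if pat.search(cmd))
    return hits


def flag_hosts(hits, min_distinct_rules=3):
    """One hit (an admin turning hibernation off) is weak evidence; several distinct
    tampering behaviours on the same host is the cluster worth escalating."""
    per_host = defaultdict(set)
    for _ts, host, _user, rule in hits:
        per_host[host].add(rule)
    return {h: sorted(r) for h, r in per_host.items() if len(r) >= min_distinct_rules}


if __name__ == "__main__":
    print(flag_hosts(scan(SAMPLE_LOG)))
```

Feed it real process-creation telemetry (for example Sysmon event 1 or Windows security event 4688 with command-line auditing enabled) by adapting the record parsing in scan(); the per-host clustering is what keeps a lone powercfg change from paging anyone.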
In conclusion, ELENOR-corp represents a dangerous evolution in ransomware tactics, with its advanced capabilities posing a significant threat to organizations, particularly in the healthcare sector. As attackers continue to refine their techniques, it is crucial for businesses to stay vigilant, update their security measures, and have robust backup strategies in place to protect against such threats.