SafeBreach Hacker’s Playbook Updated for IL-CERT Alert (1389) DeepBlueMagic Ransomware Attacks
US Cert Alerts
On October 13th, the Hillel Yaffe Medical Center in Hadera, Israel was targeted by a ransomware attack that affected its computer systems (medical devices were not affected). The medical center is a major hospital serving a population of nearly 500K residents. Based on the current information available, this attack has been attributed to a new threat actor DeepBlueMagic. The group is using a brand-new ransomware called DeepBlueMagic that was first discovered in the wild in August 2021. It is not known whether the ransomware attack was a terror attack or if it was financially motivated.
It is suspected that the group leveraged a vulnerability in the Pulse Connect Secure VPN to get access to the IT systems of the Hillel Yaffe Medical Center. Once inside the network, the ransomware leveraged a legitimate disk encryption tool (BestCrypt Volume Encryption by Jetico) to encrypt the system drives as well as the rescue file (used by the Jetico tool to recover a partition in case of damage). They were then able to leverage the recently discovered Hive Nightmare Vulnerability to steal information in the Security Account Manager (SAM) from the Windows Volume Shadow File. The threat actors then went on to delete the Volume Shadow File to prevent any data from being restored. Additionally, it also tried to leverage Active Directory to activate BitLocker encryption on all the endpoints in the medical center network.
NOTE - The SafeBreach Hacker’s Playbook has been updated to include the newly discovered tactics and techniques from this alert. We encourage you to test your preparedness against the DeepBlueMagic Ransomware by running the attacks listed below.
The new and existing attack methods for IL-CERT Alert 1389 (DeepBlueMagic Ransom) are already in the SafeBreach Hacker’s playbook and ready to be run across your simulators. The Known Attack Series report is updated so you can run the specific attacks from this alert. From the Known Attack Series report, select the IL-CERT Alert 1389 (DeepBlueMagic Ransom) report and select Run Simulations which will run all attack methods.
Additionally, you can also select all the attacks related to IL-CERT 1389 (DeepBlueMagic Ransomware), by going to the SafeBreach Playbook and filtering by Threat Name – IL-CERT Alert 1389 (DeepBlueMagic Ransom).