{
	"id": "a508a379-eac7-4c34-aba8-658c5daf1f1d",
	"created_at": "2026-04-06T00:17:47.012626Z",
	"updated_at": "2026-04-10T03:36:10.973555Z",
	"deleted_at": null,
	"sha1_hash": "1483df4bd201075aef83f851d93741b092ce8c7b",
	"title": "A Bazar start: How one hospital thwarted a Ryuk ransomware outbreak",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 75574,
	"plain_text": "A Bazar start: How one hospital thwarted a Ryuk ransomware\r\noutbreak\r\nBy Brian Donohue\r\nPublished: 2020-10-29 · Archived: 2026-04-05 20:33:08 UTC\r\nIn mid-October, a variety of detection analytics alerted the Red Canary CIRT to execution, reconnaissance, and\r\nlateral movement activity on the network of a medical center. Within minutes, we observed Cobalt Strike and\r\nother malicious tools that all pointed toward a troubling conclusion: the hospital was probably a few hours away\r\nfrom a full-blown Ryuk ransomware outbreak. Thanks in no small part to our incident response partners at Kroll,\r\nwhose Responder team rapidly engaged and began active containment steps as we detected threats, that didn’t\r\nhappen.\r\nThis week, news has spread that many hospitals in the United States are being attacked by Ryuk ransomware—\r\nand are very likely experiencing some version of what we’ve just described. Despite being in the throes of a\r\npandemic that’s already over-burdening global public health infrastructure, ransomware crews have been\r\nescalating their operations against hospitals for months now.\r\nThese attacks are abhorrent. The people responsible for them are despicable. And we, like DHS CISA, Mandiant,\r\nand others in the information security community, want to help the hospitals that care for all of us however we\r\ncan. So we’re sharing the details of how we thwarted these operators earlier this month—in the hopes you can\r\ntake this information and better protect your own organizations.\r\nBackground\r\nWe’ve been following all the recent reporting and tweets about hospitals being attacked by Ryuk ransomware. But\r\nRyuk isn’t new to us… we’ve been tracking it for years. More important than just looking at Ryuk ransomware\r\nitself, though, is looking at the operators behind it and their tactics, techniques, and procedures (TTPs)—\r\nespecially those used before they encrypt any data. 
The operators of Ryuk ransomware are known by different\r\nnames in the community, including “WIZARD SPIDER,” “UNC1878,” and “Team9.” The malware they use has\r\nincluded TrickBot, Anchor, Bazar, Ryuk, and others.\r\nMany in the community have shared reporting about these operators and malware families (check out the end of\r\nthis blog post for links to some excellent reporting from other teams), so we wanted to focus narrowly on what\r\nwe’ve observed: BazarLoader/BazarBackdoor (which we’re collectively calling Bazar) used for initial access,\r\nfollowed by deployment of Cobalt Strike, and hours or days later, the potential deployment of Ryuk ransomware.\r\nWe have certainly seen TrickBot lead to Ryuk ransomware in the past. This month, however, we’ve observed\r\nBazar as a common initial access method, leading to our assessment that Bazar is a greater threat at this time for\r\nthe eventual deployment of Ryuk.\r\nWhat we’ve seen and how you can detect it\r\nhttps://redcanary.com/blog/how-one-hospital-thwarted-a-ryuk-ransomware-outbreak/\r\nPage 1 of 6\n\nWhile every ransomware outbreak can play out in different ways, we want to focus on the attack we saw in mid-October and stopped before ransomware was deployed. As we walk through this specific attack, we’ll identify\r\n10 detection opportunities that work for us—and we hope they’ll work for you too. This attack can serve as a\r\nfunctional example for what you might expect to see if you’re responsible for defending a healthcare organization.\r\nIf you’re interested in the MITRE ATT\u0026CK® techniques covered by this incident, check out the ATT\u0026CK\r\nNavigator layer here. You can learn more about ATT\u0026CK Navigator here.\r\nThis graphic provides an overall representation of how the attack unfolded. 
We’ll dive into the details, complete\r\nwith detection opportunities, below.\r\nInitial access came by way of a phishing email containing a PDF attachment. The user opened this attachment and\r\nclicked on a link in the PDF, which connected to Google Drive and downloaded a file named Report[mm]-\r\n[dd].exe (for example, the file name would be Report10-29.exe if the email was delivered on October 29).\r\nThis .exe is known as Bazar, which has different components known by the community as BazaLoader,\r\nBazarLoader, and BazarBackdoor.\r\nDetection Opportunity 1: Process hollowing of cmd.exe\r\nThis .exe file used process hollowing techniques to inject into cmd.exe. You can identify this process\r\nhollowing, as we did, by looking for instances of the Windows Command prompt (cmd.exe) executing without\r\nany command-line parameters and establishing a network connection. If that’s too noisy, you could try limiting the\r\nnetwork connections to port 443 or 53. You could also limit false positives by looking for child processes spawned\r\nby the hollowed cmd.exe process. Typical child processes associated with Bazar include: cmd.exe,\r\nsvchost.exe, explorer.exe, nltest.exe, and net.exe, as shown in the process tree below.\r\nDetection Opportunity 2: Enumerating domain trusts activity with nltest.exe\r\nWe then observed several reconnaissance commands associated with Bazar. Specifically, we observed the\r\nadversary using nltest.exe to make domain trust determinations. 
While you probably can’t disable\r\nnltest.exe, looking for instances of it executing with a command line that includes /dclist:\u003cdomain\u003e,\r\n/domain_trusts or /all_trusts has proven to be a very high-fidelity analytic for us to catch both Bazar (in\r\nthis incident) as well as TrickBot (in past incidents). In fact, based on this overlap, it appears likely that Bazar may\r\nbe reusing some code from TrickBot, which could lead to some confusion over which malware family is which.\r\nDetection Opportunity 3: Enumerating domain admins with net group\r\nWe also saw the adversary attempting to enumerate Windows domain administrator accounts, a behavior that we\r\ncommonly associate with ransomware operators. In particular, we find it useful to look for net group \"domain\r\nadmins\" /dom and net group \"domain admins\" /domain.\r\nDetection Opportunity 4: Process hollowing of explorer.exe\r\nDuring this phase, we also saw the adversary use process hollowing with both explorer.exe and svchost.exe.\r\nWe observed explorer.exe spawning svchost.exe—this isn’t normal, so you should look for that in your\r\nenvironment. More broadly, you can look for svchost.exe processes where the parent is not services.exe to\r\nidentify this and other malicious activity. (If you’ve never checked it out, we highly recommend looking at the\r\nSANS Hunt Evil poster!)\r\nAnother way we detected this activity was by looking for svchost.exe with no command-line options.\r\nLegitimate instances of svchost.exe should almost always have command-line options that include -k and the\r\nname of a service the process manages. 
Instances of svchost.exe with no command-line options are suspicious\r\nand may indicate that svchost.exe has been spawned to host injected code—like we saw in this incident.\r\nDetection Opportunity 5: Attempted lateral movement via WMI + PowerShell +\r\nCobalt Strike\r\nNext, a Cobalt Strike binary was dropped on the endpoint as a .dll file and executed by rundll32.exe. With\r\nthat, the intrusion began spreading laterally via Cobalt Strike. The operators used Windows Management\r\nInstrumentation (WMI) in their lateral movement attempt. WMI spawned cmd.exe, which subsequently spawned\r\nPowerShell with an encoded command line. This encoded PowerShell creates another Cobalt Strike Beacon.\r\nWe’ve found that looking for encoded PowerShell is a great way to catch this specific evil and a lot of other evil,\r\ntoo. In this incident, we saw a command line that began with:",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA",
		"Malpedia",
		"MITRE"
	],
	"references": [
		"https://redcanary.com/blog/how-one-hospital-thwarted-a-ryuk-ransomware-outbreak/"
	],
	"report_names": [
		"how-one-hospital-thwarted-a-ryuk-ransomware-outbreak"
	],
	"threat_actors": [
		{
			"id": "12211366-1f14-4eed-9d91-46b6a2ede618",
			"created_at": "2025-08-07T02:03:25.014713Z",
			"updated_at": "2026-04-10T02:00:03.624097Z",
			"deleted_at": null,
			"main_name": "GOLD ULRICK",
			"aliases": [
				"Grim Spider ",
				"UNC1878 "
			],
			"source_name": "Secureworks:GOLD ULRICK",
			"tools": [
				"Bloodhound",
				"Buer Loader",
				"Cobalt Strike",
				"Conti",
				"Diavol",
				"PowerShell Empire",
				"Ryuk",
				"SystemBC",
				"Team9 (aka BazarLoader)",
				"TrickBot"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "d90307b6-14a9-4d0b-9156-89e453d6eb13",
			"created_at": "2022-10-25T16:07:23.773944Z",
			"updated_at": "2026-04-10T02:00:04.746188Z",
			"deleted_at": null,
			"main_name": "Lead",
			"aliases": [
				"Casper",
				"TG-3279"
			],
			"source_name": "ETDA:Lead",
			"tools": [
				"Agentemis",
				"BleDoor",
				"Cobalt Strike",
				"CobaltStrike",
				"RbDoor",
				"RibDoor",
				"Winnti",
				"cobeacon"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "ab9d6b30-7c60-4d0b-8f49-e2e913c28508",
			"created_at": "2022-10-25T16:07:24.584775Z",
			"updated_at": "2026-04-10T02:00:05.042135Z",
			"deleted_at": null,
			"main_name": "UNC1878",
			"aliases": [],
			"source_name": "ETDA:UNC1878",
			"tools": [
				"Agentemis",
				"BEERBOT",
				"BazarBackdoor",
				"BazarCall",
				"BazarLoader",
				"Cobalt Strike",
				"CobaltStrike",
				"KEGTAP",
				"Ryuk",
				"Team9Backdoor",
				"bazaloader",
				"cobeacon"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "610a7295-3139-4f34-8cec-b3da40add480",
			"created_at": "2023-01-06T13:46:38.608142Z",
			"updated_at": "2026-04-10T02:00:03.03764Z",
			"deleted_at": null,
			"main_name": "Cobalt",
			"aliases": [
				"Cobalt Group",
				"Cobalt Gang",
				"GOLD KINGSWOOD",
				"COBALT SPIDER",
				"G0080",
				"Mule Libra"
			],
			"source_name": "MISPGALAXY:Cobalt",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "f6f91e1c-9202-4497-bf22-9cd5ef477600",
			"created_at": "2023-01-06T13:46:38.86765Z",
			"updated_at": "2026-04-10T02:00:03.12735Z",
			"deleted_at": null,
			"main_name": "WIZARD SPIDER",
			"aliases": [
				"TEMP.MixMaster",
				"GOLD BLACKBURN",
				"DEV-0193",
				"UNC2053",
				"Pistachio Tempest",
				"DEV-0237",
				"Storm-0230",
				"FIN12",
				"Periwinkle Tempest",
				"Storm-0193",
				"Trickbot LLC"
			],
			"source_name": "MISPGALAXY:WIZARD SPIDER",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "bc119938-a79c-4e5f-9d4d-dc96835dfe2e",
			"created_at": "2024-06-04T02:03:07.799286Z",
			"updated_at": "2026-04-10T02:00:03.606456Z",
			"deleted_at": null,
			"main_name": "GOLD BLACKBURN",
			"aliases": [
				"ITG23 ",
				"Periwinkle Tempest ",
				"Wizard Spider "
			],
			"source_name": "Secureworks:GOLD BLACKBURN",
			"tools": [
				"BazarLoader",
				"Buer Loader",
				"Bumblebee",
				"Dyre",
				"Team9",
				"TrickBot"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "75108fc1-7f6a-450e-b024-10284f3f62bb",
			"created_at": "2024-11-01T02:00:52.756877Z",
			"updated_at": "2026-04-10T02:00:05.273746Z",
			"deleted_at": null,
			"main_name": "Play",
			"aliases": null,
			"source_name": "MITRE:Play",
			"tools": [
				"Nltest",
				"AdFind",
				"PsExec",
				"Wevtutil",
				"Cobalt Strike",
				"Playcrypt",
				"Mimikatz"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "f4f16213-7a22-4527-aecb-b964c64c2c46",
			"created_at": "2024-06-19T02:03:08.090932Z",
			"updated_at": "2026-04-10T02:00:03.6289Z",
			"deleted_at": null,
			"main_name": "GOLD NIAGARA",
			"aliases": [
				"Calcium ",
				"Carbanak",
				"Carbon Spider ",
				"FIN7 ",
				"Navigator ",
				"Sangria Tempest ",
				"TelePort Crew "
			],
			"source_name": "Secureworks:GOLD NIAGARA",
			"tools": [
				"Bateleur",
				"Carbanak",
				"Cobalt Strike",
				"DICELOADER",
				"DRIFTPIN",
				"GGLDR",
				"GRIFFON",
				"JSSLoader",
				"Meterpreter",
				"OFFTRACK",
				"PILLOWMINT",
				"POWERTRASH",
				"SUPERSOFT",
				"TAKEOUT",
				"TinyMet"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "0a4f4edc-ea8c-4a30-8ded-35394e29de01",
			"created_at": "2023-01-06T13:46:39.178183Z",
			"updated_at": "2026-04-10T02:00:03.23716Z",
			"deleted_at": null,
			"main_name": "UNC1878",
			"aliases": [],
			"source_name": "MISPGALAXY:UNC1878",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "63061658-5810-4f01-9620-7eada7e9ae2e",
			"created_at": "2022-10-25T15:50:23.752974Z",
			"updated_at": "2026-04-10T02:00:05.244531Z",
			"deleted_at": null,
			"main_name": "Wizard Spider",
			"aliases": [
				"Wizard Spider",
				"UNC1878",
				"TEMP.MixMaster",
				"Grim Spider",
				"FIN12",
				"GOLD BLACKBURN",
				"ITG23",
				"Periwinkle Tempest",
				"DEV-0193"
			],
			"source_name": "MITRE:Wizard Spider",
			"tools": [
				"TrickBot",
				"AdFind",
				"BITSAdmin",
				"Bazar",
				"LaZagne",
				"Nltest",
				"GrimAgent",
				"Dyre",
				"Ryuk",
				"Conti",
				"Emotet",
				"Rubeus",
				"Mimikatz",
				"Diavol",
				"PsExec",
				"Cobalt Strike"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "e6a21528-2999-4e2e-aaf4-8b6af14e17f3",
			"created_at": "2022-10-25T16:07:24.422115Z",
			"updated_at": "2026-04-10T02:00:04.983298Z",
			"deleted_at": null,
			"main_name": "Wizard Spider",
			"aliases": [
				"DEV-0193",
				"G0102",
				"Gold Blackburn",
				"Gold Ulrick",
				"Grim Spider",
				"ITG23",
				"Operation BazaFlix",
				"Periwinkle Tempest",
				"Storm-0230",
				"TEMP.MixMaster",
				"Wizard Spider"
			],
			"source_name": "ETDA:Wizard Spider",
			"tools": [
				"AdFind",
				"Agentemis",
				"Anchor_DNS",
				"BEERBOT",
				"BazarBackdoor",
				"BazarCall",
				"BazarLoader",
				"Cobalt Strike",
				"CobaltStrike",
				"Conti",
				"Diavol",
				"Dyranges",
				"Dyre",
				"Dyreza",
				"Dyzap",
				"Gophe",
				"Invoke-SMBAutoBrute",
				"KEGTAP",
				"LaZagne",
				"LightBot",
				"PowerSploit",
				"PowerTrick",
				"PsExec",
				"Ryuk",
				"SessionGopher",
				"TSPY_TRICKLOAD",
				"Team9Backdoor",
				"The Trick",
				"TheTrick",
				"Totbrick",
				"TrickBot",
				"TrickLoader",
				"TrickMo",
				"Upatre",
				"bazaloader",
				"cobeacon"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434667,
	"ts_updated_at": 1775792170,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/1483df4bd201075aef83f851d93741b092ce8c7b.pdf",
		"text": "https://archive.orkl.eu/1483df4bd201075aef83f851d93741b092ce8c7b.txt",
		"img": "https://archive.orkl.eu/1483df4bd201075aef83f851d93741b092ce8c7b.jpg"
	}
}