ELENOR-corp Ransomware Targets Healthcare Sector

A new ransomware strain known as ELENOR-corp, identified as version 7.5 of the Mimic ransomware, has been used in a series of targeted attacks on the healthcare sector.

The campaign displays a range of advanced capabilities, including data exfiltration, persistent access and anti-forensic strategies designed to cripple recovery efforts and maximize damage.

What’s New in the ELENOR-corp Variant

This latest Mimic iteration introduces several novel functions. Firstly, it ensures command-line access regardless of system restrictions. This is a crucial step to leverage the sticky keys bypass technique, which enables remote command execution without user credentials. It also forcibly dismounts virtual drives, preventing hidden data storage in mounted environments.

Ransomware deployment is accompanied by persistent registry entries and a visible ransom demand at the Windows login screen. If .NET 4.0 is present, a graphical interface (gui40.exe) lets attackers fine-tune encryption parameters. The executable is obfuscated to evade detection and complicate analysis.


A standout feature is ELENOR-corp’s aggressive evidence tampering. It deletes logs, file indexing histories and registry entries and uses fsutil commands to overwrite and delete its own binaries—limiting forensic recovery.

The malware also modifies power settings to boost encryption speed by disabling sleep and hibernation modes.

Broad Reach and Backup Deletion

To facilitate rapid spread across networks, ELENOR-corp enables parallel RDP sessions and overrides restrictions on concurrent logins.
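Three of the behaviours described so far leave a footprint in the registry rather than in process telemetry: the sticky keys bypass (an Image File Execution Options debugger set for sethc.exe), the ransom demand shown at the Windows login screen (the Winlogon legal-notice values), and the override of single-session RDP restrictions (fSingleSessionPerUser). The audit below is an added example written for this article, not code from Morphisec or from the ransomware analysis; it reads a snapshot of those keys and reports deviations from the expected state. The registry paths and value names are real Windows locations; the sample snapshots and the `approved_banner_text` parameter are constructed for illustration.

```python
"""Registry posture audit for the host changes described in the article.

A snapshot is a dict mapping a key path to {value_name: data}. Two sample
snapshots (constructed, not from a real incident) show a tampered and a clean host.
"""

# Real Windows registry locations touched by the described behaviours.
KEY_TERMINAL_SERVER = r"HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server"
KEY_IFEO_SETHC = (r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion"
                  r"\Image File Execution Options\sethc.exe")
KEY_WINLOGON = r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"
AUDITED_KEYS = (KEY_TERMINAL_SERVER, KEY_IFEO_SETHC, KEY_WINLOGON)


def audit_registry(snapshot, approved_banner_text=""):
    """Return a list of (finding_id, detail) tuples for the supplied snapshot.

    approved_banner_text is the organisation's own logon banner (assumed to be
    known); any other non-empty LegalNoticeText is reported.
    """
    findings = []

    # fSingleSessionPerUser=1 (the default) limits each account to one session;
    # 0 permits the parallel RDP sessions described in the article.
    ts = snapshot.get(KEY_TERMINAL_SERVER, {})
    if ts.get("fSingleSessionPerUser") == 0:
        findings.append(("rdp_multi_session_enabled",
                         "fSingleSessionPerUser=0 allows concurrent RDP logons per user"))

    # A Debugger value under IFEO\sethc.exe makes Windows launch that program
    # instead of Sticky Keys, which is what the sticky keys bypass relies on.
    # The key normally does not exist at all.
    ifeo = snapshot.get(KEY_IFEO_SETHC, {})
    if ifeo.get("Debugger"):
        findings.append(("sethc_debugger_set",
                         f"IFEO Debugger for sethc.exe -> {ifeo['Debugger']}"))

    # Winlogon LegalNoticeCaption/LegalNoticeText are shown before logon, which
    # is how a ransom demand ends up on the login screen.
    wl = snapshot.get(KEY_WINLOGON, {})
    text = wl.get("LegalNoticeText", "")
    if text and text != approved_banner_text:
        findings.append(("unexpected_logon_notice",
                         f"LegalNoticeText differs from approved banner: {text[:60]!r}"))
    return findings


def snapshot_from_live_host(key_paths=AUDITED_KEYS):
    """Build the same snapshot shape from a live Windows host (stdlib winreg; Windows only)."""
    import winreg
    snap = {}
    for path in key_paths:
        subkey = path.split("\\", 1)[1]  # drop the "HKLM" prefix
        try:
            with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, subkey) as key:
                values, index = {}, 0
                while True:
                    try:
                        name, data, _ = winreg.EnumValue(key, index)
                    except OSError:
                        break  # no more values under this key
                    values[name] = data
                    index += 1
            snap[path] = values
        except FileNotFoundError:
            continue  # absent key (e.g. IFEO\sethc.exe) is the expected clean state
    return snap


APPROVED_BANNER = "Authorised users only. Activity is monitored."  # constructed

# Constructed snapshot of a host showing all three changes.
TAMPERED_SNAPSHOT = {
    KEY_TERMINAL_SERVER: {"fDenyTSConnections": 0, "fSingleSessionPerUser": 0},
    KEY_IFEO_SETHC: {"Debugger": r"C:\ProgramData\example-launcher.exe"},  # constructed path
    KEY_WINLOGON: {"LegalNoticeCaption": "Notice",
                   "LegalNoticeText": "Your files have been encrypted. See the readme."},
}

# Constructed snapshot of a clean host with the organisation's own banner.
CLEAN_SNAPSHOT = {
    KEY_TERMINAL_SERVER: {"fDenyTSConnections": 0, "fSingleSessionPerUser": 1},
    KEY_WINLOGON: {"LegalNoticeCaption": "Notice", "LegalNoticeText": APPROVED_BANNER},
}

if __name__ == "__main__":
    for name, snap in (("tampered", TAMPERED_SNAPSHOT), ("clean", CLEAN_SNAPSHOT)):
        print(name, audit_registry(snap, APPROVED_BANNER))
```

Run against a live host with `audit_registry(snapshot_from_live_host(), APPROVED_BANNER)`; the check is cheap enough to schedule on every RDP-exposed machine and to compare against a golden baseline, so that a change in any of the three keys raises an alert rather than being discovered during recovery.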

Network shares—both public and hidden—are scanned using recursive enumeration and low-level socket functions. Target shares are added for encryption, with some administrative shares specifically excluded.

Backup deletion is another key tactic. By wiping the Windows backup catalog and Recycle Bin, ELENOR-corp ensures victims cannot restore data without significant manual intervention.
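The anti-forensic steps (log deletion and fsutil overwriting of the malware's own binaries), the power-setting changes and the backup catalog wipe all run as commands, so process-creation telemetry (Sysmon event 1 or Security 4688 with command-line logging) is where they show up. The script below is an added example for this article, not Morphisec's detection content; it runs a small rule set over constructed process records and escalates a host when several distinct anti-recovery rules fire together. The page does not state which fsutil subcommands or powercfg switches the sample invokes, so the patterns for those two rules are my assumptions about how the described behaviour would appear; `wevtutil cl` and `wbadmin delete catalog` are the standard commands for clearing a log and deleting the backup catalog. Security event 1102 (audit log cleared) is a complementary signal not covered here.

```python
"""Detection rules for anti-forensic and backup-destruction commands.

Input events are dicts with host, ts, image and cmdline keys, the shape one
would get from Sysmon EventID 1 after minimal normalisation. All sample events
below are constructed for illustration.
"""
import re
from collections import defaultdict

# (rule_id, pattern over the full command line). The fsutil and powercfg
# patterns are assumptions about how the article's described behaviour would
# look on the command line, not quotes from the advisory.
RULES = [
    ("fsutil_wipe",
     re.compile(r"\bfsutil(\.exe)?\b.*\b(setzerodata|deletejournal)\b", re.I)),
    ("eventlog_clear",
     re.compile(r"\bwevtutil(\.exe)?\b.*\b(cl|clear-log)\b", re.I)),
    ("backup_catalog_delete",
     re.compile(r"\bwbadmin(\.exe)?\b.*\bdelete\b.*\b(catalog|systemstatebackup)\b", re.I)),
    ("power_settings_change",
     re.compile(r"\bpowercfg(\.exe)?\b.*(-h\s+off|/h(ibernate)?\s+off|standby-timeout)", re.I)),
]


def match_rules(event):
    """Return the ids of every rule whose pattern matches the event's command line."""
    return [rule_id for rule_id, pattern in RULES if pattern.search(event["cmdline"])]


def triage(events, min_distinct=2):
    """Group hits per host; 'high' when at least min_distinct different rules fired.

    A single clear of one log or one powercfg call is noisy on its own; the
    combination of log clearing, binary wiping and backup deletion on one host
    is the pattern described in the article and is what we escalate on.
    """
    per_host = defaultdict(lambda: {"rules": set(), "hits": []})
    for ev in events:
        for rule_id in match_rules(ev):
            per_host[ev["host"]]["rules"].add(rule_id)
            per_host[ev["host"]]["hits"].append((ev["ts"], rule_id, ev["cmdline"]))
    return {
        host: {
            "severity": "high" if len(d["rules"]) >= min_distinct else "medium",
            "rules": sorted(d["rules"]),
            "hits": sorted(d["hits"]),
        }
        for host, d in per_host.items()
    }


# Constructed sample telemetry: one host showing the described sequence and one
# host running ordinary administrative commands that must not alert.
SAMPLE_EVENTS = [
    {"host": "WS-042", "ts": "2025-04-30T02:11:05",
     "image": r"C:\Windows\System32\wbadmin.exe", "cmdline": "wbadmin delete catalog -quiet"},
    {"host": "WS-042", "ts": "2025-04-30T02:11:09",
     "image": r"C:\Windows\System32\powercfg.exe", "cmdline": "powercfg /hibernate off"},
    {"host": "WS-042", "ts": "2025-04-30T02:12:40",
     "image": r"C:\Windows\System32\wevtutil.exe", "cmdline": "wevtutil cl Security"},
    {"host": "WS-042", "ts": "2025-04-30T02:12:41",
     "image": r"C:\Windows\System32\fsutil.exe",
     "cmdline": r"fsutil file setzerodata offset=0 length=1048576 C:\ProgramData\payload.exe"},
    {"host": "FILESRV-01", "ts": "2025-04-30T09:00:01",
     "image": r"C:\Windows\System32\wevtutil.exe", "cmdline": "wevtutil qe Application /c:5"},
    {"host": "FILESRV-01", "ts": "2025-04-30T09:00:07",
     "image": r"C:\Windows\System32\fsutil.exe", "cmdline": "fsutil fsinfo drives"},
    {"host": "FILESRV-01", "ts": "2025-04-30T09:00:12",
     "image": r"C:\Windows\System32\powercfg.exe", "cmdline": "powercfg /list"},
]

if __name__ == "__main__":
    for host, result in triage(SAMPLE_EVENTS).items():
        print(host, result["severity"], result["rules"])
        for ts, rule_id, cmdline in result["hits"]:
            print("   ", ts, rule_id, cmdline)
```

The rules deliberately key on the built-in utilities rather than on the ransomware's file name or hash, since the article notes the binary is obfuscated and later overwrites itself; a renamed copy of wbadmin.exe would still be caught because the pattern matches the command line, not the image path.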

Key Techniques Used by ELENOR-corp

According to a new advisory published by Morphisec today, key techniques used by this ransomware are:

  • Credential harvesting via a clipper malware compiled in Python

  • RDP-based lateral movement using tools like NetScan and Mimikatz

  • Persistent file indexing and encrypted configuration templates

  • Upload of stolen data through Edge browsers to Mega.nz

  • Encryption of remote network shares using Windows APIs

  • Destruction of Windows Recovery Environment and system state backups

Security researchers recommend bolstering RDP configurations with MFA, monitoring for forensic tampering and maintaining offline backups.