ELENOR-Corp Ransomware Group Targets Healthcare with New Mimic Ransomware Variant

HIPAA Journal has published a recent report detailing how a new ransomware group, ELENOR-Corp, is actively targeting the healthcare sector with a sophisticated variant of Mimic ransomware. The attack was uncovered during an incident response investigation, where researchers linked the ransomware deployment to a prior infection involving Clipper malware, a Python-based clipboard hijacker used for credential theft. Clipper gave the attackers persistent access to the victim's environment, capturing daily user activity and running alongside a cryptocurrency miner. Approximately a week after the initial breach, ELENOR-Corp deployed Mimic ransomware, moving laterally through the network over Remote Desktop Protocol (RDP) and using tools such as Process Hacker and IOBit Unlocker.

The attackers created local admin accounts and leveraged utilities such as NetScan for network mapping, Mimikatz for harvesting credentials, PEView for inspecting executables, and Mssm.exe to establish persistence. Stolen data was uploaded to Mega.nz through the Microsoft Edge browser.

Mimic 7.5 introduces several advanced capabilities, including forced command-line access via the sticky-keys technique, encryption of remote network shares, destruction of backups and the Windows recovery environment, and unmounting of virtual drives to block data recovery. After encryption, a ransom note is displayed persistently: on the Desktop, via Notepad at reboot, and on the Windows login screen through modified registry keys.

Morphisec recommends that healthcare organizations secure RDP access with multi-factor authentication, monitor for signs of forensic tampering, and maintain offline backups of critical systems. For more information about the ELENOR-Corp ransomware group, refer to the HIPAA Journal article.
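As an added example (not code from the HIPAA Journal or Morphisec report), the following Python sketch turns the monitoring advice above into detection logic run over a handful of constructed Windows Security and Sysmon events: an RDP logon, creation of a new local administrator, execution of the tooling named in the report, the sticky-keys Image File Execution Options change, and shadow-copy deletion. The JSON field names (`ts`, `event_id`, `logon_type`, `target_object`, `cmdline`, and so on) are assumptions for this example; the event IDs (4624, 4720, 4732, 4688, Sysmon 13) and the `sethc.exe` IFEO `Debugger` value are standard Windows artifacts. The report does not name which registry keys Mimic modifies for the login-screen note, so the `LegalNoticeCaption`/`LegalNoticeText` rule is included as an assumption based on the usual Winlogon policy values.

```python
"""Detection sketch for the intrusion pattern described in the report.

Added example; the events below are constructed and the field names are
assumptions, not a real product's schema.
"""
import json
import re

# Tools named in the report (Mimikatz, NetScan, Process Hacker, IOBit Unlocker, PEView).
TOOL_PATTERNS = re.compile(r"(mimikatz|netscan|processhacker|iobit ?unlocker|peview)", re.I)
# Backup / recovery-environment destruction commands commonly seen before encryption.
BACKUP_KILL = re.compile(
    r"(vssadmin\s+delete\s+shadows|wbadmin\s+delete\s+catalog|bcdedit\b.*recoveryenabled\s+no)", re.I)
# Sticky-keys technique: a Debugger value under the sethc.exe IFEO key.
STICKY_KEYS_IFEO = re.compile(r"Image File Execution Options\\sethc\.exe\\Debugger$", re.I)
# Login-screen banner values (assumed mechanism; the report only says "modified registry keys").
LOGON_BANNER = re.compile(r"Policies\\System\\LegalNotice(Caption|Text)$", re.I)

# Constructed sample telemetry as JSON lines (raw string, so "\\" reaches JSON as an escaped backslash).
SAMPLE_EVENTS = r"""
{"ts": "2025-04-01T02:10:05", "event_id": 4624, "logon_type": 10, "user": "svc_backup", "src_ip": "203.0.113.7"}
{"ts": "2025-04-01T02:12:40", "event_id": 4720, "user": "svc_backup", "target_user": "helpdesk2"}
{"ts": "2025-04-01T02:12:41", "event_id": 4732, "user": "svc_backup", "target_user": "helpdesk2", "group": "Administrators"}
{"ts": "2025-04-01T02:15:02", "event_id": 4688, "user": "helpdesk2", "image": "C:\\Tools\\netscan.exe", "cmdline": "netscan.exe /range:10.0.0.0/24"}
{"ts": "2025-04-01T02:20:11", "event_id": 13, "user": "helpdesk2", "target_object": "HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options\\sethc.exe\\Debugger", "details": "C:\\Windows\\System32\\cmd.exe"}
{"ts": "2025-04-01T02:25:30", "event_id": 4688, "user": "helpdesk2", "image": "C:\\Windows\\System32\\vssadmin.exe", "cmdline": "vssadmin delete shadows /all /quiet"}
{"ts": "2025-04-01T09:00:00", "event_id": 4624, "logon_type": 2, "user": "nurse01", "src_ip": "-"}
{"ts": "2025-04-01T09:05:00", "event_id": 4688, "user": "nurse01", "image": "C:\\Program Files\\Microsoft\\Edge\\msedge.exe", "cmdline": "msedge.exe https://intranet.example"}
"""


def parse_events(text):
    """Parse JSON-lines telemetry into a list of dicts, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def finding(rule, ev, detail):
    """Uniform finding record: rule name, timestamp, acting user, free-text detail."""
    return {"rule": rule, "ts": ev["ts"], "user": ev.get("user"), "detail": detail}


def detect(events):
    """Apply the rules in event order and return the findings that fired."""
    findings = []
    new_accounts = {}  # target_user -> ts of the 4720 that created it
    for ev in events:
        eid = ev.get("event_id")
        if eid == 4624 and ev.get("logon_type") == 10:  # RemoteInteractive = RDP
            findings.append(finding("rdp_logon", ev, f"RDP logon from {ev.get('src_ip')}"))
        elif eid == 4720:  # user account created
            new_accounts[ev["target_user"]] = ev["ts"]
        elif eid == 4732 and ev.get("group") == "Administrators":  # added to local admins
            target = ev.get("target_user")
            if target in new_accounts:
                findings.append(finding("new_local_admin", ev,
                                        f"{target} created at {new_accounts[target]} then added to Administrators"))
        elif eid == 4688:  # process creation
            cmd = ev.get("cmdline", "")
            haystack = f"{ev.get('image', '')} {cmd}"
            if TOOL_PATTERNS.search(haystack):
                findings.append(finding("suspicious_tool", ev, haystack.strip()))
            if BACKUP_KILL.search(cmd):
                findings.append(finding("backup_destruction", ev, cmd))
        elif eid == 13:  # Sysmon registry value set
            obj = ev.get("target_object", "")
            if STICKY_KEYS_IFEO.search(obj):
                findings.append(finding("sticky_keys_ifeo", ev, f"{obj} = {ev.get('details')}"))
            elif LOGON_BANNER.search(obj):
                findings.append(finding("logon_banner_modified", ev, obj))
    return findings


if __name__ == "__main__":
    for f in detect(parse_events(SAMPLE_EVENTS)):
        print(f"{f['ts']} {f['rule']:<22} {f['user']:<12} {f['detail']}")
```

The rules are deliberately independent and ordered by the stages the report describes, so a single host timeline that fires several of them in sequence (RDP logon, new local admin, tooling, sticky-keys IFEO, backup deletion) is a much stronger signal than any one rule alone; the benign `nurse01` events fire nothing.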