Two weeks ago Minerva Labs introduced its innovative Minerva Anti-Evasion Platform to the healthcare industry at the Health IT Summit, Boston 2016. During the last couple of decades, the healthcare industry went through an end-to-end transformation – integrating advanced computer solutions into almost all of its services.

Unfortunately, cyber-criminals are always looking for new opportunities – and this sector became a prime target for them, as the FBI warned in a Private Industry Notification back in 2014. This alert was not in vain, as the incidents described below proved later in 2015 and 2016.

Ransomware Targeting a Medical Center

The Hollywood Presbyterian Medical Center experienced a ransomware attack last February, possibly the first attack of this kind against a medical facility. The hospital’s CEO surrendered to the ransom demand and paid a “mere” $17,000 in bitcoin. Luckily, the hospital regained access to the encrypted files soon after the transaction was completed, and resumed normal operations. We can only imagine the potential damage if they weren’t able to restore the files – causing not only direct financial losses to the hospital but also a possible threat to patients’ lives, preventing access to their medical files in critical, time-sensitive conditions.

Sophisticated APTs and POS Scrapers

Although ransomware is a hot-button issue nowadays, we should keep in mind that it is just one “flavor” in the current threat landscape. Many other severe risks for the healthcare industry are out there. The super-sophisticated Andromeda APT is a great example of such a threat. This state-of-the-art malware, capable of anything from simple data exfiltration to deploying customized modules, has hit the healthcare industry “14 times more than the average industry”, as a report by Raytheon mentioned. TrendMicro’s research unveiled a possible reason for the intensity of the attacks – a point-of-sale (POS) scraping module that Andromeda is able to deploy if it reaches such a device.

Minerva Anti-Evasion Platform Benefits

In order to bypass modern security solutions, malware often implements “evasion techniques”, testing whether it is being executed inside a sandbox or whether high-end security solutions are present. Minerva’s innovative technology makes the malware “believe” it is being executed in such a hostile environment by simulating thousands of artifacts searched for by environmentally-aware malware.

Andromeda, for example, checks whether the environment is safe before executing its malicious modules by comparing the running processes against a blacklist of over twenty “bad” processes. If any of these processes is present, it means that the sample has landed on either a sandbox or a security researcher’s machine – where it should avoid malicious activities. This is the actual list of blacklisted processes as published by the security researcher Jose Miguel Esparza:

Minerva’s solution simulates all of those processes, and many others – causing Andromeda to halt its execution without any damage to the victim. You may also see how malware authors enhance the evasiveness of their “product” by continuously adding more and more blacklisted processes – thus making our job even easier. All we need is to simulate a single process, as the malware will terminate if any one of them is present. We were able to obtain eighteen Andromeda malware samples, disguised as software related to a large vendor of practice management and electronic health record software. All of the samples immediately terminated when Minerva simulated a threatening environment for them (see hashes in the IOCs section).
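The any-match logic described above can be modelled from the defender's side. The following is an added example, not Minerva's code and not part of the original article: it picks a small set of decoy process names so that every known blacklist contains at least one of them. The family names, process names and the helper functions would_halt and choose_decoys are constructed for illustration.

```python
# Added example. Family names and process names are constructed placeholders,
# not the Andromeda blacklist referenced in the article.
BLACKLISTS = {
    "family_a": {"sandbox_agent.exe", "packet_sniffer.exe", "debugger.exe"},
    "family_b": {"packet_sniffer.exe", "vm_tools.exe"},
    "family_c": {"vm_tools.exe", "proc_monitor.exe", "debugger.exe"},
    "family_d": {"av_service.exe"},
}


def would_halt(blacklist, visible_processes):
    """Any-match model: one blacklisted name in the process list is enough."""
    visible = {p.lower() for p in visible_processes}
    return any(name.lower() in visible for name in blacklist)


def choose_decoys(blacklists):
    """Greedy hitting set: pick decoy names until every blacklist has a hit.

    Returns (decoys, uncovered); families with an empty blacklist perform no
    environment check and can never be covered, so they end up in uncovered.
    """
    uncovered = set(blacklists)
    decoys = []
    while uncovered:
        counts = {}
        for family in uncovered:
            for name in blacklists[family]:
                counts[name] = counts.get(name, 0) + 1
        if not counts:
            break  # only non-evasive families remain
        # Most widely blacklisted name first; alphabetical order breaks ties.
        best = max(sorted(counts), key=counts.get)
        decoys.append(best)
        uncovered = {f for f in uncovered if best not in blacklists[f]}
    return decoys, sorted(uncovered)


if __name__ == "__main__":
    decoys, missed = choose_decoys(BLACKLISTS)
    print("decoys:", decoys, "uncovered:", missed)
    # A family that lengthens its blacklist only adds ways to be covered.
    grown = dict(BLACKLISTS, family_d={"av_service.exe", "debugger.exe"})
    print("after family_d grows its list:", choose_decoys(grown)[0])
```

In the constructed data, three decoys cover all four families, and two suffice once family_d adds a name that another family already blacklists.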

This behavior is typical of many strains of malware, including ransomware; however, not all ransomware families are evasive. Seeing the devastating potential outcome of a successful ransomware attack, we developed a module designed to remediate the damages of such an attack. It enables the ransomware victim to regain access to encrypted files with a single mouse click. This is achieved using our existing infrastructure and without relying on third-party software or the Windows Volume Shadow Copy Service as others do.

Minerva’s platform was developed in a way that is oblivious to the type of the executed malware – we simply wait for it to ask “suspicious” questions about the environment. This is yet another great advantage against any kind of malware, enabling our solution to prevent a wide variety of malware while consuming next to zero resources. We can handle anything: from Windows executables to Java archives (jar) and even fileless malware snooping around for the presence of anti-exploitation products.

Lately we have witnessed how important this feature is on “the ransomware front” as well. New ransomware families are using “creative” formats – like the recent RAA ransomware, which was implemented in pure JavaScript. Other products chase trends like this, while our innovative product enables us to prevent and remediate threats such as the RAA ransomware without the need for frequent updates.


Hashes (SHA256) of healthcare-related Andromeda\Gamarue malware samples: