Article

US Government Alerts of Imminent Attacks Against the Healthcare Sector by Trickbot Group

Nov 3, 2020

Arete Analysis

Red digital warning symbol glowing on a circuit board interface, representing active ransomware exploitation of the VMware ESXi CVE 2025 22225 vulnerability and hypervisor compromise.

Executive Summary

Last week, the Cybersecurity and Infrastructure Security Agency (CISA) in collaboration with the Federal Bureau of Investigation (FBI), and the Department of Health and Human Services (HHS) released the following alert: AA20-302A – Ransomware Activity Targeting the Healthcare and Public Health Sector.

The alert informs that there is credible intelligence of an increased and imminent cybercrime threat to U.S. hospitals and healthcare providers associated with the Trickbot and BazarLoader trojans that often leads to ransomware like the Ryuk and Conti ransomware. The alert also mentions the Trickbot Anchor tool set and Anchor DNS tool developed by this group.

News of these attacks against the Healthcare sector are of special concern due to the recent increase of COVID-19 cases in the US and evidence that shows ransomware attacks against the healthcare sector have been associated with persons losing their lives due to services being routed to nearby hospitals and laboratory results not being quickly delivered electronically to the providers.

Arete statistics and Intel from Arete’s Fusion Center and Open-source intelligence (OSINT) shows that this new wave of attacks since October 2020 have a slight change in TTPs and the BazarLoader malware has now been observed in systems compromised with Ryuk.

The Arete incident response (IR) practice has responded to more than ninety (90) Ryuk engagements since 2019 with more than six breach responses engagements just in the month of October 2020.

Based on Intelligence gathered from our DFIR cases, Arete’s Fusion Center had developed countermeasures deployed in the SentinelOne EDR platform to detect these threats and our Managed Detection and Response (MDR) team has been handling detections at our client’s sites.

This article is meant to share with the community Arete’s statistics and our assessment based on breach response engagements.

Statistical Data from Arete’s Metrics

The information listed below is based on Ryuk cases investigated by Arete IR since January 2019. Our IR and Data Analytics practices work together to track key data points for every ransomware engagement. Our IR practice tracks data points on the ransomware variant and collects statis-tics based on handled engagements:

Since 2019, Arete has responded to Ryuk cases in some of the following sectors:

Average duration of business downtime: 9.47 days
Average original ransom demand in bitcoin: 125.39 BTC
Average final ransom demand in bitcoin: 72.58 BTC
Average ransom demand paid in US dollars: $621,064.05
Minimum ransom demand paid in US dollars: $10,000.00
Maximum ransom demand paid in US dollars: $5,177,510.78
Remote access is the most common method of intrusion found 39.34% of the times
During the Ryuk dwell time this year, Arete responded to ten (10) Conti ransomware engagements

Ryuk Ransomware Overview

Since August 2018, a Russian-based cybercrime group has been operating a ransomware known as Ryuk (a customized version of Hermes commodity ransomware).

The industry saw a sudden drop of Ryuk, starting around the time that COVID-19 had its major impact in March 2020. This is also around the same time that a very similar, Conti ransomware, began to kick-off, leading many to believe that Conti was merely a rebrand of Ryuk. The data suggests though that it is possible that Conti was a failed rebrand since Arete IR has not been engaged with Conti infected clients since Ryuk attacks started again in October 2020.

Ryuk typically compromises networks through Trickbot, or Emotet then delivering Trickbot. Trickbot has recently been in the news in the cyber industry due to Microsoft’s approval via a court order to engage in disruption efforts of this botnet. With this active disruption campaign, it is possible that the sudden return and up-tick of Ryuk infections is due to the Russian cybercrime group acting in retaliation utilizing their more mature ransomware product, Ryuk, as opposed to the potentially rebranded, Conti, which could still have been in a testing phase. This is based on the sudden stop of Conti and up-rise of Ryuk in line with the disruption efforts from Microsoft.

According to Microsoft, they initially disabled sixty-two (62) of the initially identified sixty-nine (69) Trickbot servers. Almost immediately, fifty-nine (59) new servers were attempted to be added to the Trickbot infrastructure. As of October 20, 2020, fifty-eight (58) of the new servers have also been disabled leaving a total number of eight (8) known active Trickbot servers.

Ryuk Wave Crashing on US Healthcare

Of the more than ninety (90) total Ryuk ransomware engagements that Arete IR has led since May 2019, nineteen (19) of those engagements were for a client in the healthcare industry (23%). Out of the seven (7) engagements of Ryuk ransomware that Arete IR has led since it re-emerged in October 2020, the most recent case is the only client that is in the healthcare industry (14%). This evidence shows it is not typical for Ryuk attacks to be focused primarily on the healthcare industry. This could further backup the theory that the impending Ryuk wave of attacks on the healthcare

industry could be retaliation for Microsoft’s disruption campaign against the Trickbot infrastructure that Ryuk is known for utilizing for initial intrusion.

Recommendations

Install an Endpoint Detection and Response (EDR) solution with the capability to halt detected processes and isolate systems on the network, based on identified conditions
Block: Any known attacker C2s in the firewall; A high number of SMB connection attempts from one system to others in the network over a short period of time
Implement: A system enforced password policy to force users into changing passwords at least every 90 days; Multifactor authentication (MFA) on RDP and VPN access
If not needed, eliminate vulnerable RDP ports exposed to the internet
Perform: Dark web monitoring periodically to verify if data from the organization is available for sell in the black market; Penetration tests • Periodically patch systems and update tools
Monitor: Connections to the network from suspicious locations; Downloadsuploads of files to file sharing services over non-standard hours, not commonly used in the organization, etc; Uploads of files from Domain Controllers to the internet; Network scans from uncommon servers (e.g. RDP server)

Back to Blog Posts

Article

Mar 9, 2026

Ransomware Trends & Data Insights: February 2026

After a slight lull in January, Akira and Qilin returned to dominating ransomware activity in February, collectively accounting for almost half of all engagements that month. The rest of the threat landscape remained relatively diverse, with a mix of persistent threats like INC and PLAY, older groups like Cl0p and LockBit, and newer groups like BravoX and Payouts King. Given current trends, the first quarter of 2026 will likely remain relatively predictable, with the top groups from the second half of 2025 continuing to operate at fairly consistent levels month to month.

Figure 1. Activity from the top 5 threat groups in February 2026

Throughout the month of February, analysts at Arete identified several trends behind the threat actors perpetrating cybercrime activities:

In February, Arete observed Qilin actively targeting WatchGuard Firebox devices, especially those vulnerable to CVE-2025-14733, to gain initial access to victim environments. CVE-2025-14733 is a critical vulnerability in WatchGuard Fireware OS that allows a remote, unauthenticated threat actor to execute arbitrary code. In addition to upgrading WatchGuard devices to the latest Firebox OS version, which patches the bug, administrators are urged to rotate all shared secrets on affected devices that may have been compromised and may be used in future campaigns.
Reports from February suggest that threat actors are increasingly exploring AI-enabled tools and services to scale malicious activities, demonstrating how generative AI is being integrated into both espionage and financially motivated threat operations. The Google Threat Intelligence Group indicated that state-backed threat actors are leveraging Google’s Gemini AI as a force multiplier to support all stages of the cyberattack lifecycle, from reconnaissance to post-compromise operations. Separate reporting from Amazon Threat Intelligence identified a threat actor leveraging commercially available generative AI services to conduct a large-scale campaign against FortiGate firewalls, gaining access through weak or reused credentials protected only by single-factor authentication.
The Interlock ransomware group recently introduced a custom process-termination utility called “Hotta Killer,” designed to disable endpoint detection and response solutions during active intrusions. This tool exploits a zero-day vulnerability (CVE-2025-61155) in a gaming anti-cheat driver, marking a significant adaptation in the group’s operations against security tools like FortiEDR. Arete is actively monitoring this activity, which highlights the growing trend of Bring Your Own Vulnerable Driver (BYOVD) attacks, in which threat actors exploit legitimate, signed drivers to bypass and disable endpoint security controls.

Sources

Arete Internal

Article

Mar 3, 2026

ClickFix Campaign Delivers Custom RAT

Security researchers identified a sophisticated evolution of the ClickFix campaign that aims to compromise legitimate websites before delivering a five-stage malware chain, culminating in the deployment of MIMICRAT. MIMICRAT is a custom remote access trojan (RAT) written in the C/C++ programming language that offers various capabilities early in the attack lifecycle. The attack begins with victims visiting compromised websites, where JavaScript plugins load a fake Cloudflare verification that tricks users into executing a malicious PowerShell script, further displaying the prominence and effectiveness of ClickFix and its user interaction techniques.

Not Your Average RAT

MIMICRAT displays above-average defense evasion and sophistication, including:

A five-stage PowerShell sequence beginning with Event Tracing for Windows and Anti-Malware Scan Interface bypasses, which are commonly used in red teaming for evading detection by EDR and AV toolsets.
The malware later uses a lightweight scripting language that is scripted into memory, allowing malicious actions without files that could easily be detected by an EDR tool.
MIMICRAT uses malleable Command and Control profiles, allowing for a constantly changing communication infrastructure.
The campaign uses legitimate compromised infrastructure, rather than attacker-owned tools, and is prepped to use 17 different languages, which increases global reach and defense evasion.

Analyst Comments

The ClickFix social engineering technique remains an effective means for threat actors to obtain compromised credentials and initial access to victim environments, enabling them to deploy first-stage malware. Coupled with the sophisticated MIMICRAT RAT, the effectiveness of this campaign could increase. Arete will continue monitoring for changes to the ClickFix techniques, the deployment of MIMICRAT in other campaigns, and other pertinent information relating to the ongoing campaign.

Sources

MIMICRAT: ClickFix Campaign Delivers Custom RAT via Compromised Legitimate Websites

Article

Feb 20, 2026

Threat Actors Leveraging Gemini AI for All Attack Stages

State-backed threat actors are leveraging Google’s Gemini AI as a force multiplier to support all stages of the cyberattack lifecycle, from reconnaissance to post-compromise operations. According to the Google Threat Intelligence Group (GTIG), threat actors linked to the People’s Republic of China (PRC), Iran, North Korea, and other unattributed groups have misused Gemini to accelerate target profiling, synthesize open-source intelligence, identify official email addresses, map organizational structures, generate tailored phishing lures, translate content, conduct vulnerability testing, support coding tasks, and troubleshoot malware development. Cybercriminals are increasingly exploring AI-enabled tools and services to scale malicious activities, including social engineering campaigns such as ClickFix, demonstrating how generative AI is being integrated into both espionage and financially motivated threat operations.

What’s Notable and Unique

Threat actors are leveraging Gemini beyond basic reconnaissance, using it to generate polished, culturally nuanced phishing lures and sustain convincing multi-turn social engineering conversations that minimize traditional red flags.
In addition, threat actors rely on Gemini for vulnerability research, malware debugging, code generation, command-and-control development, and technical troubleshooting, with PRC groups emphasizing automation and vulnerability analysis, Iranian actors focusing on social engineering and malware development, and North Korean actors prioritizing high-fidelity target profiling.
Beyond direct operational support, adversaries have abused public generative AI platforms to host deceptive ClickFix instructions, tricking users into pasting malicious commands that deliver macOS variants of ATOMIC Stealer.
AI is also being integrated directly into malware development workflows, as seen with CoinBait’s AI-assisted phishing kit capabilities and HonestCue’s use of the Gemini API to dynamically generate and execute in-memory C# payloads.
Underground forums show strong demand for AI-powered offensive tools, with offerings like Xanthorox falsely marketed as custom AI but actually built on third-party commercial models integrated through open-source frameworks such as Crush, Hexstrike AI, LibreChat-AI, and Open WebUI, including Gemini.

Analyst Comments

The increasing misuse of generative AI platforms like Gemini highlights a rapidly evolving threat landscape in which state-backed and financially motivated actors leverage AI as a force multiplier for reconnaissance, phishing, malware development, and post-compromise operations. At the same time, large-scale model extraction attempts and API abuse demonstrate emerging risks to AI service integrity, intellectual property, and the broader AI-as-a-Service ecosystem. While these developments underscore the scalability and sophistication of AI-enabled threats, continued enforcement actions, strengthened safeguards, and proactive security testing by providers reflect ongoing efforts to mitigate abuse and adapt defenses in response to increasingly AI-driven adversaries.

Sources

GTIG AI Threat Tracker: Distillation, Experimentation, and (Continued) Integration of AI for Adversarial Use

Article

Feb 12, 2026

2025 VMware ESXi Vulnerability Exploited by Ransomware Groups

Ransomware groups are actively exploiting CVE‑2025‑22225, a VMware ESXi arbitrary write vulnerability that allows attackers to escape the VMX sandbox and gain kernel‑level access to the hypervisor. Although VMware (Broadcom) patched this flaw in March 2025, threat actors had already exploited it in the wild, and CISA recently confirmed that threat actors are exploiting CVE‑2025‑22225 in active campaigns.

What’s Notable and Unique

Chinese‑speaking threat actors abused this vulnerability at least a year before disclosure, via a compromised SonicWall VPN chain.
Threat researchers have observed sophisticated exploit toolkits, possibly developed well before public disclosure, that chain this bug with others to achieve full VM escape. Evidence points to targeted activity, including exploitation via compromised VPN appliances and automated orchestrators.
Attackers with VMX level privileges can trigger a kernel write, break out of the sandbox, and compromise the ESXi host. Intrusions observed in December 2025 showed lateral movement, domain admin abuse, firewall rule manipulation, and staging of data for exfiltration.
CISA has now added CVE-2025-22225 to its Known Exploited Vulnerabilities (KEV) catalog, underscoring ongoing use by ransomware attackers.

Analyst Comments

Compromise of ESXi hypervisors significantly amplifies operational impact, allowing access to and potential encryption of dozens of VMs simultaneously. Organizations running ESXi 7.x and 8.x remain at high risk if patches and mitigations have not been applied. Therefore, clients are recommended to apply VMware patches from VMSA‑2025‑0004 across all ESXi, Workstation, and Fusion deployments. Enterprises are advised to assess their setups in order to reduce risk, as protecting publicly accessible management interfaces is a fundamental security best practice.

Sources

CVE-2025-22225 in VMware ESXi now used in active ransomware attacks
The Great VM Escape: ESXi Exploitation in the Wild
VMSA-205-004: VMware ESXi, Workstation, and Fusion updates address multiple vulnerabilities (CVE-205-22224, CVE-2025-22225, CVE-2025-22226)