Report Date 20 January, 2026
Reported By Ahmadou Ndiaye
Severity HIGH
Escalated To MyDFIR

Key Takeaways

Case Summary

On January 14, 2026, at approximately 20:33 UTC, Windows Security telemetry recorded multiple successful authentication events (Event ID 4624) on VHR-WS-1.VHR.local using the domain account VHR\j.wilson. These logons originated from an external public IP address (84[.]252[.]95[.]165) and utilized NTLM-based authentication, including both Network (Logon Type 3) and RemoteInteractive (Logon Type 10) logon types.

The presence of NTLM authentication and remote interactive access from an external IP to a workstation represents anomalous behavior within the environment and strongly suggests unauthorized access using compromised credentials. Shortly after these authentication events, suspicious user-level activity was observed on the system, marking the transition from initial access to post-exploitation activity.
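As an added illustration (not part of the original report), the Python below sketches the detection logic behind this finding: successful 4624 events that use NTLM with a Network or RemoteInteractive logon type and originate from a routable public address, plus a roll-up of which accounts each external source logged on as. Field names follow the 4624 EventData schema; the sample events are constructed and assumed, not the report's own telemetry.

```python
import ipaddress
from collections import defaultdict

def ev(user, logon_type, package, ip, event_id=4624):
    """Build a dict carrying the Event ID 4624 fields this detection reads."""
    return {"EventID": event_id, "TargetDomainName": "VHR", "TargetUserName": user,
            "LogonType": logon_type, "AuthenticationPackageName": package,
            "IpAddress": ip}

# Constructed sample telemetry modelled on the logons described in the report;
# illustrative values only, not the report's own event records.
SAMPLE_EVENTS = [
    ev("j.wilson", 3, "NTLM", "84.252.95.165"),         # network logon, external source
    ev("j.wilson", 10, "NTLM", "84.252.95.165"),        # RemoteInteractive, external source
    ev("helpdesk", 3, "NTLM", "84.252.95.165"),         # second account, same source
    ev("svc_backup", 3, "Kerberos", "10.10.20.5"),      # ordinary internal Kerberos logon
    ev("j.wilson", 2, "Negotiate", "-"),                # console logon, no source address
    ev("helpdesk", 10, "NTLM", "84.252.95.165", 4625),  # failed logon: different Event ID
]

REMOTE_LOGON_TYPES = {3, 10}   # Network and RemoteInteractive

def is_external(ip_str):
    """True only for routable public addresses; '-', private and loopback are False."""
    try:
        return ipaddress.ip_address(ip_str).is_global
    except ValueError:
        return False

def flag_event(e):
    """Finding string for a successful NTLM remote logon from a public IP, else None."""
    if e["EventID"] != 4624 or e["LogonType"] not in REMOTE_LOGON_TYPES:
        return None
    if e["AuthenticationPackageName"] != "NTLM" or not is_external(e["IpAddress"]):
        return None
    return (f"{e['TargetDomainName']}\\{e['TargetUserName']} NTLM logon type "
            f"{e['LogonType']} from external {e['IpAddress']}")

def find_external_ntlm_logons(events):
    """All findings, in event order."""
    return [f for f in map(flag_event, events) if f]

def accounts_per_external_source(events):
    """Map each flagged source IP to the sorted accounts it logged on as."""
    seen = defaultdict(set)
    for e in events:
        if flag_event(e):
            seen[e["IpAddress"]].add(e["TargetUserName"])
    return {ip: sorted(users) for ip, users in seen.items()}
```

A source IP that appears with more than one account, as in the helpdesk logon described later in this report, is worth treating as a single intrusion rather than as separate alerts.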

Following successful access, the compromised user account was observed interacting with locally stored files, including plaintext notes, configuration files, and a KeePass password database (Passwords.kdbx). This sequence of activity indicates deliberate credential discovery and harvesting prior to broader network exploitation. Within minutes, the executable NHS_Spine_Certificate_Tool.exe was launched from the user’s Downloads directory. This binary originated from a phishing email impersonating a legitimate NHS Spine security update and served as the primary malware payload used to initiate the intrusion.

Subsequently, authentication events were observed for the VHR\helpdesk account from the same external IP address (84[.]252[.]95[.]165). This indicates either credential reuse or successful credential harvesting during earlier stages of the intrusion. Using the helpdesk account, the attacker established persistence by creating a scheduled task and modified system registry settings to enable WDigest, allowing credentials to be stored in memory in cleartext.

With elevated privileges, the attacker conducted systematic domain discovery, enumerating domain users, groups, network shares, and domain controllers using native Windows command-line utilities. Based on this reconnaissance, the attacker moved laterally using valid credentials to critical infrastructure systems, including the domain controller (VHR-DC01) and backup server (VHR-BACKUP), via remote process execution.

In the later stages of the intrusion, persistent command-and-control access was established using outbound tunneling mechanisms. Sensitive organizational data was staged for exfiltration by copying shared resources, backups, and user data into centralized directories and compressing them into archive files. To obstruct detection and recovery, the attacker disabled antivirus protections, deleted volume shadow copies, stopped backup and database services, and cleared Windows event logs.

The incident culminated in the deployment of ransomware (warlock.exe) across multiple systems within the environment. This final stage rendered systems inoperable and permanently removed recovery mechanisms, significantly complicating restoration efforts. The observed activity reflects a deliberate, methodical intrusion lifecycle consistent with modern ransomware operations targeting Active Directory environments.

Initial Access

Initial access to the VHR.local Active Directory environment was obtained through a targeted phishing campaign that impersonated a legitimate NHS Spine security update. The phishing email was crafted to exploit user trust in NHS-branded communications and presented itself as an urgent security-related action. The email contained a compressed attachment named NHS_Spine_Security_Update.7z; when extracted, the archive produced a malicious executable.