Case Study
Stopped Ransomware Before Impact
Healthcare Provider Prevents a Ransomware Attack Before Patient Data Was Exposed
Stopped before impact
Industry
Healthcare
Region
North America
Challenge
A healthcare organization relied on a claims processing portal protected by traditional multi-factor authentication (MFA).
Unit6 discovered that a ransomware-linked threat actor had obtained not only valid credentials for the portal, but also the MFA secret required to bypass authentication entirely.
The actor had already verified access and was preparing to move deeper into the environment.
Without intervention, the compromised account could have provided access to patient-linked financial records, claims data, and systems commonly targeted during ransomware operations.
What Unit6 Found
Unit6 identified valid credentials for an active portal user, the corresponding MFA seed used to generate authentication codes, evidence that the credentials had already been successfully tested, and indicators linking the access to ransomware-related activity.
This discovery originated from Unit6’s external intelligence collection and actor monitoring capabilities rather than internal security alerts.
Response
Working alongside the security team, Unit6 helped disable the compromised account, invalidate exposed MFA secrets, force secure re-enrollment of affected users, deploy phishing-resistant authentication for high-risk accounts, and strengthen monitoring and access controls around the portal.
The organization also reviewed historical activity to ensure no data had been accessed and no persistence mechanisms had been established.
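The mechanism behind the finding is that a TOTP seed, not the six-digit code, is the real secret: whoever holds the seed computes exactly the codes the legitimate authenticator app does, which is why the response above invalidates the seed and forces re-enrollment rather than merely resetting a password. The following added example is not Unit6's or the provider's code; it implements RFC 6238 TOTP with a constructed verifier, user name and seeds, and shows that codes derived from an exposed seed stop validating once the user is re-enrolled.

```python
import hashlib
import hmac
import secrets
import struct
from typing import Dict, List, Optional, Tuple


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, at: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP with the counter taken from the current time step."""
    return hotp(secret, at // step, digits)


class TotpVerifier:
    """Minimal server-side seed store (constructed for this example)."""

    def __init__(self) -> None:
        self.seeds: Dict[str, bytes] = {}
        self.retired: List[bytes] = []  # invalidated seeds, kept for audit

    def enroll(self, user: str, seed: Optional[bytes] = None) -> bytes:
        self.seeds[user] = seed or secrets.token_bytes(20)
        return self.seeds[user]

    def reenroll(self, user: str, seed: Optional[bytes] = None) -> bytes:
        """Force re-enrollment: the old seed is retired and can never verify again."""
        old = self.seeds.pop(user, None)
        if old is not None:
            self.retired.append(old)
        return self.enroll(user, seed)

    def verify(self, user: str, code: str, at: int, skew: int = 1) -> bool:
        seed = self.seeds.get(user)
        if seed is None:
            return False
        # Accept the current window plus/minus `skew` steps, comparing in constant time.
        return any(hmac.compare_digest(totp(seed, at + d * 30), code)
                   for d in range(-skew, skew + 1))


def exposed_seed_scenario(now: int = 1_700_000_000) -> Tuple[bool, bool]:
    """Returns (code accepted before re-enrollment, code accepted after re-enrollment)."""
    srv = TotpVerifier()
    exposed = srv.enroll("claims-user", seed=b"constructed-exposed-seed")  # hypothetical user
    before = srv.verify("claims-user", totp(exposed, now), now)  # exposed seed still valid
    srv.reenroll("claims-user", seed=b"constructed-fresh-seed--")  # invalidate and re-enroll
    after = srv.verify("claims-user", totp(exposed, now), now)  # exposed seed now useless
    return before, after
```

The `retired` list is the audit trail a response team would want when confirming that every exposed seed was actually rotated.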
Outcome
The attack path was eliminated before ransomware deployment or patient data exposure occurred.
The healthcare provider strengthened its identity security program, replaced vulnerable authentication methods, and gained confidence that a high-risk compromise had been neutralized before it became a reportable incident.
Why Unit6
Traditional security tools focus on detecting activity after attackers arrive.
Unit6 identified the compromise while the adversary was still preparing for the next phase of the attack.
By combining external threat intelligence, credential exposure monitoring, and adversary-focused visibility, Unit6 enabled the organization to act before patient records, operations, or reputation were impacted.
CISO, Healthcare