Ransomware Deployment After VPN Credential Abuse and Internal Reconnaissance
ID: 1ccad13b-5ab9-4faf-9609-d89a6b1e0e1b
STIX ID: report--1ccad13b-5ab9-4faf-9609-d89a6b1e0e1b
Threat Score
80/100
A human-operated ransomware intrusion was detected in a healthcare environment. The attackers authenticated to the VPN from 185.225.17.63 using valid contractor credentials (account svc-contractor-vpn), carried out Windows discovery and lateral movement, and then deployed a payload named secure_backup.exe (SHA256: 6fd791fd8d79c9b66c4f4a0d18da9d1dc57c46f8bb0e8ef9d16d846fcbfca201). The payload encrypted files, appending the .medlock extension, and dropped HOW_TO_RESTORE.txt ransom notes alongside them.
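A hunt over the indicators this report names, added here as an example and not part of the report itself: it reads constructed VPN, process-creation and file-write events in a hypothetical key=value format, assigns each hit to the kill-chain stage it belongs to (initial access, execution, impact), and matches the payload by hash before filename so that a renamed copy of secure_backup.exe is still caught. Hosts, users, paths and timestamps in the sample events are invented for the example; only the IOC values come from the report.

```python
"""Hunt for this report's indicators in constructed sample logs.

Added example, not part of the report. The key=value log format is
hypothetical; replace parse() with a parser for your VPN, EDR and
file-audit sources.
"""
import re
from collections import defaultdict

# Indicators exactly as stated in the report.
IOCS = {
    "source_ip": "185.225.17.63",
    "account": "svc-contractor-vpn",
    "payload_name": "secure_backup.exe",
    "payload_sha256": "6fd791fd8d79c9b66c4f4a0d18da9d1dc57c46f8bb0e8ef9d16d846fcbfca201",
    "ransom_ext": ".medlock",
    "ransom_note": "HOW_TO_RESTORE.txt",
}

# Constructed sample events (hypothetical hosts, users, paths, times; not incident data).
SAMPLE_LOGS = [
    "ts=2024-05-01T02:14:07Z type=vpn_login user=svc-contractor-vpn src=185.225.17.63 result=success",
    "ts=2024-05-01T02:15:30Z type=vpn_login user=jsmith src=10.20.30.40 result=success",
    "ts=2024-05-01T02:31:12Z type=process_create host=WS-17 user=svc-contractor-vpn "
    "image=C:\\Windows\\Temp\\secure_backup.exe "
    "sha256=6fd791fd8d79c9b66c4f4a0d18da9d1dc57c46f8bb0e8ef9d16d846fcbfca201",
    "ts=2024-05-01T02:31:20Z type=process_create host=WS-17 user=jsmith "
    "image=C:\\Windows\\System32\\notepad.exe "
    "sha256=0000000000000000000000000000000000000000000000000000000000000001",
    # Same payload renamed on a second host: only the hash match catches this.
    "ts=2024-05-01T02:36:44Z type=process_create host=FS-01 user=svc-contractor-vpn "
    "image=C:\\Users\\Public\\update.exe "
    "sha256=6fd791fd8d79c9b66c4f4a0d18da9d1dc57c46f8bb0e8ef9d16d846fcbfca201",
    "ts=2024-05-01T02:40:01Z type=file_write host=WS-17 path=C:\\Users\\Public\\records.xlsx.medlock",
    "ts=2024-05-01T02:40:02Z type=file_write host=WS-17 path=C:\\Users\\Public\\HOW_TO_RESTORE.txt",
    "ts=2024-05-01T02:40:05Z type=file_write host=FS-01 path=D:\\Shares\\patients\\scan001.dcm.medlock",
    "ts=2024-05-01T02:40:06Z type=file_write host=FS-01 path=D:\\Shares\\patients\\HOW_TO_RESTORE.txt",
]


def parse(line):
    """Parse one key=value line into a dict (values contain no whitespace)."""
    return dict(re.findall(r"(\w+)=(\S+)", line))


def basename(path):
    """Last path component, accepting both Windows and POSIX separators."""
    return re.split(r"[\\/]", path)[-1]


def classify(ev):
    """Map an event to (kill-chain stage, indicator that matched), or None."""
    t = ev.get("type")
    if t == "vpn_login":
        if ev.get("src") == IOCS["source_ip"]:
            return ("initial_access", "source_ip")
        if ev.get("user") == IOCS["account"]:
            return ("initial_access", "account")
    elif t == "process_create":
        # Hash first: a renamed copy of the payload still matches on sha256.
        if ev.get("sha256", "").lower() == IOCS["payload_sha256"]:
            return ("execution", "payload_sha256")
        if basename(ev.get("image", "")).lower() == IOCS["payload_name"]:
            return ("execution", "payload_name")
    elif t == "file_write":
        name = basename(ev.get("path", ""))
        if name.lower().endswith(IOCS["ransom_ext"]):
            return ("impact", "ransom_ext")
        if name == IOCS["ransom_note"]:
            return ("impact", "ransom_note")
    return None


def hunt(lines):
    """Return matched events grouped by stage plus the hosts that show encrypted files."""
    stages = defaultdict(list)
    encrypted_hosts = set()
    for line in lines:
        ev = parse(line)
        hit = classify(ev)
        if hit is None:
            continue
        stage, reason = hit
        ev["matched"] = reason
        stages[stage].append(ev)
        if reason == "ransom_ext":
            encrypted_hosts.add(ev.get("host", "?"))
    return {"stages": dict(stages), "encrypted_hosts": sorted(encrypted_hosts)}


if __name__ == "__main__":
    result = hunt(SAMPLE_LOGS)
    for stage, events in result["stages"].items():
        print(f"{stage}: {len(events)} event(s)")
        for ev in events:
            print(f"  {ev['ts']} host={ev.get('host', '-')} matched={ev['matched']}")
    print("hosts with encrypted files:", ", ".join(result["encrypted_hosts"]))
```

The ordering inside classify is the point worth keeping when adapting this to real telemetry: the filename and the source IP are the cheapest indicators for the operator to change, while the payload hash and the abused account are what tie the later stages back to the initial VPN login.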
