
Mayuresh Kothari of Sophos explains how a Conti offshoot is exploiting healthcare networks — and why proactive incident response is essential.
Recent cyberattacks on the UAE’s health sector have exposed the growing threat posed by ransomware groups targeting critical infrastructure. The latest incident, linked to the emerging Gunra group—believed to be a reconstitution of the dismantled Conti gang—used double extortion tactics involving the theft and encryption of sensitive personal and medical data. According to Mayuresh Kothari, Advisory Solution Principal at Sophos, the attackers exploited legitimate administrative tools to evade detection and launch a highly disruptive campaign.
In this interview with Tahawultech.com, Kothari explores the threat landscape, the importance of engaging expert incident response teams, and why proactive cybersecurity planning is essential. He also outlines how Sophos is helping organisations in the Middle East improve readiness through integrated solutions and local investment.
Interview Excerpts:
Could you provide an overview of the recent cyberattacks targeting the UAE health sector?
Based on publicly available information from X (formerly Twitter) and claims made by the threat group on leak sites, this incident appears to be a form of double extortion. The threat actor was able to first circumvent the security controls to establish presence in the network before starting to identify critical data, exfiltrate it out and lastly, encrypt. Since the threat actor claims to have stolen millions of records containing PII, PCI, and healthcare data, the potential consequences of this exposure are serious. The ransom demand includes payment for both data decryption and to prevent the public release of the stolen information.
Can you share more information about the threat group responsible?
The threat actor group known as Gunra has been active since early this year. Indicators suggest that this group has emerged from the remains of the Conti ransomware group, which was recently disrupted by law enforcement agencies. At Secureworks, we have classified Conti under the codename Gold Ulrick. Their modus operandi involves leveraging Windows administrator tools to hide malicious activities prior to conducting extortion operations.
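The abuse of legitimate administrator tools described above means a defender cannot simply block those binaries; detection has to come from context (who ran the tool, what launched it) and from correlating tool use with what follows, such as a large outbound transfer before encryption. The script below is an added illustration and is not code from Sophos, Secureworks or the interview: it runs two such heuristics over constructed process-creation and network-flow records. The host names, accounts, addresses, byte counts, the approved-administrator allowlist and the tuning thresholds are all invented for the example.

```python
"""Illustrative detection heuristics for abuse of legitimate Windows admin
tools followed by bulk outbound data transfer (added example; sample data
is constructed, not from any real incident)."""
from datetime import datetime, timedelta

# Constructed sample telemetry. Each record: (timestamp, host, user, kind, details).
# "process" records carry the image and its parent; "netflow" records carry the
# destination and bytes sent. Hosts, accounts, addresses and sizes are invented.
SAMPLE_EVENTS = [
    ("2025-05-01T09:02:11", "WS-014", "CORP\\j.doe", "process",
     {"image": "winword.exe", "parent": "explorer.exe"}),
    ("2025-05-01T09:05:40", "WS-014", "CORP\\j.doe", "process",
     {"image": "powershell.exe", "parent": "winword.exe"}),
    ("2025-05-01T09:06:02", "WS-014", "CORP\\j.doe", "process",
     {"image": "wmic.exe", "parent": "powershell.exe"}),
    ("2025-05-01T10:15:00", "WS-014", "CORP\\j.doe", "netflow",
     {"dst": "203.0.113.7", "bytes_out": 48 * 1024**3}),
    ("2025-05-01T11:00:00", "ADM-02", "CORP\\a.admin", "process",
     {"image": "wmic.exe", "parent": "cmd.exe"}),
    ("2025-05-01T11:30:00", "ADM-02", "CORP\\a.admin", "netflow",
     {"dst": "10.0.5.20", "bytes_out": 120 * 1024**2}),
    ("2025-05-01T23:00:00", "BK-01", "CORP\\svc_backup", "netflow",
     {"dst": "203.0.113.50", "bytes_out": 60 * 1024**3}),
]

# Built-in or commonly deployed Windows administration binaries (hypothetical watch list).
ADMIN_TOOLS = {"wmic.exe", "psexec.exe", "powershell.exe", "vssadmin.exe", "net.exe"}
# Document applications that should not normally spawn administration tools.
DOCUMENT_APPS = {"winword.exe", "excel.exe", "outlook.exe"}
# Assumed allowlist of accounts expected to run administration tools.
APPROVED_ADMIN_ACCOUNTS = {"CORP\\a.admin"}
# Assumed tuning values for the correlation rule.
EXFIL_THRESHOLD_BYTES = 5 * 1024**3
CORRELATION_WINDOW = timedelta(hours=2)


def _ts(value):
    return datetime.fromisoformat(value)


def is_internal(ip):
    """Crude private-range check sufficient for the constructed sample."""
    return ip.startswith("10.") or ip.startswith("192.168.")


def admin_tool_alerts(events):
    """Flag admin-tool launches that are unusual by account or by parent process."""
    alerts = []
    for ts, host, user, kind, d in events:
        if kind != "process" or d["image"].lower() not in ADMIN_TOOLS:
            continue
        reasons = []
        if d["parent"].lower() in DOCUMENT_APPS:
            reasons.append("spawned_by_document_app")
        if user not in APPROVED_ADMIN_ACCOUNTS:
            reasons.append("non_approved_account")
        if reasons:
            alerts.append({"time": ts, "host": host, "user": user,
                           "image": d["image"], "reasons": reasons})
    return alerts


def exfil_alerts(events):
    """Flag large external transfers that follow admin-tool use on the same host.

    A large transfer alone is noisy (offsite backups look the same); requiring
    preceding admin-tool activity on that host keeps the rule focused on the
    staging-then-exfiltration sequence.
    """
    tool_times = {}
    for ts, host, _user, kind, d in events:
        if kind == "process" and d["image"].lower() in ADMIN_TOOLS:
            tool_times.setdefault(host, []).append(_ts(ts))
    alerts = []
    for ts, host, user, kind, d in events:
        if kind != "netflow" or is_internal(d["dst"]):
            continue
        if d["bytes_out"] < EXFIL_THRESHOLD_BYTES:
            continue
        t = _ts(ts)
        prior = [p for p in tool_times.get(host, [])
                 if timedelta(0) <= t - p <= CORRELATION_WINDOW]
        if prior:
            alerts.append({"time": ts, "host": host, "user": user, "dst": d["dst"],
                           "bytes_out": d["bytes_out"],
                           "preceding_admin_tool_runs": len(prior)})
    return alerts


if __name__ == "__main__":
    for alert in admin_tool_alerts(SAMPLE_EVENTS) + exfil_alerts(SAMPLE_EVENTS):
        print(alert)
```

On the constructed data the first rule fires twice on WS-014 (PowerShell launched from Word, then wmic.exe under a non-approved account) and stays silent for the approved administrator on ADM-02; the second rule fires only for the 48 GB external transfer from WS-014, not for the nightly backup host, because no admin-tool activity preceded that transfer. In production the allowlist, thresholds and window would come from the organisation's own baseline rather than the guessed values used here.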
What actions should organisations under attack take to effectively mitigate the impact of incidents like these?
This is a complex issue without a simple solution. To begin with, impacted organisations should engage professional incident response (IR) teams with comprehensive expertise in all aspects of managing such incidents. For instance, Secureworks, now part of Sophos, offers specialised services tailored to these needs. When an organisation engages us during an active incident, we begin by identifying the root cause or patient zero of the attack and then remove the threat actor and any associated artifacts. We also provide guidance to prevent future attacks. Our support extends to ransom negotiation, regulatory and communication advice around disclosure or with regulators, and establishing a long-term response program.
Is this the only approach, or are there preventative measures organisations can implement today to proactively defend against such threats?
Cybersecurity is a multi-faceted discipline that organisations must approach as an ongoing program, one that is regularly reviewed, tested, improved, and repeated. Numerous frameworks today help assess the maturity and effectiveness of such programs. However, cybersecurity is always a team effort. It cannot be done in isolation. The foundation begins with strong preventative and policy enforcement controls. Take Sophos Endpoint Protection and Firewalls, for example. With nearly 40 years of experience delivering cutting-edge security controls, our approach, known as Synchronised Security, provides integrated, highly efficient protection. However, prevention is just the starting point. We must always hope for the best but prepare for the worst. That’s where detection-based mechanisms become essential, such as Vulnerability Management, Endpoint Detection and Response (EDR), and Managed Detection and Response (MDR). And even then, the process isn’t complete.
“Cybersecurity must be treated as a continuous program. This is where our Proactive Incident Response services lead the way, ensuring organisations are not just reacting to threats, but actively preparing for them.”
What do you mean by Proactive Incident Response? Isn’t incident response typically a reactive process?
Incident Response (IR) is not just the act of responding to a threat after it occurs. It also involves preparing for potential incidents in advance. This means having plans in place, conducting regular testing, and clearly defining the initial steps to be taken in the event of an attack. To put it into perspective, think of how emergency response works in the real world. Many workplaces designate first responders who wear high-visibility jackets and helmets so they can be easily identified during an emergency. These individuals are trained to use fire extinguishers, guide people to exits, and manage the initial response to a crisis. Cyber IR functions in the same way. Proactive services, often delivered through a retainer, focus on this preparedness. It involves training internal first response teams on the actions to take during an incident: how to contain the threat, prevent its spread, and reduce the risk of data exfiltration. Beyond training, proactive retainers help organisations establish and review their incident response plans, define industry-specific playbooks, and conduct both technical and non-technical exercises. These activities help security teams identify gaps in their current processes and improve their overall readiness.
How does Sophos differentiate itself from other vendors offering similar solutions?
We are uniquely positioned to provide end-to-end solutions with tried and tested capabilities across endpoint, network, cloud and services. Our secure-by-design and secure-by-practice approach has consistently delivered results, and we remain committed to supporting the region through continued investment. Our latest initiative is the launch of a dedicated data center in the UAE, which will enable us to meet local data residency requirements while continuing to provide world-class security solutions tailored to our customers’ needs.