On February 12, criminals used compromised credentials to remotely entry a Change Healthcare Citrix portal, an utility used to allow distant entry to desktops. The portal didn’t have multi-factor authentication. As soon as the risk actor gained entry, they moved laterally throughout the methods in additional refined methods and exfiltrated information. Ransomware was deployed 9 days later.