HPH Sector Warned About Clop Ransomware-as-a-Service Operation

The Health Sector Cybersecurity Coordination Center (HC3) has shared information on the Clop (Cl0p) ransomware-as-a-service operation, the affiliates of which are known to conduct attacks on the healthcare and public health (HPH) sector.

Clop ransomware was first detected in February 2019 and is the successor to CryptoMix ransomware. The group is highly active and was apparently unaffected by the arrest of six operators of the ransomware in 2021, with activity continuing despite the arrests. The group was active throughout 2022, with one month seeing the group conduct attacks on 21 organizations. The group typically targets organizations with annual revenues in excess of $10 million, which allows large ransom payments to be demanded, although attacks have been conducted on smaller healthcare organizations such as doctors’ and dentists’ offices with revenues over $5 million.

The group uses double extortion tactics, where sensitive data are stolen prior to file encryption and a ransom payment is necessary to prevent the publication of the stolen data and to obtain the keys to decrypt files. Some attacks linked to the group have only involved data theft and extortion. The group follows through on its threats to publish stolen data when the ransom is not paid, as was the case with the attack on the pharmaceutical giant ExecuPharm, where emails, financial records, documents, and database backups were posted on the group’s leak site.

The group works with several other cybercriminal groups, including the financially motivated threat group tracked as FIN11. A threat group with ties to the Clop ransomware group was behind a series of attacks that exploited a vulnerability in the Accellion File Transfer Appliance (FTA) in December 2020. Several healthcare providers were affected and had sensitive data leaked.


The tactics, techniques, and procedures used by affiliates of the Clop ransomware gang are highly varied and are constantly changing. Initial access to victims’ networks is known to have been gained through phishing, remote desktop compromise, credential abuse, and the exploitation of unpatched vulnerabilities. In late 2022, several attacks were conducted using TrueBot malware to gain initial access to networks.

The group has a good understanding of healthcare IT systems and workflows which has helped the threat actor to conduct several successful attacks on the HPH sector. In 2022, the group allegedly started having difficulties collecting ransom payments which led to a change in tactics. Intercepted communications between group members revealed it had started targeting medical practices that offer telehealth services. In these attacks, the affiliates register as new patients online and request telehealth consultations. Emails are then sent ahead of the appointments with file attachments masquerading as medical images that contain malicious code, in the hope that the files will be opened ahead of the arranged appointments.
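The telehealth lure described above relies on an attachment that claims to be a medical image but carries executable content. As an added illustration of the defensive check a telehealth intake system can apply (example code written for this article, not HC3's or any vendor's tooling; the file names and byte strings are constructed samples), the function below compares the declared file type with the actual file header and flags double extensions:

```python
# Added example: triage inbound "medical image" attachments before they reach a clinician.
# Verdicts: "ok" when the declared extension matches the real header, otherwise a reason.
# Sample files below are constructed for illustration, not real attachments.

# Header signatures for formats a telehealth intake might legitimately accept
MAGIC = {
    ".jpg": [b"\xff\xd8\xff"],
    ".jpeg": [b"\xff\xd8\xff"],
    ".png": [b"\x89PNG\r\n\x1a\n"],
    ".pdf": [b"%PDF"],
    ".dcm": [],  # DICOM: 128-byte preamble then "DICM", checked separately below
}
ALLOWED = set(MAGIC)
# Executable/container headers that should never arrive as an "image"
DANGEROUS = {b"MZ": "PE executable", b"PK\x03\x04": "ZIP/Office container",
             b"\x7fELF": "ELF executable"}
# Inner extensions that indicate a disguised executable, e.g. "xray.exe.jpg"
RISKY_INNER = {"exe", "scr", "js", "vbs", "bat", "cmd", "lnk", "hta", "iso"}


def classify_attachment(filename: str, data: bytes) -> str:
    """Return 'ok' or a short reason why the attachment is suspicious."""
    parts = filename.lower().split(".")
    ext = "." + parts[-1] if len(parts) > 1 else ""
    if ext not in ALLOWED:  # catches "ct_scan.jpg.exe" and bare executables
        return f"disallowed extension {ext or '(none)'}"
    if len(parts) > 2 and any(p in RISKY_INNER for p in parts[1:-1]):
        return "double extension"
    for sig, label in DANGEROUS.items():  # content says executable, name says image
        if data.startswith(sig):
            return f"{label} header in file claiming to be {ext}"
    if ext == ".dcm":
        return "ok" if len(data) >= 132 and data[128:132] == b"DICM" else "missing DICM marker"
    if not any(data.startswith(sig) for sig in MAGIC[ext]):
        return f"header does not match {ext}"
    return "ok"


# Constructed samples: (declared name, first bytes of content)
SAMPLES = [
    ("xray.jpg", b"\xff\xd8\xff\xe0\x00\x10JFIF"),
    ("scan.dcm", b"\x00" * 128 + b"DICM\x02\x00"),
    ("mri.png", b"MZ\x90\x00\x03\x00\x00\x00"),      # PE file renamed to .png
    ("ct_scan.jpg.exe", b"MZ\x90\x00"),
    ("ultrasound.exe.jpg", b"\xff\xd8\xff"),
]


def triage(samples=SAMPLES):
    """Run every sample through classify_attachment; returns {name: verdict}."""
    return {name: classify_attachment(name, data) for name, data in samples}
```

A mismatch between the declared extension and the real header is the signal worth alerting on; the verdict strings are meant to feed a mail-gateway or intake-portal quarantine rule.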

The Clop ransomware gang is highly capable, well-funded, and prolific, and is considered to pose a significant threat to the HPH sector.

Author: Steve Alder is the editor-in-chief of HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered in The HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has 10 years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics. Steve shapes the editorial policy of The HIPAA Journal, ensuring its comprehensive coverage of critical topics. Steve Alder is considered an authority in the healthcare industry on HIPAA. The HIPAA Journal has evolved into the leading independent authority on HIPAA under Steve’s editorial leadership. Steve manages a team of writers and is responsible for the factual and legal accuracy of all content published on The HIPAA Journal. Steve holds a Bachelor of Science degree from the University of Liverpool. You can connect with Steve via LinkedIn or email via stevealder(at)hipaajournal.com
