Clop Ransomware Continues to Threaten Healthcare Sector, HC3 Warns

February 24, 2023 - Clop ransomware continues to pose a threat to healthcare and other sectors, the Health Sector Cybersecurity Coordination Center (HC3) warned in its most recent alert about the Russia-linked ransomware group.

Clop recently claimed that it conduced a mass cyberattack in February against more than 130 organizations, including healthcare entities. Clop informed Bleeping Computer that it had stolen protected health information (PHI) and other data and said that it had the ability to encrypt healthcare systems by deploying ransomware payloads.

However, the threat group refused to provide proof of its claims, and Bleeping Computer was unable to independently confirm them.

“For now, while these claims are uncorroborated, Clop continues to exhibit a history of employing trend-setting TTPs across multiple operations,” HC3 noted.

Clop Ransomware History

Clop has been active since at least February 2019 and has a reputation for aggressively targeting critical infrastructure.

“Unlike other RaaS groups, Clop unabashedly and almost exclusively targets the healthcare sector. In 2021 alone, 77% (959) of its attack attempts were on this critical infrastructure industry,” HC3 noted.

“Clop appeared to suffer a major setback in June 2021 when law enforcement arrested six individuals in Ukraine linked to the group. Continued and successful attacks, however, demonstrate that this prolific group is still a viable threat to the healthcare sector.”

In a previous alert, HC3 noted that Clop operates under a Ransomware-as-a-Service (RaaS) model and typically targets organizations with an annual revenue of $5 million or higher.

“Like most ransomware groups, financial gain appears to be their primary goal, which they leverage through the use of the double extortion model,” the January 2023 analyst note stated.

“Through this technique the threat actor will encrypt and exfiltrate sensitive information. Sensitive data will be released on their dark web leak site if payment is not made. This model is used so the actor can have additional leverage to help collect a ransom payment.”

GoAnywhere MFT Vulnerability

In its most recent series of attacks, Clop claimed to have leveraged a known vulnerability in Fortra’s GoAnywhere managed file transfer (MFT) solution (CVE-2023-0669). As previously reported, Franklin, Tennessee-based Community Health Systems (CHS) recently disclosed a data breach involving the GoAnywhere MFT vulnerability.

According to the vulnerability disclosure filing in the National Vulnerability Database (NVD), “GoAnywhere MFT suffers from a pre-authentication command injection vulnerability in the License Response Servlet due to deserializing an arbitrary attacker-controlled object.”

In the case of CHS, exploitation of this vulnerability impacted approximately one million individuals’ personal information.

An emergency software patch (version 7.1.2) was released on February 7.

Mitigations

“This incident is by no means an isolated one to this industry. Healthcare is particuarly vulnerable to cyberattacks, owing to their high propensity to pay a ransom, the value of patient records, and often inadequate security,” HC3 noted.

“In 2022, 24 hospitals and multihospital healthcare systems were attacked, and more than 289 hospitals were potentially impacted by ransomware attacks. Clop’s alleged attack this year only further exacerbates an ever-growing trend to target the healthcare industry, and highlights its vulnerabilities to future cyberattacks.”

To mitigate risk, HC3 urged organizations to patch the GoAnywhere MFT vulnerability where applicable. HC3 also encouraged healthcare organizations to “acknowledge the ubiquitous threat of cyberwar against them” and focus on educating staff and assessing enterprise risk against all potential vulnerabilities.

“Prioritizing security by maintaining awareness of the threat landscape, assessing their situation, and providing staff with tools and resources necessary to prevent a cyberattack remains the best way forward for healthcare organizations,” HC3 concluded.