HC3: Clop Ransomware Group Preying on Healthcare Sector
Clop ransomware group has reportedly been infecting files that look like medical documents and subsequently requesting medical appointments in hopes of getting victims to open the malicious files.
Source: Getty Images
By Jill McKeon
- Although the group has been active since 2019, Clop ransomware appears to be shifting its tactics in ways that pose direct threats to the healthcare sector, the Health Sector Cybersecurity Coordination Center (HC3) warned in its latest analyst note.
HC3 noted that “the gang has had difficulties getting victims to payout on a ransom,” which has prompted Clop threat actors to change their tactics.
“The group has been infecting files that are disguised to look like medical documents, submitting them to facilities, and then requesting a medical appointment in hopes of those malicious documents being opened and reviewed beforehand.”
These attacks have been highly successful due to the expansion of telehealth throughout the COVID-19 pandemic, the analyst note suggested.
Clop operates under a Ransomware-as-a-Service (RaaS) model and typically targets organizations with an annual revenue of $5 million or higher. Clop is known to be the successor of CryptoMix ransomware, which is believed to have been developed in Russia.
“Like most ransomware groups, financial gain appears to be their primary goal, which they leverage through the use of the double extortion model,” the analyst note stated.
“Through this technique the threat actor will encrypt and exfiltrate sensitive information. Sensitive data will be released on their dark web leak site if payment is not made. This model is used so the actor can have additional leverage to help collect a ransom payment.”
A series of arrests connected to Clop ransomware in 2021 was expected to lead to a decline in activity from the group, but the malware continued to have “non-stop activity through 2022.”
Clop was designed to have anti-analysis capabilities. Threat actors typically use remote desktop protocols once a network has been compromised and then deploy Cobalt Strike to enable lateral movement.
Phishing remains a primary initial access vector, but Clop actors have also been known to exploit the following known vulnerabilities: CVE-2021-27101, CVE-2021-27102, CVE-2021-27103, CVE-2021-27104, and CVE-2021-35211.
Healthcare organizations should remain vigilant and continue to defend against common attack vectors such as known vulnerabilities, credential abuse, and phishing.
