The Health Sector Cybersecurity Coordination Center (HC3) has identified Clop (Cl0p), a ransomware-as-a-service operation, as a threat to the healthcare and public health (HPH) sector. First spotted in February 2019, Clop is the successor to CryptoMix ransomware. Despite the arrest of six Clop operators in 2021, the malicious activity has not stopped, with 2021 seeing 21 organizations targeted in a single month. This ransomware is usually deployed against companies with annual revenues higher than $10 million, although smaller healthcare entities such as doctors’ and dentists’ offices with revenues over $5 million have also been targeted.
The Clop ransomware group employs double extortion tactics, where they steal sensitive data before encrypting files and demanding a ransom payment for both preventing public disclosure of the stolen data and for providing the keys to decrypt the files. In some attacks, only data theft and extortion were utilized. For example, the pharmaceutical giant ExecuPharm experienced this when emails, financial records, documents, and database backups were posted to the group’s leak site after the ransom was not paid. Clop works with multiple other cybercriminal groups, most notably FIN11, and in December 2020 they exploited a vulnerability in the Accellion File Transfer Appliance (FTA), targeting several healthcare providers and leaking sensitive data.
The modus operandi of the Clop ransomware gang’s affiliates is ever-changing. Reports in late 2022 showed that they had adopted TrueBot malware to gain entry into victims’ networks, often through phishing, remote desktop compromise, credential abuse, or exploiting unpatched vulnerabilities. They have an acute understanding of healthcare IT infrastructures and workflows, which enabled them to perform a number of successful attacks against the HPH sector. However, in 2022, their attempts to collect ransom payments reportedly became compromised, thus necessitating a shift. Intercepted conversations between members revealed that the gang began targeting medical practices offering telehealth services. They would register as new patients online and ask for consultations, then send emails with attachments that appeared to be medical images but actually contained malicious code, hoping that the files would be opened prior to the scheduled appointments.
The Clop ransomware is a serious threat to the healthcare industry, and its victims have suffered financial losses, reputational damage, and potential regulatory compliance violations. The gang’s strategy of targeting telehealth services is yet another example of the evolving threat landscape in the HPH sector. The HC3 is actively working to track and mitigate the evolving threats posed by Clop and other ransomware operations. Healthcare organizations should take proactive steps to combat this growing threat, including patching vulnerable systems, engaging in security training, and implementing multi-factor authentication. It is clear that the healthcare industry must stay vigilant and continue to invest in cybersecurity best practices in order to protect their data and systems from the Clop ransomware and other malicious actors.
