Clop, the notorious ransomware group, is reportedly targeting the healthcare industry in a new data breach, according to an HC3 Sector alert. The group claims to have stolen personal and protected health information data over a 10-day period and has the ability to encrypt affected healthcare systems using ransomware payloads. While the claims are unverified, Clop has a history of employing trend-setting techniques across multiple operations and has become one of the most successful ransomware groups in recent years.
HC3’s previous Clop Analyst Note revealed that the ransomware group primarily targets Windows systems, but a new Linux variant was observed in December 2022. Despite the nascent Linux variant having several flaws that make it possible to decrypt locked files without paying a ransom, Clop could use this new ransomware campaign to target additional industries, including healthcare. The healthcare industry is particularly vulnerable to cyberattacks, with the value of patient records making it a prime target.
The healthcare industry has experienced a growing trend of cyberattacks in recent years. According to the HC3, 24 hospitals and multihospital healthcare systems were attacked, and more than 289 hospitals were potentially impacted by ransomware attacks in 2022. The threat from Clop highlights the vulnerabilities of the healthcare industry to future cyberattacks.
Clop is known for its characteristic ransomware as a service (RaaS) TTP and has become one of the most successful ransomware groups in recent years. Unlike other RaaS groups, Clop unabashedly and almost exclusively targets the healthcare sector. In 2021 alone, 77% (959) of its attack attempts were on this critical infrastructure industry. However, the group appeared to suffer a major setback in June 2021 when law enforcement arrested six individuals in Ukraine linked to the group. Despite this setback, the recent data breach highlights that the group is still a viable threat to the healthcare sector.
The vulnerabilities exploited by Clop include a zero-day vulnerability in GoAnywhere MFT, which contains a pre-authentication remote code execution vulnerability in the License Response Servlet due to deserializing an attacker-controlled object. Developers of the software warned clients of the vulnerability in early February, but prior to the delivery of an emergency patch, users had to create a (free) account to view the initial security advisory. The use of a customer portal to view the advisory was heavily criticized by cybersecurity experts.
An emergency patch (Version 7.1.2) to the affected software was finally released on February 7, and the vulnerability (tracked as CVE-2023-0669) was added to CISA’s Known Exploited Vulnerabilities Catalog on February 10. As of February 15, CISA ordered all Federal civilian executive branch agencies to patch their systems before March 3.
Despite the vulnerabilities exploited by Clop being addressed, the ransomware group remains a significant threat to the healthcare industry. It is crucial for healthcare organizations to prioritize cybersecurity measures to prevent cyberattacks, including implementing robust risk assessments, educating and training staff to reduce the risk of social engineering attacks, and providing the necessary tools, budget, and resources to prepare for and respond to ransomware attacks proactively and reactively. Moreover, organizations in the healthcare industry can access online government resources from the Department of Health and Human Services’ (HHS) Office for Civil Rights (OCR) to better protect the personal information of patients and reduce the risk of data breaches.