HPH Sector Cautioned Regarding Clop Ransomware-as-a-Service Operation

The Health Sector Cybersecurity Coordination Center (HC3) has published details about the Clop (Cl0p) ransomware-as-a-service operation, whose affiliates have been observed attacking the healthcare and public health (HPH) sector.

Clop ransomware was first identified in February 2019 as the successor to the CryptoMix ransomware. The group is highly active and was apparently unaffected by the arrest of six of its operators in 2021; its operations continued regardless. Clop remained active throughout 2022, and in one month alone it attacked 21 companies. The group typically targets organizations with annual revenue above $10 million, but it has also demanded large ransoms from smaller healthcare providers, such as doctors’ and dentists’ practices with revenue above $5 million.

The group uses double extortion: it exfiltrates sensitive data before encrypting files, then demands a ransom both to withhold publication of the stolen data and to supply the decryption keys. Some attacks attributed to the group involved only data theft and extortion, with no encryption. The group follows through on its threat to publish stolen data when the ransom is not paid, as in the attack on the pharmaceutical company ExecuPharm, whose stolen emails, financial records, documents, and database files were posted on the group’s leak site.

The group collaborates with other cybercriminal groups, including the financially motivated threat group tracked as FIN11. A threat group linked to Clop was responsible for a series of attacks in December 2020 that exploited a vulnerability in the Accellion File Transfer Appliance (FTA); several healthcare providers were affected and had sensitive data exposed.

The tactics, techniques, and procedures used by Clop affiliates are highly varied and continue to evolve. Initial access to victims’ systems has been gained through phishing, credential abuse, remote desktop compromise, and exploitation of unpatched vulnerabilities. In late 2022, several attacks used TrueBot malware to obtain initial access.

The group has a detailed understanding of healthcare IT systems and workflows, which has helped it attack the HPH sector successfully on many occasions. In 2022, the group reportedly began having difficulty collecting ransom payments and changed tactics in response. Intercepted communications among group members showed that it had started targeting medical practices that offer telehealth consultations. In these attacks, affiliates register online as new patients and request a telehealth appointment. Ahead of the appointment, they email the practice with attachments that appear to be medical images but contain malicious code, hoping staff will open the files before the scheduled consultation.
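One defensive check a practice can apply to patient-submitted attachments is to verify that a file's declared image type matches its actual content, since the attachments described above rely on staff trusting the filename. The following is an added example written for this article, not code from HC3 or from the threat actor; the sample attachments are constructed and the signature lists are assumptions, not a complete catalogue of formats.

```python
# Magic-byte signatures for image formats a telehealth intake mailbox would legitimately receive.
# DICOM is special: a 128-byte preamble precedes the "DICM" marker at offset 128.
IMAGE_SIGNATURES = {
    ".jpg": [b"\xff\xd8\xff"],
    ".jpeg": [b"\xff\xd8\xff"],
    ".png": [b"\x89PNG\r\n\x1a\n"],
    ".dcm": [b"DICM"],  # checked at offset 128, see below
}

# Content that should never arrive as a "medical image": Windows executables, OLE compound
# documents (legacy Office files that can carry macros), and ZIP containers (OOXML, archives).
SUSPICIOUS_SIGNATURES = {
    b"MZ": "windows-executable",
    b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1": "ole-compound-document",
    b"PK\x03\x04": "zip-container",
}


def classify_attachment(filename: str, data: bytes) -> str:
    """Return 'ok', 'mismatch:<reason>', or 'unknown' for an attachment that claims to be an image."""
    parts = filename.lower().split(".")
    ext = "." + parts[-1] if len(parts) > 1 else ""
    # A known image extension hidden before another extension (e.g. scan.jpg.exe) is a red flag on its own.
    if any("." + p in IMAGE_SIGNATURES for p in parts[1:-1]):
        return "mismatch:double-extension"
    for sig, label in SUSPICIOUS_SIGNATURES.items():
        if data.startswith(sig):
            return f"mismatch:{label}"
    expected = IMAGE_SIGNATURES.get(ext)
    if expected is None:
        return "unknown"
    if ext == ".dcm":
        return "ok" if data[128:132] == b"DICM" else "mismatch:not-dicom"
    return "ok" if any(data.startswith(s) for s in expected) else "mismatch:not-" + ext[1:]


def scan_samples() -> dict:
    """Constructed sample attachments for this example: genuine-looking images plus disguised content."""
    samples = {
        "xray.jpg": b"\xff\xd8\xff\xe0" + b"\x00" * 16,            # real JPEG header
        "ct_slice.dcm": b"\x00" * 128 + b"DICM" + b"\x02\x00",     # DICOM preamble + marker
        "mri.jpg": b"MZ\x90\x00" + b"\x00" * 60,                   # PE header behind an image name
        "scan.png": b"\x89PNG\r\n\x1a\n" + b"\x00" * 8,            # real PNG header
        "report.jpg.zip": b"PK\x03\x04" + b"\x00" * 8,             # container, not an image
        "slice.dcm": b"\x00" * 132,                                # named DICOM, marker absent
    }
    return {name: classify_attachment(name, blob) for name, blob in samples.items()}
```

A mail gateway or intake workflow would quarantine anything that is not "ok" rather than forwarding it to clinical staff.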

The Clop ransomware group is highly capable, well funded, and prolific, and it continues to pose a significant threat to the HPH sector.