HC3 Sector Alert (TLP: CLEAR): Clop Allegedly Targets Healthcare Industry in Data Breach, February 22, 2023

Executive Summary

Russia-linked ransomware group Clop reportedly took responsibility for a mass attack on more than 130 organizations, including those in the healthcare industry, using a zero-day vulnerability in secure file transfer software GoAnywhere MFT. Cybersecurity & Infrastructure Security Agency (CISA) added the GoAnywhere flaw (CVE-2023-0669) to its public catalog of Known Exploited Vulnerabilities. This Sector Alert follows previous HC3 Analyst Notes on Clop (CLOP Poses Ongoing Risk to HPH Organizations and CLOP Ransomware) and provides an update on its recent attack, potential new tactics, techniques and procedures (TTPs), and recommendations to detect and protect against ransomware attacks.

Report

Clop claimed attribution to the early February attack when it informed the technology and computer tutorial website Bleeping Computer that it allegedly stole personal information and protected health information data over the course of 10 days. It also stated that it has the ability to encrypt affected healthcare systems by deploying ransomware payloads. The threat actor refused to provide any validation of its claims, and Bleeping Computer could not independently confirm them. For now, while these claims are uncorroborated, Clop continues to exhibit a history of employing trend-setting TTPs across multiple operations.

HC3’s previous Clop Analyst Note observed that Clop was written to target Windows systems. Subsequently, on 26 December 2022, threat research website SentinelLabs observed the first Linux variant of Clop ransomware. While similar to the Windows variant, the threat actor constructed the bespoke Linux version using the same encryption method and similar process logic. The nascent Linux variant, however, has several flaws, which make it possible to decrypt locked files without paying a ransom. Regardless, the prevalent use of Linux in servers and cloud workloads makes it reasonable to expect that Clop could employ this new ransomware campaign to target additional industries, including healthcare.

Clop (sometimes stylized as “Cl0p”) has been active since February 2019, with its first observed attack campaign run by the threat group TA505. Its characteristic ransomware-as-a-service (RaaS) TTP makes it one of the most successful ransomware groups in the past few years. Unlike other RaaS groups, Clop unabashedly and almost exclusively targets the healthcare sector. In 2021 alone, 77% (959) of its attack attempts were on this critical infrastructure industry. Clop appeared to suffer a major setback in June 2021 when law enforcement arrested six individuals in Ukraine linked to the group. Continued and successful attacks, however, demonstrate that this prolific group is still a viable threat to the healthcare sector.

This incident is by no means an isolated one for this industry. Healthcare is particularly vulnerable to cyberattacks, owing to its high propensity to pay a ransom, the value of patient records, and often inadequate security. In 2022, 24 hospitals and multihospital healthcare systems were attacked, and more than 289 hospitals were potentially impacted by ransomware attacks. Clop’s alleged attack this year only further exacerbates an ever-growing trend of targeting the healthcare industry, and highlights its vulnerability to future cyberattacks.

View the detailed report below.

For help with Cybersecurity and Risk Advisory Services exclusively for AHA members, contact:

John Riggi

National Advisor for Cybersecurity and Risk, AHA

jriggi@aha.org

(O) +1 202 626 2272