New ransomware threat with ties to Russia targets healthcare providers

The Department of Health and Human Services (HHS) has issued another brief about a significant ransomware threat to the healthcare industry. This time, the ransomware group was associated with Russia and managed to breach some major healthcare systems.

Known as Clop, the Russian-linked ransomware group has been responsible for a mass attack on more than 130 organizations, according to HHS. Community Health Systems (CHS), a Tennessee-based health system, is one healthcare organization that was recently impacted by a major cybersecurity attack through its third-party vendor Fortra. Protected health information and HIPAA-protected information were exposed, the company said in a filing to the Securities and Exchange Commission (SEC).

For its mass attack, Clop used a zero-day vulnerability in the secure file transfer software GoAnywhere MFT. The group took responsibility for the attacks when it informed “Bleeping Computer,” a technology and computer tutorial website, that it had stolen personal information and protected health information over a 10-day period.

“It also stated that it has the ability to encrypt affected healthcare systems by deploying ransomware payloads,” according to HHS.

However, the group did not provide proof it was behind the attacks. Analysis of the group’s actions found that its ransomware may be written to target Windows systems, though the threat actor has another version using the same encryption method and similar process logic. Despite flaws that make it possible to decrypt locked files without paying a ransom, “Clop could employ this new ransomware campaign to target additional industries, including healthcare,” HHS said.

The group has been active since early 2019 and has “characteristic ransomware as a service (RaaS) TTP [that] makes it one of the most successful ransomware groups in the past few years,” according to HHS. Clop is one of several cybercriminal groups that have recently targeted the healthcare industry. Healthcare’s huge swath of personal health and protected information makes the industry a prime target for criminals aiming to steal the sensitive data and hold it for ransom.

“Healthcare is particularly vulnerable to cyberattacks, owing to their high propensity to pay a ransom, the value of patient records, and often inadequate security,” HHS said. “In 2022, 24 hospitals and multihospital healthcare systems were attacked, and more than 289 hospitals were potentially impacted by ransomware attacks.”

Unlike other ransomware groups, however, Clop almost exclusively targets the healthcare industry, HHS found. The majority (77%) of its attacks in 2021 targeted healthcare infrastructure. Clop likely suffered a major “setback” after six individuals associated with the group were arrested in Ukraine in June 2021, but the “prolific” group is still a serious threat.

Amy Baxter

Amy joined TriMed Media as a Senior Writer for HealthExec after covering home care for three years. When not writing about all things healthcare, she fulfills her lifelong dream of becoming a pirate by sailing in regattas and enjoying rum. Fun fact: she sailed 333 miles across Lake Michigan in the Chicago Yacht Club "Race to Mackinac."
