New ransomware threat with ties to Russia targets healthcare providers
The Department of Health and Human Services (HHS) has issued another brief about a significant ransomware threat to the healthcare industry. This time, the ransomware group was associated with Russia and managed to breach some major healthcare systems.
Known as Clop, the Russian-linked ransomware group has been responsible for a mass attack on more than 130 organizations, according to HHS. Community Health Systems (CHS), a Tennessee-based health system, is one healthcare organization that was recently impacted by a major cybersecurity attack through its third-party vendor Fortra. Protected health information and HIPAA-protected information were exposed, the company said in a filing to the Securities and Exchange Commission (SEC).
For its mass attack, Clop used a zero-day vulnerability in secure file transfer software GoAnywhere MFT. The group took responsibility for the attacks when it informed “Bleeping Computer,” a technology and computer tutorial website, that it had stolen personal information and protected health information over a 10-day period.
“It also stated that it has the ability to encrypt affected healthcare systems by deploying ransomware payloads,” according to HHS.
However, the group did not provide proof it was behind the attacks. Analysis of the group’s actions found its ransomware may be written to target Windows systems, though the threat actor has another version using the same encryption method and similar process logic. Despite flaws that make it possible to decrypt locked files without paying a ransom, “Clop could employ this new ransomware campaign to target additional industries, including healthcare,” HHS said.
The group has been active since early 2019 and has “characteristic ransomware as a service (RaaS) TTP [that] makes it one of the most successful ransomware groups in the past few years,” according to HHS. Clop is one of several cybercriminal groups that have recently targeted the healthcare industry. Healthcare’s huge swath of personal health and protected information makes the industry a major target for criminals aiming to steal the sensitive data and hold it for ransom.
“Healthcare is particularly vulnerable to cyberattacks, owing to their high propensity to pay a ransom, the value of patient records, and often inadequate security,” HHS said. “In 2022, 24 hospitals and multihospital healthcare systems were attacked, and more than 289 hospitals were potentially impacted by ransomware attacks.”
Unlike other ransomware groups, however, Clop almost exclusively targets the healthcare industry, HHS found. The majority (77%) of its attacks in 2021 targeted healthcare infrastructure. Clop likely suffered a major “setback” after six individuals associated with the group were arrested in Ukraine in June 2021, but the “prolific” group is still a serious threat.