After targeting water sector, HC3 confirms Clop ransomware attacks against healthcare organizations

The U.S. Department of Health & Human Services’ Health Sector Cybersecurity Coordination Center (HC3) confirmed that it is aware of attacks on the health and public health (HPH) sector by the Clop ransomware group. The disclosure comes a few months after the Russia-based Clop ransomware group breached water systems at the U.K. water supply company South Staffordshire.

“The Clop ransomware has been around since 2019, and even though the organization had several members arrested, its activity appeared to be uninterrupted,” the HC3 wrote in its analyst note on Wednesday. “However, the gang has had difficulties getting victims to pay out on a ransom, which has reportedly led to a change in their tactics that directly impacts the HPH sector.”

The HC3 added that the group has been infecting files that are disguised to look like medical documents, submitting them to facilities, and then requesting a medical appointment in hopes of those malicious documents being opened and reviewed beforehand. “These attacks have a higher chance of working due to conditions from COVID-19 expansion in the telehealth environment,” it added. 

Operating under the Ransomware-as-a-Service (RaaS) model, Clop was first observed in 2019 and became one of the most widely used ransomware families, typically targeting organizations with annual revenue of US$5 million or higher. Since its appearance, the HPH sector has been among the industries most heavily targeted by Clop ransomware.

HC3 notes that Clop is the successor of the CryptoMix ransomware, which is believed to have been developed in Russia and used as a ‘popular payload’ for groups such as FIN11 and other Russian affiliates. “Like most ransomware groups, financial gain appears to be their primary goal, which they leverage through the use of the double extortion model. Through this technique, the threat actor will encrypt and exfiltrate sensitive information. Sensitive data will be released on their dark web leak site if payment is not made. This model is used so the actor can have additional leverage to help collect a ransom payment,” it added.

The appearance of Clop ransomware was expected to decline in 2021 after the arrest of six ransomware operators, HC3 notes. However, the malware continued to have non-stop activity through 2022. 

HC3 also said that the Clop ransomware has been observed as a potential payload of the downloader malware TrueBot. “Clop is designed to have not only anti-analysis capabilities but also anti-virtual machine analysis to help prevent further investigations in an emulated environment,” it added.

Clop was written to target Windows systems, and reported samples show that it is a Win32 executable written in C++. The executable is packed, which helps hide its functionality. The ransomware encrypts files with RC4 in combination with a 1024-bit RSA public key, using 117 bytes of the public key.

“Phishing emails have been a primary initial access vector for Clop, but reports have shown that it also exploits the following Common Vulnerabilities and Exposures (CVE): CVE-2021-27101, CVE-2021-27102, CVE-2021-27103, CVE-2021-27104, and CVE-2021-35211,” HC3 said. “Once a network has been compromised, they have been observed to use remote desktop protocols and deploy Cobalt Strike to aid in lateral movement. Finally, after encryption is complete, the victim will be able to access a dropped README.TXT, and the encrypted file’s extension will be changed to ‘Clop,’” it added.

HC3 stated that the ransom note tells the victim that the Shadow Volume Copies have been deleted and that the decryption key is only available from the group, and it claims that all the files will be deleted after two weeks.
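The post-encryption behaviour HC3 describes (files renamed with a ‘Clop’ extension, a dropped README.TXT, and deleted Shadow Volume Copies) lends itself to a simple host-level triage rule. The following is an added example for defenders, not code from the article or from HC3: it runs over constructed file and process-creation events and escalates a host only when several indicators line up, since a lone README.TXT is a common benign filename. The event fields and the `vssadmin`/`wmic` shadow-copy commands are assumptions; the article only states that shadow copies are deleted, not which tool is used.

```python
"""Triage rule for the Clop post-encryption indicators described by HC3.
All events below are constructed for this example; the field names are an
assumption, not any particular SIEM or EDR schema."""
import re
from collections import Counter
from dataclasses import dataclass


@dataclass
class Event:
    kind: str    # "file" (a file create/rename) or "process" (a process start)
    host: str
    detail: str  # file path for "file" events, command line for "process" events


# Constructed sample telemetry: ws-01 shows the full pattern, ws-02 only noise.
SAMPLE_EVENTS = [
    Event("process", "ws-01", r"C:\Windows\System32\vssadmin.exe delete shadows /all /quiet"),
    Event("file", "ws-01", r"C:\Users\alice\Documents\referral_2023.docx.Clop"),
    Event("file", "ws-01", r"C:\Users\alice\Documents\labs.pdf.Clop"),
    Event("file", "ws-01", r"C:\Users\alice\Documents\README.TXT"),
    Event("file", "ws-02", r"C:\Users\bob\Documents\clop_study_notes.txt"),
    Event("process", "ws-02", r"C:\Windows\System32\vssadmin.exe list shadows"),
    Event("file", "ws-02", r"C:\Users\bob\README.TXT"),
]

# Shadow-copy deletion via the usual Windows tools (assumption: the article does not
# name the tooling). "list shadows" is administrative and deliberately not matched.
SHADOW_DELETE = re.compile(
    r"vssadmin(\.exe)?\s+delete\s+shadows|wmic(\.exe)?\s+shadowcopy\s+delete", re.I)
CLOP_EXT = re.compile(r"\.clop$", re.I)                 # ".Clop" appended to encrypted files
RANSOM_NOTE = re.compile(r"(^|[\\/])README\.TXT$", re.I)  # dropped note, as per HC3


def classify(ev):
    """Return the indicator name an event matches, or None if it matches nothing."""
    if ev.kind == "process" and SHADOW_DELETE.search(ev.detail):
        return "shadow_copy_deletion"
    if ev.kind == "file" and CLOP_EXT.search(ev.detail):
        return "clop_extension"
    if ev.kind == "file" and RANSOM_NOTE.search(ev.detail):
        return "ransom_note"
    return None


def hosts_to_escalate(events, min_clop_files=2):
    """Count indicators per host and return the hosts worth escalating.

    A host is escalated when at least `min_clop_files` files carry the Clop
    extension, or when shadow-copy deletion coincides with a ransom note.
    A README.TXT on its own is ignored to avoid false positives."""
    per_host = {}
    for ev in events:
        tag = classify(ev)
        if tag:
            per_host.setdefault(ev.host, Counter())[tag] += 1
    flagged = {}
    for host, counts in per_host.items():
        if counts["clop_extension"] >= min_clop_files or (
                counts["shadow_copy_deletion"] and counts["ransom_note"]):
            flagged[host] = dict(counts)
    return flagged


if __name__ == "__main__":
    for host, counts in hosts_to_escalate(SAMPLE_EVENTS).items():
        print(host, counts)
```

On the constructed sample, only ws-01 is escalated: two ‘.Clop’ renames plus shadow-copy deletion and a README.TXT. ws-02 has a README.TXT and a benign `vssadmin list shadows`, so it stays quiet. The thresholds are the part to tune against real telemetry; the point is to correlate the indicators HC3 lists rather than alert on any one of them.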

Apart from the techniques outlined in its latest analyst note, the HC3 said that it continues to see attack vectors such as phishing, remote desktop protocol compromise and credential abuse, and the exploitation of known vulnerabilities.

The latest note comes close on the heels of the HC3 revealing in December that it is closely tracking hacktivist groups that have previously affected various countries and industries, including the U.S. HPH sector. One of these hacktivist groups, called ‘KillNet,’ recently targeted a U.S. organization in the healthcare industry.

“The group is known to launch DDoS attacks primarily targeting European countries perceived to be hostile to Russia, and operates multiple public channels aimed at recruitment and garnering attention from these attacks,” HC3 added in its note.

Earlier in December, the HC3 provided details of the human-operated Royal ransomware, which was first observed last year and has since grown in prevalence. It has demanded ransoms of up to millions of dollars. Since its appearance, HC3 has been aware of attacks against the HPH sector.
