On Feb. 22, the Health Sector Cybersecurity Coordination Center (HC3) published a sector alert on the ransomware group Clop that reportedly took responsibility for a mass attack on more than 130 organizations, including those in the healthcare industry. The Russian-linked group is using a zero-day vulnerability in secure file transfer software GoAnywhere MFT.
We reported in January that HC3 published an analyst note on Clop ransomware. Clop operates under the Ransomware-as-a-Service (RaaS) model and HC3 is aware of attacks on the health and public health sector (HPH). The group was first observed in 2019 and targets organizations with a revenue of $5 million (USD) or higher.
The note says that “Clop claimed attribution to the early February attack when it informed the technology and computer tutorial website Bleeping Computer that it allegedly stole personal information and protected health information data over the course of 10 days. It also stated that it has the ability to encrypt affected healthcare systems by deploying ransomware payloads. The threat actor refused to provide any validation of its claims, and Bleeping Computer additionally could not independently confirm them. For now, while these claims are uncorroborated, Clop continues to exhibit a history of employing trend-setting TTPs across multiple operations.”
Further, “HC3’s previous Clop Analyst Note observed that Clop was written to target Windows systems. Subsequently, on 26 December 2022, threat research website SentinelLabs observed the first Linux variant of Clop ransomware. While similar to the Windows variant, the threat actor constructed the bespoke Linux version using the same encryption method and similar process logic. The nascent Linux variant, however, has several flaws, which make it possible to decrypt locked files without paying a ransom. Regardless, the prevalent use of Linux in servers and cloud workloads makes it easy to suggest that Clop could employ this new ransomware campaign to target additional industries, including healthcare.”
The note says that Clop almost exclusively targets the healthcare industry and that in 2021, 77 percent of its attacks were on this industry. In June of 2021, six individuals linked to the group were arrested. However, continued attacks indicate that this group is still a threat.
In 2022, according to the note, 24 hospitals and multihospital systems were attacked and more than 289 hospitals were likely impacted by ransomware attacks.
The note adds that “Developers of the software initially warned clients of the remote code execution vulnerability in early February. However, prior to the delivery of an emergency patch, in order to view the initial security advisory, users had to create a (free) account in order to access the vulnerability report. The use of a customer portal to view the advisory was heavily criticized by cybersecurity experts. Ben Krebs, who first detected details of the zero-day vulnerability on 02 February, publicized its details and the full text of the security advisory on the social media sharing platform Mastodon. An emergency patch (Version 7.1.2) to the affected software was finally released on 07 February.
“The vulnerability (tracked as CVE-2023-0669) was added to CISA’s Known Exploited Vulnerabilities Catalog on 10 February. As of 15 February, CISA ordered all Federal civilian executive branch agencies to patch their systems before 03 March.”
The note also recommends that security teams implement steps including:
- Educate and train staff to reduce the risk of social engineering attacks through email and network access
- Assess enterprise risk against all potential vulnerabilities and implement a security plan with the necessary budget, staff, and tools
- Develop a cybersecurity roadmap that all members of the healthcare organization can comprehend