BlackBerry Blog

The Clop Ransomware Gang: Sinister Attacks Against the Healthcare Industry

Whether it’s KillNet executing distributed denial-of-service (DDoS) attacks, or the Clop ransomware gang’s double extortion attacks, healthcare is especially vulnerable to the machinations of threat actors – as CISOs know too well. As mentioned in the 2022 Global Threat Intelligence Report, this is due to a combination of factors including the widespread use of medical hardware with a long service life, the complex and often interconnected nature of healthcare systems, and the vast amounts of sensitive data that are routinely collected and stored.

This article is intended to give CISOs a high-level snapshot of the Clop gang’s recent activities in the healthcare sector and provide actionable recommendations for strengthening defenses against Clop. Read the Clop Ransomware Threat Report for a more technical analysis of techniques, tactics, procedures, and countermeasures.

Clop’s Recent Activity Against Healthcare

The Department of Health and Human Services (HHS) recently issued an alert to the healthcare sector, warning that the Clop ransomware group is targeting healthcare facilities. The threat actors send ransomware-infected medical files — which appear to come from legitimate doctors — posing as the patient and requesting a medical appointment, in hopes staff will open and review the documents. Medical industry sources say these attacks have a higher chance of success these days, due to the COVID-19-related expansion of telehealth and virtual appointments.

John Riggi, the American Hospital Association’s national advisor for cybersecurity and risk, says the healthcare sector is caught in the middle of a virtual turf war, as ransomware actors battle for business. “As these primarily Russian-speaking foreign ransomware gangs compete for victims to exploit in their own highly competitive criminal subculture, they are forced to evolve their attack techniques,” says Riggi. “Here, the Clop ransomware gang has done so in a very sinister way.” He adds that healthcare staff need to be educated about this latest tactic.

There’s another reason threat groups like Clop target healthcare, according to Keiron Holyome, BlackBerry vice president for UK and Ireland. “Sadly, ransomware and information stealers are the most common type of malware used against the healthcare sector. BlackBerry threat reports have uncovered that globally, healthcare organizations are more likely to pay ransoms than any other industry, due to the critical nature of the targeted data.”

Holyome recommends that advanced email and endpoint protection controls be deployed across each organization, to serve as a layer of defense against Clop and other evolving cyberthreats targeting hospitals and health systems.

Clop Ransomware Gang Victim Profile: Distinguishing Characteristics

Clop is known to target organizations in the United States, Canada, Latin America, Asia Pacific, and Europe, especially those that generate revenue of $5 million or more annually.

Clop operates under the ransomware-as-a-service (RaaS) model and has been active for more than four years. Its operators and affiliates have targeted almost every industry sector, including retail, transportation and logistics, aerospace, education, automotive, manufacturing, telecommunications, energy, engineering, financial services, professional and legal services, high-tech industries, and most recently, healthcare and public health organizations.

Threat Risk & Impact

BlackBerry threat researchers classify Clop, which targets Windows® OS, as a high-impact, high-risk threat to organizations. The ransomware operators behind Clop are known for their multi-level extortion techniques and wide range of tools.

Clop ransomware stops hundreds of Windows processes so that it can encrypt the files associated with the processes. Clop comes equipped with anti-analysis and anti-virtual machine (VM) capabilities, and tries to disable anti-malware applications such as Windows Defender and Microsoft® Security Essentials before it starts the encryption routine. Once data encryption is complete, victims are shown the ransom note.

A key danger presented by Clop ransomware is its capability for data exfiltration, which sets victims up for double extortion. If the victim refuses to pay, the group may threaten to publicly disclose or sell selected data on the dark web until the ransom demand is met. This increases the threat actors’ leverage against the victim.

Read the Clop Ransomware Threat Report for a deep-dive technical analysis.

Proactive Steps to Take

The BlackBerry Research and Intelligence Team recommends that CISOs in the healthcare industry consider taking the following measures and actions, as needed:

A managed XDR service, CylanceGUARD® for example, provides 24x7x365, 360-degree monitoring of your operating environment, and regular assessments of your security posture. This bolsters prevention, mitigation, and communication, while freeing up limited in-house resources and reducing the risk of sustaining a damaging cyberattack.

  • According to a recent report, organizations with an in-house Incident Response (IR) team that regularly tested their IR plan (by using a red team and/or penetration testing service, for example) saw an associated average cost savings of $2.66 million, or 58%, compared with organizations that have no IR team and don’t test their IR plan.

If you don’t have an IR team or struggle to field the team size your organization needs, consider signing an IR team retainer. BlackBerry has been recognized by the German Federal Office for Information Security (BSI) as a qualified advanced persistent threat (APT) response service provider.

Final Thoughts

Financial, pharmaceutical, technology, energy: the healthcare industry outstrips them all when it comes to the average cost of a data breach, which reached $10.10 million in 2022. However, it’s more than just numbers on an accounting sheet. Targeting the healthcare sector speaks to the ruthlessness of these criminals, whose geopolitical agendas and thirst for profits can very well exact a cost in lives as well as livelihoods. The BlackBerry® contextualized threat intelligence (CTI) and 7th generation cybersecurity AI help your organization proactively prepare and defend against these threats. Let’s get you back to what you do best: helping patients.

Send us an email at for more information about getting your own tailored CTI report.

David Steinberg-Zwirek

About David Steinberg-Zwirek

David Steinberg-Zwirek is an Editorial Intern at BlackBerry.