The Clop Ransomware Gang: Sinister Attacks Against the Healthcare Industry

Whether it’s KillNet executing distributed denial-of-service (DDoS) attacks, or the Clop ransomware gang’s double extortion attacks, healthcare is especially vulnerable to the machinations of threat actors – as CISOs know too well. As mentioned in the 2022 Global Threat Intelligence Report, this is due to a combination of factors including the widespread use of medical hardware with a long service life, the complex and often interconnected nature of healthcare systems, and the vast amounts of sensitive data that are routinely collected and stored.

This article is intended to give CISOs a high-level snapshot of the Clop gang’s recent activities in the healthcare sector and provide actionable recommendations for strengthening defenses against Clop. Read the Clop Ransomware Threat Report for a more technical analysis of techniques, tactics, procedures, and countermeasures.

Clop’s Recent Activity Against Healthcare

The Department of Health and Human Services (HHS) recently issued an alert to the healthcare sector, warning that the Clop ransomware group is targeting healthcare facilities. The threat actors send ransomware-infected medical files — which appear to come from legitimate doctors — posing as the patient and requesting a medical appointment, in hopes staff will open and review the documents. Medical industry sources say these attacks have a higher chance ofsuccess these days, due to the COVID-19-related expansion of telehealth and virtual appointments.

John Riggi, the American Hospital Association’s national advisor for cybersecurity and risk, says the healthcare sector is caught in the middle of a virtual turf war, as ransomware actors battle for business. “As these primarily Russian-speaking foreign ransomware gangs compete for victims to exploit in their own highly competitive criminal subculture, they are forced to evolve their attack techniques,” says Riggi. “Here, the Clop ransomware gang has done so in a very sinister way.” He adds that healthcare staff need to be educated about this latest tactic.

There’s another reason threat groups like Clop target healthcare, according to Keiron Holyome, BlackBerry vice president for UK and Ireland. “Sadly, ransomware and information stealers are the most common type of malware used against the healthcare sector. BlackBerry threat reports have uncovered that globally, healthcare organizations are more likely to pay ransoms than any other industry, due to the critical nature of the targeted data.”

Holyome recommends that advanced email and endpoint protection controls be deployed across each organization, to serve as a layer of defense against Clop and other evolving cyberthreats targeting hospitals and health systems.

Clop Ransomware Gang Victim Profile: Distinguishing Characteristics

Clop is known to target organizations in the United States, Canada, Latin America, Asia Pacific, and Europe, especially those that generate revenue of $5 million or more annually.

Clop operates under the ransomware-as-service (RaaS) model and has been active for more than four years. Its operators and affiliates have targeted almost every industry sector, including retail, transportation and logistics, aerospace, education, automotive, manufacturing, telecommunications, energy, engineering, financial services, professional and legal services, high-tech industries, and most recently, healthcare and public health organizations.

Threat Risk & Impact

Targeting Windows® OS, BlackBerry threat researchers classify Clop as a high-impact, high-risk threat to organizations. The ransomware operators behind Clop are known for their multi-level extortion techniques and wide range of tools.

Clop ransomware stops hundreds of Windows processes so that it can encrypt the files associated with the processes. Clop comes equipped with anti-analysis and anti-virtual machine (VM) capabilities, and tries to disable anti-malware applications such as Windows Defender and Microsoft® Security Essentials before it starts the encryption routine. Once data encryption is complete, victims are shown the ransom note.

A key danger presented by Clop ransomware is its capability for data exfiltration, which sets victims up for double extortion. If the victim refuses to pay, the group may threaten to publicly disclose or sell selected data on the dark web until the ransom demand is met. This increases the threat actors’ leverage against the victim.

Read the Clop Ransomware Threat Report for a deep-dive technical analysis.

Proactive Steps to Take

The BlackBerry Research and Intelligence Team recommends that CISOs in the healthcare industry should consider taking the following measures and actions, as needed:

• Deploy artificial intelligence (AI)-based security and automation to protect endpoints regardless of operating system, support your security team, and reduce burnout. Organizations with fully deployed security AI and automation – take Cylance® AI for one example – realize an average cost savings of $3.05 million, or 65.2%, compared to organizations without. Reducing response time alone benefits your bottom line. Organizations that resolve incidents in less than 200 days realize an average cost savings of $1.12 million, or 26.5%.
  
  
• Free up in-house resources and reduce response time by subscribing to a managed detection and response (MDR) service. The most advanced offerings add extended detection and response (XDR) capabilities to monitor more of your organization’s attack surface. Organizations with XDR reduced response time by 29 days, or 10%, on average, compared to organizations without.

A managed XDR service, CylanceGUARD®  for example, provides 24x7x365, 360-degree monitoring of your operating environment, and regular assessments of your security posture. This bolsters prevention, mitigation, and communication, while freeing up limited in-house resources and reducing the risk of sustaining a damaging cyberattack.

• According to a recent report, organizations with an in-house Incident Response (IR) team that regularly tested their IR plan – by using a red team and or penetration testing service for example – saw an associated average cost savings of $2.66 million, or 58%, compared with organizations without an IR team and that don’t test their IR plan.

If you don’t have an IR team or struggle to field the team size your organization needs, consider signing an IR team retainer. BlackBerry has been recognized by the Germany Federal Office for Information Security (BSI) as a qualified advanced persistent threat (APT) response service provider.

Final Thoughts

Financial, pharmaceutical, technology, energy; the healthcare industry outstrips all others when it comes to the average cost of a data breach reaching $10.10 million in 2022. However, it’s more than just numbers on an accounting sheet. Targeting the healthcare sector speaks to the ruthlessness of these criminals, whose geopolitical agendas and thirst for profits can very well exact a cost in lives as well as livelihoods. The BlackBerry® contextualized threat intelligence (CTI) and 7^th generation cybersecurity AI help your organization proactively prepare and defend against these threats. Let’s get you back to what you do best, helping patients.

Send us an email at cti@blackberry.com for more information about getting your own tailored CTI report.

Related Reading

• Clop Ransomware Threat Report
• DarkBit Ransomware Targets Israel with Command-Line Options and Optimized Encryption Routines
  
• ESXiArgs Ransomware: Knocking Out Unpatched VMware ESXi Linux Servers Worldwide
  
• Conti Ransoms Over 400 Organizations Worldwide