
Clop ransomware group targeting provider-patient trust by infecting medical images

The healthcare sector has long been warned that it is not keeping pace with evolving threats, creating an untenable situation with serious consequences. New insights from Hold Security show that Clop ransomware actors are upping the ante, targeting the trusted relationships between providers and patients to deliver their payload.

The risk to healthcare is greater than before. Hold Security Founder Alex Holden warns that “the message is simple: all medical professionals need to get better because the bad guys are stepping up. We need to speed up.”

In May, the Department of Health and Human Services Cybersecurity Coordination Center alerted the sector to the consistency of ransomware attacks on providers over the year, with a rise in access brokers selling access to healthcare networks to other groups and affiliates.

HC3 was concerned that the brokers are further empowering ransomware-as-a-service groups to focus more on the development of payloads. By August, HC3 saw an increase in social engineering risks and vishing attacks to obtain sensitive data or deploy malware.

In the last month alone, HC3 has warned the sector about four separate ransomware groups currently targeting it.

Clop was not included in those alerts but is notorious for its attacks on healthcare, specifically targeting the sector for a quick payout. The group was behind the Accellion data breach in 2020 and exploited a vulnerability to access the systems of a range of healthcare victims.

But as first reported by KrebsOnSecurity, the group has recently struggled to find enough victims willing to pay. In an attempt to solve this problem, Clop has taken to infecting files disguised as medical documents and submitting appointment requests to get them in front of providers.

Clop ransomware group using unique tactics for greater impact

To get a sense of these new tactics and the possible impacts on providers, SC Media spoke with Hold Security Founder Alex Holden and found the outlook looks relatively bleak. The group is using highly original tactics to better understand workflows within medical systems to hide their attacks for a greater impact.

Clop is known to target medical facilities with revenue of more than $10 million and other facilities with more than $5 million a year. Holden notes that among these targets are groups of dentists, doctors' offices, or other smaller providers that operate as part of bigger healthcare systems.

The second component is that they’ve learned the nuances of the healthcare system workflows and how certain processes work for various healthcare issues, particularly around telemedicine and other remote care platforms. Before COVID-19, Holden believes these tactics would not be finding as much success.

But with the rapid expansion of telemedicine and its evolution as a standard of care for many, particularly in rural areas, Clop is finding it easier to exploit these targeted workflows.

On the whole, there are “huge vulnerabilities” in the ways medical records are being stored, from gaps in the in-house security or how “some medical professionals present their profiles on corporate or medical sites.” The trouble with these new tactics is that Clop isn’t “doing anything innovative process-wise.”

“If they understand the process, if they understand all these intricacies of our process, they can insert themselves into the areas where we would expect them less,” or with weakened defenses when a doctor has a primary duty to the patient and “not cybersecurity,” said Holden.

“Doctors don't think about cybersecurity when they are operating,” he continued.

Practitioners might not even think about cybersecurity when looking at patient data, Holden said, so if a doctor receives an email not from a patient but from other doctors, it’s likely they won’t consider whether something is wrong with the email.

In short, Clop is preying on trusted relationships to build a backdoor for their nefarious activities. Holden has even seen CD-ROMs and image files infected with malware.

In one example, a cardiovascular issue discussed remotely would require certain tests that might not be possible over the phone. The doctor may refer the individual to another system, which requires medical insurance information. Holden explained that Clop actors are procuring medical records for this particular purpose, rather than just shifting the data into their hands.

“They’re basically registered as the patient themselves,” said Holden. “They are taking medical records from the victim and no one is looking.” The actor will register for a service using the acquired patient data, and the doctor’s office will likely not notice as they have the required information.

“They don't have to fib because it's telehealth, and it's believable. So the insurance may actually get stuck with a small bill,” said Holden. But the bigger issue is the follow-up: banking on urgency, the doctors will likely quickly look at test results before the next appointment and end up with an infected file doctored by the Clop actors instead.


“This is not the first type of abuse that we’ve seen,” said Holden, who finds it interesting that Clop is targeting medical professionals rather than others. Hold Security has also seen similar scams in the restaurant industry and among suppliers. “But this hits a bit differently because of the sense of duty.”

This involves “much, much deeper human interaction.” The actors have to “discuss actually showing up for the appointment and make sure that they force a doctor to open the infected files,” he added.

Clop is well funded and extremely well motivated: they can keep attacking. Holden stressed that it’s imperative that the medical industry keeps getting better “because there will be times when bad guys will go to the next step. They will be blackmailing over the life of a person.”

Jessica Davis

The voice of healthcare cybersecurity and policy for SC Media, CyberRisk Alliance, driving industry-specific coverage of what matters most to healthcare and continuing to build relationships with industry stakeholders.
