
Authorities Warn Healthcare Sector of Ongoing Clop Threats

Group Has Exploited GoAnywhere MFT Flaw for Ransomware Attacks

Federal authorities are urging the healthcare sector to ratchet up defenses against potential assaults by Russian-linked Clop, on the heels of the ransomware-as-a-service group's recent alleged mass attacks exploiting a vulnerability in Fortra's secure file transfer software, GoAnywhere MFT.


In an alert issued Wednesday, the U.S. Department of Health and Human Services' Health Sector Cybersecurity Coordination Center warned that Clop claims to have hit more than 130 organizations, including healthcare industry entities, with attacks involving the GoAnywhere MFT flaw.

Hackers can exploit the flaw, which is present in the software's administrator console, without having to authenticate or otherwise log in to the console. Fortra first issued a security alert on Feb. 1 and released an update that includes a patch (see: Clop Ransomware Claims Widespread GoAnywhere MFT Exploits).

Clop has been active since February 2019. Unlike other ransomware-as-a-service groups, "Clop unabashedly and almost exclusively targets the healthcare sector," HHS writes. Law enforcement dealt the group a blow when Ukrainian authorities arrested six suspected members. "Continued and successful attacks, however, demonstrate that this prolific group is still a viable threat to the healthcare sector," HHS writes.

The American Hospital Association issued an alert for its members on Thursday based on HHS HC3's warning.

"Healthcare organizations should immediately apply the security patches recommended" and review their use of file transfer systems, said John Riggi, AHA's national adviser for cybersecurity and risk, in the association's alert.

So far, at least one healthcare sector entity has publicly revealed that it was a recent victim of a cybersecurity incident involving the GoAnywhere secure file transfer software.

Hospital chain Community Health Systems in a Feb. 13 filing to the U.S. Securities and Exchange Commission said it had been recently alerted by Fortra of a compromise.

The multistate chain did not say in its filing whether the incident, which affected the data of about 1 million patients, involved a ransomware attack by Clop (see: CHS: 1 Million Patients Affected by GoAnywhere MFT Hack).

Earlier Warnings

HHS' latest Clop alert follows earlier warnings about the group, including one in January about its ongoing threats to healthcare sector entities, and one in March 2021 warning healthcare entities that Clop was exploiting zero-day vulnerabilities affecting the Accellion File Transfer Appliance product.

HHS HC3 has issued several previous alerts about Clop threats.

The AHA in its alert said Clop has also used infected files disguised to look like medical documents, submitting them to providers and requesting medical appointments. "The objective is to deceive the recipient into clicking on the malicious document and infecting the organization with highly disruptive ransomware."

In 2022, at least 25 U.S. healthcare organizations operating 290 hospitals were potentially affected by ransomware attacks, according to a report issued last month by security firm Emsisoft.

"Healthcare is particularly vulnerable to cyberattacks, owing to their high propensity to pay a ransom, the value of patient records, and often inadequate security," HHS HC3 writes in its latest alert.


About the Author

Marianne Kolbasuk McGee


Executive Editor, HealthcareInfoSecurity, ISMG

McGee is executive editor of Information Security Media Group's HealthcareInfoSecurity.com media site. She has about 30 years of IT journalism experience, with a focus on healthcare information technology issues for more than 15 years. Before joining ISMG in 2012, she was a reporter at InformationWeek magazine and news site and played a lead role in the launch of InformationWeek's healthcare IT media site.



