Authorities Warn Healthcare Sector of Ongoing Clop Threats
Group Has Exploited GoAnyWhere MFT Flaw for Ransomware Attacks
Federal authorities are urging the healthcare sector to ratchet up defenses against potential assaults by Russian-linked Clop on the heels of the ransomware-as-a-service group's recent alleged mass attacks exploiting a vulnerability in vendor Fortra's secure file transfer software GoAnyWhere MFT.
In an alert issued Wednesday, the U.S. Department of Health and Human Services' Health Sector Cybersecurity Coordination Center warned that Clop claims to have hit more than 130 organizations, including healthcare industry entities, with attacks involving the GoAnyWhere MFT flaw.
Hackers can exploit the flaw, which is present in the software's administrator console, without having to authenticate or otherwise log into the console. Fortra first issued a security alert on Feb. 1 and released an update that includes a patch (see: Clop Ransomware Claims Widespread GoAnyWhere MFT Exploits).
Clop has been active since February 2019. Unlike other ransomware-as-a-service groups, "Clop unabashedly and almost exclusively targets the healthcare sector," HHS writes. Law enforcement dealt the group a blow when Ukrainian authorities arrested six suspected members. "Continued and successful attacks, however, demonstrate that this prolific group is still a viable threat to the healthcare sector," HHS writes.
The American Hospital Association issued an alert for its members on Thursday based on HHS HC3's warning.
"Healthcare organizations should immediately apply the security patches recommended" and review their use of file transfer systems, said John Riggi, AHA's national adviser for cybersecurity and risk, in the association's alert.
So far, at least one healthcare sector entity has publicly revealed that it was a recent victim of a cybersecurity incident involving the GoAnyWhere secure file transfer software.
Hospital chain Community Health Systems in a Feb. 13 filing to the U.S. Securities and Exchange Commission said it had been recently alerted by Fortra of a compromise.
The multistate chain did not say in its filing whether the incident - which affected the data of about 1 million patients - involved a ransomware attack by Clop (see: CHS: 1 Million Patients Affected by GoAnyWhere MFT Hack).
HHS' latest Clop alert follows earlier warnings about the group, including one in January about its ongoing threats to healthcare sector entities, and one in March 2021 warning healthcare entities that Clop was exploiting zero-day vulnerabilities affecting the Accellion File Transfer Appliance product.
The AHA in its alert said Clop has also used infected files disguised to look like medical documents, submitting them to providers along with requests for medical appointments. "The objective is to deceive the recipient into clicking on the malicious document and infecting the organization with highly disruptive ransomware."
In 2022, at least 25 U.S. healthcare organizations operating 290 hospitals were potentially affected by ransomware attacks, according to a report issued last month by security firm Emsisoft.
"Healthcare is particularly vulnerable to cyberattacks, owing to their high propensity to pay a ransom, the value of patient records, and often inadequate security," HHS HC3 writes in its latest alert.