Federal regulators are sounding the alarm about a Russia-linked ransomware group known as Clop.
The Health Sector Cybersecurity Coordination Center (HC3) of the U.S. Department of Health and Human Services (HHS) published a Feb. 22 sector alert warning about Clop. The group reportedly claimed responsibility for a mass attack on more than 130 entities earlier this month.
HC3 mentioned an exchange in which Clop claimed to the online technology news website BleepingComputer.com that it had breached 130 organizations. Clop allegedly used a “zero-day” security vulnerability in secure file transfer software called GoAnywhere MFT, according to BleepingComputer’s report.
Clop “allegedly stole personal information and protected health information data over the course of 10 days,” according to HC3. “It also stated that it has the ability to encrypt affected healthcare systems by deploying ransomware payloads.”
Clop did not provide proof of the attacks and BleepingComputer could not confirm them independently. The group uses ransomware and “unabashedly and almost exclusively targets the healthcare sector,” according to HC3.
“In 2021 alone, 77% (959) of its attack attempts were on this critical infrastructure industry,” the HC3 sector alert said. “Clop appeared to suffer a major setback in June 2021 when law enforcement arrested six individuals in Ukraine linked to the group. Continued and successful attacks, however, demonstrate that this prolific group is still a viable threat to the healthcare sector.”
As for the GoAnywhere MFT vulnerability, it was detected and publicized starting Feb. 2, with an emergency patch for the software released Feb. 7. The U.S. National Institute of Standards and Technology has listed it in the institute’s National Vulnerability Database, and the U.S. Cybersecurity & Infrastructure Security Agency has publicized it.
A health care company was among the victims of the Clop attack, according to a report from the cybersecurity company Malwarebytes.
Community Health Systems (CHS) notified the U.S. Securities and Exchange Commission that Fortra, the maker of GoAnywhere MFT, had informed it of a security breach involving personal information and health information of up to 1 million people. The breach did not disrupt daily business or patient care for CHS, which is based in Franklin, Tennessee, and operates in 47 markets across 16 states, with 79 hospitals, about 13,000 beds, and more than 1,000 sites of care.
To protect against future attacks, HC3 recommended that health care facility leaders:
- Educate and train staff to reduce the risk of social engineering attacks via email and network access.
- Assess enterprise risk against all potential vulnerabilities and prioritize implementing the security plan with the necessary budget, staff, and tools.
- Develop a cybersecurity roadmap that everyone in the healthcare organization understands.