HHS Warns of New Ransomware Group Attacks on Healthcare Facilities

The Clop group was active throughout 2022.

By HFT Staff


The U.S. Department of Health and Human Services (HHS) recently sent out an alert to all hospitals and other healthcare facilities about The Clop ransomware group. The group has reportedly been sending healthcare facilities ransomware-infected medical files disguised as coming from legitimate doctors, then requesting a medical appointment in hopes recipients will open and review the documents.  

The Clop was first observed in 2019 and have seen payouts of up to $500 million. The group uses a double extortion model that targets Windows systems, allowing the threat actor to encrypt and exfiltrate sensitive information. Sensitive data will be released on their dark web leak site if payment is not made. The malware was active throughout 2022 despite six of its operators getting arrested in 2021.  

These are not the only cyber criminals still targeting hospitals and other healthcare facilities. HHS recently alerted facilities regarding the Royal group, which emerged in September 2022 and appears to not have affiliates. Royal appears to be financially motivated and has exfiltrated sensitive data, leaving healthcare facilities to be seen as vulnerable. The group uses Cobalt Strike tactics to harvest credentials from healthcare networks, according to the notice. 

Not all ransomware groups have their sights set on healthcare organizations, though. HHS warned of LockBit in early 2022, despite the group claiming it does not attack healthcare organizations. But the group was linked to the recent hacking of SickKids, a major pediatric hospital in Toronto. The group apologized on behalf of the affiliate who partially disabled SickKids’ website, phone lines and corporate function lines, saying it violated the group’s rules of engagement, Techardar reported.  

"We formally apologize for the attack on si[c]kkids.ca and give back the decryptor for free. The partner who attacked this hospital violated our rules, is blocked and is no longer in our affiliate program," the group said in a screenshot posted on Twitter. 

HHS suggests healthcare facilities take these steps to reduce attack surface areas to the greatest extent possible:  

  • Use the included indicators of compromise in threat hunting and detection programs.  
  • Use multi-factor authentication and strong passwords.  
  • Establish a robust data backup program.  
  • Consider signing up for CISA’s cyber hygiene services. 


January 12, 2023


Topic Area: Information Technology , Security


Recent Posts

UMC Health System Grapples with IT Outage from Ransomware Attack

The organization’s facilities remained operational despite the IT outage.


Boston Medical Center Welcomes Two New Facilities into Health System

Good Samaritan Medical Center and St. Elizabeth’s Medical Center are officially part of the health system.


Inspira Health Breaks Ground on Mullica Hill Expansion

The new 150,000-square-foot, five-story wing is expected to be open in the first quarter of 2027.


Cleanology: The Need for a Study of Cleaning

There are no accepted risk-based standards to verify whether a hospital is truly clean and safe.


Hurricane Helene Forces Unicoi County Hospital to Evacuate

A helicopter was called in alongside the Tennessee National Guard to help complete the evacuation.


 
 


FREE Newsletter Signup Form

News & Updates | Webcast Alerts
Building Technologies | & More!

 
 
 


All fields are required. This site is protected by reCAPTCHA and the Google Privacy Policy and Terms of Service apply.

 
 
 
 

Healthcare Facilities Today membership includes free email newsletters from our facility-industry brands.

Facebook   Twitter   LinkedIn   Posts

Copyright © 2023 TradePress. All rights reserved.