HC3 warns of Clop ransomware targeting medical images

The agency says bad actors are sending infected files disguised to look like medical documents and requesting medical appointments. Telemedicine increases the likelihood that malicious images and information would be reviewed ahead of telehealth visits.
By Andrea Fox
10:34 AM


The Health Sector Cybersecurity Coordination Center said in its latest analysis that the Clop ransomware gang has shifted tactics, directly impacting the healthcare and public health sector. 

New baiting tactics for ransomware gang 

Although Clop ransomware has been active since 2019 and several people connected to it have been arrested, the ransomware-as-a-service operation has had difficulty getting victims to pay.

HC3, which released several ransomware warnings in 2022, including one about the exceptionally aggressive Hive ransomware that seeks to delete healthcare data backups, says Clop has been infecting files and disguising them as medical documents submitted for review.

They are "submitting them to facilities, and then requesting a medical appointment in hopes of those malicious documents being opened and reviewed beforehand," the agency said in the analysis.

"These attacks have a higher chance of working due to conditions from COVID-19 expansion in the telehealth environment."

The agency also notes that Clop, sometimes written CLOp, targets Windows systems and uses phishing emails to gain initial access. It is also known for anti-analysis capabilities, including checks that resist being run inside a virtual machine for analysis.

After the files are encrypted, the attackers drop a ransom note saying that the stolen files will be deleted after two weeks.
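The tactic described in this section, a malicious file dressed up as a medical document and submitted ahead of an appointment, is something an intake pipeline can screen for mechanically before a clinician opens the file. The Python below is an added example written for this page, not code from HC3, Healthcare IT News or any Clop analysis. It checks whether an upload's bytes actually match the type its file name claims (DICOM, PDF, JPEG, PNG, Office container), and flags executables disguised as images, Office files that carry a VBA macro project, and PDFs with active content. The file names, sample bytes and acceptance policy are constructed for illustration; the magic numbers are the standard ones for each format.

```python
"""Triage uploaded 'medical documents' before anyone opens them.

Added example; not HC3's or Healthcare IT News' code. File names, sample
bytes and the acceptance policy are constructed for illustration. Anything
this flags should go to a sandbox, not to a clinician's inbox.
"""
import io
import re
import zipfile

# Magic numbers for the content types an intake portal should expect.
SIGNATURES = {
    "pdf": b"%PDF-",
    "jpg": b"\xff\xd8\xff",
    "png": b"\x89PNG\r\n\x1a\n",
    "zip": b"PK\x03\x04",                        # docx/xlsx/pptx are zip files
    "ole": b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1",  # legacy .doc/.xls container
}
EXECUTABLE_SIGS = {"pe": b"MZ", "elf": b"\x7fELF"}

# Which real container types are acceptable for each claimed extension
# (constructed policy: legacy .doc is deliberately not accepted at all).
ALLOWED = {
    "pdf": {"pdf"}, "jpg": {"jpg"}, "jpeg": {"jpg"}, "png": {"png"},
    "dcm": {"dicom"}, "docx": {"zip"},
}


def sniff(data: bytes) -> str:
    """Return the container type implied by the bytes, ignoring the name."""
    # DICOM: 128-byte preamble followed by the ASCII prefix "DICM".
    if len(data) > 132 and data[128:132] == b"DICM":
        return "dicom"
    for name, sig in EXECUTABLE_SIGS.items():
        if data.startswith(sig):
            return name
    for name, sig in SIGNATURES.items():
        if data.startswith(sig):
            return name
    return "unknown"


def triage(filename: str, data: bytes) -> list[str]:
    """Return reasons to quarantine the upload; empty list means nothing found."""
    reasons = []
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    kind = sniff(data)
    if kind in EXECUTABLE_SIGS:
        reasons.append(f"executable ({kind}) disguised as .{ext}")
    elif ext not in ALLOWED:
        reasons.append(f"extension .{ext} not accepted for intake")
    elif kind not in ALLOWED[ext]:
        reasons.append(f"content is {kind}, not a valid .{ext}")
    if kind == "zip":
        # Office macros live in vbaProject.bin inside the OOXML container.
        try:
            names = zipfile.ZipFile(io.BytesIO(data)).namelist()
        except zipfile.BadZipFile:
            names = []
            reasons.append("corrupt zip container")
        if any(n.lower().endswith("vbaproject.bin") for n in names):
            reasons.append("Office document carries a VBA macro project")
    if kind == "pdf" and re.search(rb"/(JavaScript|JS|Launch|OpenAction)\b", data):
        reasons.append("PDF contains active content (JavaScript/Launch/OpenAction)")
    return reasons


def build_docx_with_macro() -> bytes:
    """Constructed: a minimal OOXML container that smuggles vbaProject.bin."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("[Content_Types].xml", "<Types/>")
        z.writestr("word/document.xml", "<w:document/>")
        z.writestr("word/vbaProject.bin", b"\xd0\xcf\x11\xe0 macro payload")
    return buf.getvalue()


# Constructed intake uploads: two benign, four disguised in different ways.
SAMPLES = {
    "ultrasound.jpg": b"MZ\x90\x00" + b"\x00" * 60,            # PE dressed as image
    "liver_scan.dcm": b"\x00" * 128 + b"DICM" + b"\x02\x00\x00\x00UL",
    "labs.pdf": b"%PDF-1.7\n1 0 obj << /OpenAction 2 0 R /JS (app.alert(1)) >>",
    "referral.docx": build_docx_with_macro(),
    "consult_notes.pdf": SIGNATURES["ole"] + b"\x00" * 32,    # .doc renamed to .pdf
    "chart.png": SIGNATURES["png"] + b"\x00" * 16,
}


def run_samples() -> dict[str, list[str]]:
    """Triage every constructed sample and return the findings per file."""
    return {name: triage(name, data) for name, data in SAMPLES.items()}


if __name__ == "__main__":
    for name, reasons in run_samples().items():
        print(f"{name:18} {'QUARANTINE' if reasons else 'ok':10} {reasons}")
```

The check is deliberately name-independent: it trusts the bytes, not the extension, which is exactly what a file "disguised to look like a medical document" relies on. It does not replace sandbox detonation or an imaging-gateway validator for DICOM; it is the cheap first gate that keeps an obvious executable or macro document from reaching a nurse's pre-visit chart review.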

Targeting telehealth

Medical providers continue to expand telehealth to increase access, improve care and reach more patients – and revenues are high.

Last month KrebsOnSecurity reported on Clop after seeing an intercepted communication in which the group said it had successfully infiltrated new victims by disguising malware as ultrasound images and other medical documents.

In the report, Alex Holden, founder of Hold Security, a Milwaukee-based cybersecurity firm, said the group is strategically targeting the types of medical conditions they perceive to be more easily diagnosed via telehealth.

"Basically, they’re counting on doctors or nurses reviewing the patient’s chart and scans just before the appointment," Holden said. 

"They initially discussed going in with cardiovascular issues, but decided cirrhosis or fibrosis of the liver would be more likely to be diagnosable remotely from existing test results and scans."

Andrea Fox is senior editor of Healthcare IT News.
Email: afox@himss.org

Healthcare IT News is a HIMSS publication.
