The healthcare and public health (HPH) sector is in the crosshairs of the Clop and MedusaLocker ransomware gangs, according to the Health Sector Cybersecurity Coordination Center (HC3), which has recently issued alerts about both cybercriminal groups.
The latest HPH sector alert on Clop was published a matter of weeks after a previous alert from HC3 about Clop in January 2023. Clop has been active since at least February 2019 and has been one of the most prolific ransomware groups over the past 3 years. The group has gained notoriety following several attacks on high-profile organizations and for the sheer number of attacks. In contrast to several ransomware groups that have operating policies that prohibit attacks on healthcare organizations, Clop actively targets the healthcare industry and, in 2021, conducted 959 attacks on the sector – 77% of all attacks conducted by the group that year.
In June of 2021, a law enforcement operation saw six members of the group arrested in Ukraine; however, despite those arrests, the group has continued to operate and remains a major threat to the healthcare sector, especially healthcare organizations with annual revenues in excess of $5 million. The group is known to use double extortion tactics – stealing data as well as encrypting files, then demanding a ransom for the decryption keys and to prevent the release of the stolen data on its data leak site.
The reason for the most recent alert about Clop is an attack on 130 organizations, including several in the HPH sector. These attacks exploited a zero-day vulnerability in Fortra’s GoAnywhere managed file transfer (MFT) solution, which is used by organizations for securely transferring large files. The vulnerability – CVE-2023-0669 – is a pre-authentication command injection vulnerability in the License Response Servlet, which can be exploited to achieve remote code execution. Community Health Solutions was one of the healthcare organizations that fell victim to the latest Clop attack.
A patch is now available to fix the flaw, but it was not released until after attacks on approximately 130 organizations. Clop claimed responsibility for the attacks, which involved data theft but no file encryption. The Clop group explained in conversations with Bleeping Computer that data encryption was possible, but the group decided on an extortion-only approach, similar to the attacks that exploited a vulnerability in a similar file transfer solution in late 2020 – Accellion FTA.
HC3 has also issued an alert about MedusaLocker ransomware in the past few days. MedusaLocker attacks are less common, as the group is far less prolific than Clop, but as with Clop, MedusaLocker appears to primarily target the HPH sector and the attacks can cause just as much damage. MedusaLocker was first detected in September 2019, just a few months after Clop appeared, and also operates under the ransomware-as-a-service model, which uses affiliates to conduct attacks in exchange for a percentage of the ransom payments.
MedusaLocker attacks initially started with phishing emails with malicious attachments; however, in 2022, the group started exploiting vulnerabilities in Remote Desktop Protocol (RDP), and this method of attack now appears to be favored by the group. Defending against MedusaLocker ransomware attacks requires defenses against phishing and securing RDP with multiple layers of protection, including access controls, multi-factor authentication, prompt patching of vulnerabilities, strong passwords, and active monitoring of RDP utilization.
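The "active monitoring of RDP utilization" mentioned above is the kind of control that is easy to state and easy to leave unimplemented. As an added illustration (not code from HC3, the article, or any vendor), the script below runs two simple checks over Windows Security events: it flags a source address that produces repeated failed logons (Event ID 4625) inside a short sliding window, and it flags successful interactive-remote logons (Event ID 4624 with LogonType 10, the type Windows records for RDP sessions) that arrive from outside an internal allowlist. The event records, the allowlist networks, the field names of the simplified export format, and the threshold and window values are all constructed assumptions for the example; a real deployment would feed these functions from a SIEM export and tune them to the environment.

```python
"""Added example, not part of the HC3 alert or the article.

Reviews simplified Windows Security events for RDP activity worth a defender's
attention: bursts of failed logons from one source, and successful RDP logons
from networks that should not be originating RDP sessions at all.
"""
from collections import defaultdict
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

# Assumed allowlist: networks from which RDP logons are expected (constructed).
INTERNAL_NETS = [ip_network("10.0.0.0/8"), ip_network("192.168.0.0/16")]

# Constructed sample events in an already-parsed, simplified form. A real SIEM
# export carries many more fields; only the ones these checks need are kept.
# Failed logons (4625) against RDP are often recorded with LogonType 3 when
# Network Level Authentication is enabled, so failures are counted regardless
# of type; LogonType 10 is only required for the successful-logon check.
SAMPLE_EVENTS = [
    {"time": "2023-03-01T02:14:01", "event_id": 4625, "logon_type": 3, "user": "admin", "src_ip": "203.0.113.45"},
    {"time": "2023-03-01T02:14:20", "event_id": 4625, "logon_type": 3, "user": "administrator", "src_ip": "203.0.113.45"},
    {"time": "2023-03-01T02:14:45", "event_id": 4625, "logon_type": 3, "user": "admin", "src_ip": "203.0.113.45"},
    {"time": "2023-03-01T02:15:10", "event_id": 4625, "logon_type": 3, "user": "backup", "src_ip": "203.0.113.45"},
    {"time": "2023-03-01T02:15:40", "event_id": 4625, "logon_type": 3, "user": "admin", "src_ip": "203.0.113.45"},
    {"time": "2023-03-01T02:16:05", "event_id": 4625, "logon_type": 3, "user": "admin", "src_ip": "203.0.113.45"},
    {"time": "2023-03-01T02:17:30", "event_id": 4624, "logon_type": 10, "user": "admin", "src_ip": "203.0.113.45"},
    {"time": "2023-03-01T02:18:00", "event_id": 4624, "logon_type": 3, "user": "admin", "src_ip": "203.0.113.45"},
    {"time": "2023-03-01T08:02:11", "event_id": 4624, "logon_type": 10, "user": "jsmith", "src_ip": "10.0.5.20"},
    {"time": "2023-03-01T09:30:00", "event_id": 4625, "logon_type": 3, "user": "jdoe", "src_ip": "198.51.100.7"},
    {"time": "2023-03-01T09:31:00", "event_id": 4625, "logon_type": 3, "user": "jdoe", "src_ip": "198.51.100.7"},
]


def parse_events(raw_events):
    """Convert ISO-8601 time strings to datetime objects; other fields pass through."""
    parsed = []
    for ev in raw_events:
        parsed.append({**ev, "time": datetime.fromisoformat(ev["time"])})
    return parsed


def detect_rdp_brute_force(events, threshold=5, window=timedelta(minutes=5)):
    """Return {src_ip: peak_failures} for sources with >= threshold failed logons
    (Event ID 4625) inside any sliding window of the given length."""
    failures = defaultdict(list)
    for ev in events:
        if ev["event_id"] == 4625:
            failures[ev["src_ip"]].append(ev["time"])
    hits = {}
    for src, times in failures.items():
        times.sort()
        start = 0
        for end in range(len(times)):
            # Advance the window start until the span fits within `window`.
            while times[end] - times[start] > window:
                start += 1
            count = end - start + 1
            if count >= threshold:
                hits[src] = max(hits.get(src, 0), count)
    return hits


def detect_external_rdp_logons(events, internal_nets=INTERNAL_NETS):
    """Return (time, user, src_ip) for successful RDP logons (4624, LogonType 10)
    whose source address is not inside any allowlisted internal network."""
    findings = []
    for ev in events:
        if ev["event_id"] == 4624 and ev["logon_type"] == 10:
            src = ip_address(ev["src_ip"])
            if not any(src in net for net in internal_nets):
                findings.append((ev["time"].isoformat(), ev["user"], ev["src_ip"]))
    return findings


def review_rdp_activity(raw_events):
    """Run both checks and return a single report dict."""
    events = parse_events(raw_events)
    return {
        "brute_force_sources": detect_rdp_brute_force(events),
        "external_rdp_logons": detect_external_rdp_logons(events),
    }


if __name__ == "__main__":
    report = review_rdp_activity(SAMPLE_EVENTS)
    for src, n in report["brute_force_sources"].items():
        print(f"[!] {n} failed logons within 5 min from {src}")
    for when, user, src in report["external_rdp_logons"]:
        print(f"[!] RDP logon by {user} from non-internal address {src} at {when}")
```

On the constructed data the first check reports the burst of six failures from 203.0.113.45, and the second reports the successful RDP session that follows it from the same address; the internal logon and the two isolated failures are left alone. The point of pairing the two checks is that a success shortly after a burst of failures from the same external source is a much stronger signal than either event on its own, which is what a monitoring rule for RDP should be built to surface.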
Recommended mitigations and details of the tactics, techniques, and procedures used by MedusaLocker are detailed in the latest HC3 MedusaLocker Analyst Note.