HHS Alerts on Cl0p Ransomware Following GoAnywhere MFT Exploits

Date:

February 23, 2023

World map

Overview

Title

HHS Alerts on Cl0p Ransomware Following GoAnywhere MFT Exploits

Victim

Department of Health and Human Services

Attacker

Cl0p

Location

Washington, D.C., USA

Washington, D.C.,

Size of Attack

Unknown/TBD

First Reported

February 23, 2023

Last Updated

October 31, 2022

The Department of Health and Human Services has issued an alert warning that organizations in the healthcare sector need to pay particular attention to attacks by the ransomware gang known as Cl0p.  

The threat actors behind Cl0p have been particularly focused on the healthcare sector, hence the latest guidance issued by the HHS’s HC3 (Health Sector Cybersecurity Coordination Center) following the recent exploitation of a GoAnywhere MFT vulnerability.

Takeaway: Cl0p displays advanced anti-analysis capabilities and anti-virtual machine analysis to prevent further investigations in an emulated environment – such as sandboxing – and it is interesting to note that the threat actors recently developed a Linux version of the ransomware. While Linux has a small footprint in desktop computing, it runs ~80% of all web servers, the majority of smartphones, all supercomputers, and a good portion of all embedded devices – including those being widely used in healthcare settings.  

While there are comparatively few Linux targets, the targets are potentially extremely lucrative. The "always on" nature of Linux systems provides a strategic beachhead for moving laterally throughout the network. Targeting Linux systems would allow the threat actors to disrupt the most critical parts of a network to demand high ransom amounts, and this is especially true in the healthcare sector.

Ransomware attacks are the biggest threat facing organizations today, and healthcare providers have been hit particularly hard. Attackers have significantly advanced their ability to quietly infiltrate large portions of a target's network in order to demand a higher ransom payout and exfiltrate sensitive data to be used as additional leverage to get the victims to pay. This is a big-money game, and we continue to see healthcare and other critical infrastructure providers be a favorite target given they typically have the least amount of resources to dedicate to securing these sensitive systems.

Organizations of every size need to implement a strong prevention and resilience strategy to defend against ransomware attacks, including:

  • Keeping all software and operating systems up to date and patched
  • Assuring critical data is backed up offsite and protected from corruption in the case of a ransomware attack
  • Assure all endpoints are protected with an EPP solution like next-generation anti-virus (NGAV) software and an anti-ransomware solution
  • Implement network segmentation and Zero Trust policies
  • Implement an employee awareness program to educate against risky behaviors, phishing techniques, etc.
  • Plan and prepare for failure by running regular tabletop exercises and ensuring all stakeholders are ready and available to respond to an attack at all times

Halcyon.ai is the industry’s first dedicated, adaptive security platform that combines multiple advanced proprietary prevention engines along with AI models focused specifically on stopping ransomware – talk to a Halcyon expert today to find out more.

The threat actors behind Cl0p have been particularly focused on the healthcare sector, hence the latest guidance issued by the HHS’s HC3...

Oh no!

This attack's description was not found, while we work on the detailed account of this attack we invite you to browse through other recent Rasomware Attacks in the table below.

Recent Ransomware Attacks

The Recent Ransomware Attacks (RRA) site acts as a watchtower, providing you with near real-time ransomware tracking of attacks, groups and their victims. Given threat actors’ overarching, lucrative success so far, ransomware attacks have become the most ubiquitous, and financially and informationally impactful cyber threat to businesses and organizations today.

The site’s data is generated based on hosting choices of real-world threat actors, and a handful of other trackers. While sanitization efforts have been taken, we cannot guarantee 100% accuracy of the data. Attack updates will be made as source data is reported by reputable sources. By viewing, accessing, or using RRA you acknowledge you are doing so at your own risk.

LockBit attacks Leos Jeans
Date
November 15, 2023
Ransomware group
LockBit
Location

Butzbach, Germany

Butzbach, Germany

Industry
Retail Trade
Victim
Leos Jeans
LockBit attacks Leos Jeans
Date
November 15, 2023
Ransomware group
LockBit
Location

Butzbach, Germany

Butzbach, Germany

Industry
Retail Trade
Victim
Leos Jeans
BlackCat/ALPHV attacks 4set
Date
November 14, 2023
Ransomware group
ALPHV
Location

Bizkaia, Spain

Basco, Spain

Industry
Professional, Scientific & Technical Services
Victim
4set
BlackCat/ALPHV attacks 4set
Date
November 14, 2023
Ransomware group
ALPHV
Location

Bizkaia, Spain

Basco, Spain

Industry
Professional, Scientific & Technical Services
Victim
4set
Cuba attacks DiagnosTechs
Date
November 14, 2023
Ransomware group
Cuba
Location

Federal Way, USA

Washington, USA

Industry
Professional, Scientific & Technical Services
Victim
DiagnosTechs
Cuba attacks DiagnosTechs
Date
November 14, 2023
Ransomware group
Cuba
Location

Federal Way, USA

Washington, USA

Industry
Professional, Scientific & Technical Services
Victim
DiagnosTechs
NoEscape attacks Carespring Health Care Management
Date
November 14, 2023
Ransomware group
NoEscape
Location

Cincinnati, USA

Ohio, USA

Industry
Healthcare
Victim
Carespring Health Care Management
NoEscape attacks Carespring Health Care Management
Date
November 14, 2023
Ransomware group
NoEscape
Location

Cincinnati, USA

Ohio, USA

Industry
Healthcare
Victim
Carespring Health Care Management
BlackCat/ALPHV attacks Execuzen
Date
November 14, 2023
Ransomware group
ALPHV
Location

London, United Kingdom

London, United Kingdom

Industry
Professional, Scientific & Technical Services
Victim
Execuzen
BlackCat/ALPHV attacks Execuzen
Date
November 14, 2023
Ransomware group
ALPHV
Location

London, United Kingdom

London, United Kingdom

Industry
Professional, Scientific & Technical Services
Victim
Execuzen
LockBit attacks University of the Aegean
Date
November 13, 2023
Ransomware group
LockBit
Location

Mytilene, Greece

Mytilene, Greece

Industry
Education
Victim
University of the Aegean
LockBit attacks University of the Aegean
Date
November 13, 2023
Ransomware group
LockBit
Location

Mytilene, Greece

Mytilene, Greece

Industry
Education
Victim
University of the Aegean
LockBit attacks Hotel Ampere Paris
Date
November 12, 2023
Ransomware group
LockBit
Location

Paris, France

Paris, France

Industry
Accommodations & Food Services
Victim
Hotel Ampere Paris
LockBit attacks Hotel Ampere Paris
Date
November 12, 2023
Ransomware group
LockBit
Location

Paris, France

Paris, France

Industry
Accommodations & Food Services
Victim
Hotel Ampere Paris
LockBit attacks Carson Team
Date
November 12, 2023
Ransomware group
LockBit
Location

Portland, USA

Oregon, USA

Industry
Other
Victim
Carson Team
LockBit attacks Carson Team
Date
November 12, 2023
Ransomware group
LockBit
Location

Portland, USA

Oregon, USA

Industry
Other
Victim
Carson Team
Cuba attacks Port Adelaide FC
Date
November 12, 2023
Ransomware group
Cuba
Location

Alberton, Australia

South Australia, Australia

Industry
Arts, Entertainment & Recreation
Victim
Port Adelaide FC
Cuba attacks Port Adelaide FC
Date
November 12, 2023
Ransomware group
Cuba
Location

Alberton, Australia

South Australia, Australia

Industry
Arts, Entertainment & Recreation
Victim
Port Adelaide FC
LockBit attacks Floortex
Date
November 11, 2023
Ransomware group
LockBit
Location

Tewkesbury, United Kingdom

Gloucestershire, United Kingdom

Industry
Manufacturing
Victim
FloorTex
LockBit attacks Floortex
Date
November 11, 2023
Ransomware group
LockBit
Location

Tewkesbury, United Kingdom

Gloucestershire, United Kingdom

Industry
Manufacturing
Victim
FloorTex