Clop Ransomware Group specifically targets Healthcare Industry in Data Breaches

IBM's 2022 Cost of a Data Breach Report revealed that the healthcare industry suffered losses of $10.1 million per data breach. Notorious groups like LockBit, KillNet, and Hive have been at the center of these attacks, causing varying degrees of damage and revenue loss due to downtime.

Recently, a new player, “Clop,” has taken the cybersecurity industry by surprise, using a unique process to steal personal health data. Unlike most ransomware-as-a-service groups, Clop targets companies in the healthcare industry with a yearly revenue of $5 million to $10 million. Their approach takes advantage of the rapid growth of telehealth, the vulnerability of healthcare systems, and hospitals’ need to protect patients’ data.

This article will explore the activities of the Clop ransomware group, their motivation, data breaches, and how to protect your company from attacks.

What is CLOP Ransomware?

Clop ransomware is a variant of the CryptoMix family that alters predefined browser settings to gain access and encrypts files on an infected computer with an RSA 1024-bit public key. It completes the encryption with RC4 using 117 bytes of the public key. The ransomware is also known to stop Windows processes and turn off security tools like Windows Defender, making it difficult to identify early.

Who is Behind CLOP, and What’s Their Motivation?

The groups behind Clop ransomware have been traced to Russian origin. In 2021, a joint task force raid led to the arrest of six Clop members in Ukraine, but the group is still active. Threat actors like TA505 and FIN11 have recently used the ransomware to conduct high-profile hacks. Without a doubt, the primary motivation of the hacker group is monetary gain. This is evident from their double extortion tactics, which threaten to expose sensitive healthcare data if victims attempt to restore a backup before paying the ransom.

How Does Clop Ransomware Spread?

Typically, Clop ransomware attacks follow regular cyber-attack methods like phishing emails and exploit kits. There have also been cases of third-party tools like PaperCut and GoAnywhere serving as attack access points. Generally, the attackers send out a malicious email that mimics a genuine doctor’s note. Once it’s delivered, they book fake medical appointments under the file’s name, hoping to trick the doctor into opening the infected file.

Various assets attached to such emails, like medical images and documents, can carry the malware. Once an infected document is opened, the malware stops hundreds of Windows processes so that it can encrypt the files associated with those processes.

Clop ransomware has built-in anti-analysis and anti-virtual machine (VM) capabilities, and it can turn off anti-malware applications. Turning off anti-malware tools like Windows Defender and Microsoft Security Essentials is the first step before file encryption begins. This method allows the ransomware to encrypt files without detection, resulting in more significant damage and larger ransom requests.
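A detection sketch for the sequence described above (anti-malware protection switched off, then many processes stopped in quick succession), added here as an example and not taken from the original article. The event records are constructed, and the field names, the 60-second window and the threshold of 20 processes are assumptions to tune for your own telemetry.

```python
from datetime import datetime, timedelta

WINDOW = timedelta(seconds=60)  # assumed correlation window
MIN_STOPPED = 20                # assumed count of distinct processes stopped


def find_suspect_hosts(events, window=WINDOW, min_stopped=MIN_STOPPED):
    """Return {host: alert_time} where protection was disabled and at least
    `min_stopped` distinct process images then ended within `window`."""
    disabled_at = {}   # host -> time protection was last disabled
    stopped = {}       # host -> distinct images ended since then
    alerts = {}
    for ev in sorted(events, key=lambda e: e["ts"]):
        host, ts = ev["host"], ev["ts"]
        if ev["kind"] == "protection_disabled":
            disabled_at[host] = ts
            stopped[host] = set()
        elif ev["kind"] == "process_stopped" and host in disabled_at:
            if ts - disabled_at[host] > window:
                continue  # too late to be tied to the tampering event
            stopped[host].add(ev["image"].lower())
            if len(stopped[host]) >= min_stopped:
                alerts.setdefault(host, ts)  # keep the first alert time
    return alerts


def build_sample_events():
    """Constructed records (hypothetical schema), not real telemetry."""
    t0 = datetime(2023, 6, 1, 9, 0, 0)
    ev = [{"host": "WS-01", "ts": t0, "kind": "protection_disabled"}]
    # WS-01: 25 distinct processes end within 25 s of protection going off.
    ev += [{"host": "WS-01", "ts": t0 + timedelta(seconds=i),
            "kind": "process_stopped", "image": f"app{i}.exe"}
           for i in range(1, 26)]
    # WS-02: many routine process exits, protection never disabled.
    ev += [{"host": "WS-02", "ts": t0 + timedelta(seconds=i),
            "kind": "process_stopped", "image": f"tool{i}.exe"}
           for i in range(30)]
    # WS-03: protection disabled (e.g. maintenance) but only three exits.
    ev.append({"host": "WS-03", "ts": t0, "kind": "protection_disabled"})
    ev += [{"host": "WS-03", "ts": t0 + timedelta(seconds=i),
            "kind": "process_stopped", "image": f"svc{i}.exe"}
           for i in range(1, 4)]
    return ev


if __name__ == "__main__":
    for host, when in find_suspect_hosts(build_sample_events()).items():
        print(f"ALERT {host}: mass process stop after protection disabled ({when})")
```

Only WS-01 is flagged: WS-02 has many process exits but no tampering event, and WS-03 has a tampering event but too few exits to cross the threshold.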

Who Are the Victims of Clop Ransomware?

There have been multiple reports of Clop ransomware playing a vital role in major healthcare data breaches since it became publicly known in 2019. However, the group has been at the center of major hacks exploiting zero-day vulnerabilities in third-party software since January 2023.

In February 2023, the hacker group went on a rampage, encrypting files from multiple organizations using security flaws in third-party software. Fortra’s GoAnywhere managed file transfer solution and PaperCut were two compromised access points in these attacks.

For example, Brightline, a children’s virtual mental healthcare start-up, lost about 63,000 patients’ information to the GoAnywhere security breach. The ransomware accessed the system through a pre-authentication command injection vulnerability in the license response servlet. Exploiting the vulnerability, Clop was able to steal data containing clients’ full names, dates of birth, physical addresses, dates of health plan coverage, member identification numbers, and employer names.

In a related attack, NationsBenefits, a Florida-based healthcare management company, lost over seven thousand clients’ data to the Clop healthcare attacks. The ransomware exploited a zero-day remote code execution vulnerability to access files stored in the GoAnywhere MFT system. Both events are part of a larger hack by the Clop group, with over 100 organizations being victims of these attacks.

Recently, Clop ransomware exploited an unknown vulnerability in the MOVEit file transfer service in an ongoing hack. Although the investigation is ongoing, Nova Scotia Health, the IWK Health Center, and the public service have confirmed that the Clop group stole the data of over 100,000 employees in the hack.

Despite warnings from the Health Sector Cybersecurity Coordination Center and third-party software providers updating their security patches, the healthcare industry isn’t out of the red zone. The threats are evolving, and you should adopt best-practice cybersecurity measures to stay safe.

How Health Care Companies Can Prevent Clop Ransomware Attacks

Tracing well-known hacks involving Clop ransomware, we identified a pattern. Most hacks exploit vulnerabilities in third-party file transfer tools used in the healthcare industry. So far, Accellion, MOVEit, PaperCut, and GoAnywhere MFT have been victims of these breaches. Although these companies have patched the vulnerabilities, you must always stay vigilant. Here are some steps to prevent Clop data breaches in your organization.

  1. Adopt and deploy AI-based cybersecurity and automation tools to enhance system endpoint protection. This will also help reduce the manual workload on the cybersecurity team, so they can focus on more critical infrastructure monitoring and upgrades.
  2. Subscribe to a managed detection & response service from a professional cybersecurity firm. This service will allow you to free up resources and respond faster to threats.
  3. Implement advanced email & endpoint protection protocols to defend against Clop phishing emails.
  4. Partner with a cybersecurity firm like Cyberclan to deploy incident response services for regular IR plan testing and updates.

Are you ready to secure sensitive data with robust cybersecurity services from Cyberclan? Schedule a consultation to get personalized service to prevent data breaches in your healthcare start-up.
