Ransomware groups are constantly devising new methods for infecting victims and convincing them to pay up, but a couple of strategies tested recently seem especially devious. The first centers on targeting healthcare organizations that offer consultations over the Internet and sending them booby-trapped medical records for the “patient.” The other involves carefully editing email inboxes of public company executives to make it appear that some were involved in insider trading.
Alex Holden is founder of Hold Security, a Milwaukee-based cybersecurity firm. Holden’s team gained visibility into discussions among members of two different ransom groups: CLOP (a.k.a. “Cl0p” a.k.a. “TA505“), and a newer ransom group known as Venus.
Last month, the U.S. Department of Health and Human Services (HHS) warned that Venus ransomware attacks were targeting a number of U.S. healthcare organizations. First spotted in mid-August 2022, Venus is known for hacking into victims’ publicly-exposed Remote Desktop services to encrypt Windows devices.
Holden said the internal discussions among the Venus group members indicate this gang has no problem gaining access to victim organizations.
“The Venus group has problems getting paid,” Holden said. “They are targeting a lot of U.S. companies, but nobody wants to pay them.”
Which might explain why their latest scheme centers on trying to frame executives at public companies for insider trading charges. Venus indicated it recently had success with a method that involves carefully editing one or more email inbox files at a victim firm — to insert messages discussing plans to trade large volumes of the company’s stock based on non-public information.
“We imitate correspondence of the [CEO] with a certain insider who shares financial reports of his companies through which your victim allegedly trades in the stock market, which naturally is a criminal offense and — according to US federal laws [includes the possibility of up to] 20 years in prison,” one Venus member wrote to an underling.
“You need to create this file and inject into the machine(s) like this so that metadata would say that they were created on his computer,” they continued. “One of my clients did it, I don’t know how. In addition to pst, you need to decompose several files into different places, so that metadata says the files are native from a certain date and time rather than created yesterday on an unknown machine.”
Holden said it’s not easy to plant emails into an inbox, but it can be done with Microsoft Outlook .pst files, which the attackers may also have access to if they’d already compromised a victim network.
“It’s not going to be forensically solid, but that’s not what they care about,” he said. “It still has the potential to be a huge scandal — at least for a while — when a victim is being threatened with the publication or release of these records.”
Holden said the CLOP ransomware gang has a different problem of late: Not enough victims. The intercepted CLOP communication seen by KrebsOnSecurity shows the group bragged about twice having success infiltrating new victims in the healthcare industry by sending them infected files disguised as ultrasound images or other medical documents for a patient seeking a remote consultation.
The CLOP members said one tried-and-true method of infecting healthcare providers involved gathering healthcare insurance and payment data to use in submitting requests for a remote consultation on a patient who has cirrhosis of the liver.
“Basically, they’re counting on doctors or nurses reviewing the patient’s chart and scans just before the appointment,” Holden said. “They initially discussed going in with cardiovascular issues, but decided cirrhosis or fibrosis of the liver would be more likely to be diagnosable remotely from existing test results and scans.”
While CLOP as a money making collective is a fairly young organization, security experts say CLOP members hail from a group of Threat Actors (TA) known as “TA505,” which MITRE’s ATT&CK database says is a financially motivated cybercrime group that has been active since at least 2014. “This group is known for frequently changing malware and driving global trends in criminal malware distribution,” MITRE assessed.
In April, 2021, KrebsOnSecurity detailed how CLOP helped pioneer another innovation aimed at pushing more victims into paying an extortion demand: Emailing the ransomware victim’s customers and partners directly and warning that their data would be leaked to the dark web unless they can convince the victim firm to pay up.
Security firm Tripwire points out that the HHS advisory on Venus says multiple threat actor groups are likely distributing the Venus ransomware. Tripwire’s tips for all organizations on avoiding ransomware attacks include:
While the above tips are important and useful, one critical area of ransomware preparedness overlooked by too many organizations is the need to develop — and then periodically rehearse — a plan for how everyone in the organization should respond in the event of a ransomware or data ransom incident. Drilling this breach response plan is key because it helps expose weaknesses in those plans that could be exploited by the intruders.
As noted in last year’s story Don’t Wanna Pay Ransom Gangs? Test Your Backups, experts say the biggest reason ransomware targets and/or their insurance providers still pay when they already have reliable backups of their systems and data is that nobody at the victim organization bothered to test in advance how long this data restoration process might take.
“Suddenly the victim notices they have a couple of petabytes of data to restore over the Internet, and they realize that even with their fast connections it’s going to take three months to download all these backup files,” said Fabian Wosar, chief technology officer at Emsisoft. “A lot of IT teams never actually make even a back-of-the-napkin calculation of how long it would take them to restore from a data rate perspective.”