Clop, a ransomware group known for its role in the Accellion data breach, has changed its tactics to infect files disguised as medical documents and images, SCMedia reported Dec. 20.
The group had recently struggled to find victims that would pay its ransom, leading to the change in tactics. Clop is known to target medical facilities with more than $10 million in yearly revenue. However, they have also attacked smaller operations such as dentists' and physicians' offices.
With the expansion of telehealth during the COVID-19 pandemic, the group began to target telehealth services. Clop will steal medical information and images and even use ake appointment requests and medical records to get their malware into a system.
"They're basically registered as the patient themselves," Hold Security founder Alex Holden told SCMedia. "They are taking medical records from the victim and no one is looking. They don't have to fib because it's telehealth, and it's believable."
When a physician refers a telehealth patient out for imaging, for example, Clop can intercept the medical record and health insurance information and send a file disguised as the results back to the physician, who may then open it and infect the practice's system with malware.