Brian Krebs has an interesting write-up about some of the goings-on involving ransomware groups targeting the healthcare sector.
Krebs cites Alex Holden of Hold Security, a Milwaukee-based cybersecurity firm. Holden’s team reportedly gained visibility into discussions among members of two different ransom groups: CLOP (a.k.a. “Cl0p” a.k.a. “TA505”), and a newer ransom group known as Venus. Readers may remember a warning last month from HHS about how Venus ransomware has been used to attack at least one victim, although no victim has ever publicly revealed itself or been named.
[Alex] Holden said the internal discussions among the Venus group members indicate this gang has no problem gaining access to victim organizations.
“The Venus group has problems getting paid,” Holden said. “They are targeting a lot of U.S. companies, but nobody wants to pay them.”
If you won’t pay them to delete patient data, maybe you’ll pay them because they try to frame your executive for something scandalous? It sounds like Venus has taken to trying to create reasons for executives to pay for their silence even when there has been no impropriety.
Krebs also reports some interesting observations about Cl0p, who have gained access to some healthcare entities by sending infected files disguised as ultrasound images or other documents for a patient seeking a remote consultation.
The CLOP members said one tried-and-true method of infecting healthcare providers involved gathering healthcare insurance and payment data to use in submitting requests for a remote consultation on a patient who has cirrhosis of the liver.
Read more at KrebsOnSecurity.com.