December 8, 2022

Ransomware groups are constantly devising new methods for infecting victims and convincing them to pay up, but a couple of strategies tested recently seem especially devious. The first centers on targeting healthcare organizations that offer consultations over the Internet and sending them booby-trapped medical records for the “patient.” The other involves carefully editing email inboxes of public company executives to make it appear that some were involved in insider trading.

Alex Holden is founder of Hold Security, a Milwaukee-based cybersecurity firm. Holden’s team gained visibility into discussions among members of two different ransom groups: CLOP (a.k.a. “Cl0p” a.k.a. “TA505“), and a newer ransom group known as Venus.

Last month, the U.S. Department of Health and Human Services (HHS) warned that Venus ransomware attacks were targeting a number of U.S. healthcare organizations. First spotted in mid-August 2022, Venus is known for hacking into victims’ publicly-exposed Remote Desktop services to encrypt Windows devices.

Holden said the internal discussions among the Venus group members indicate this gang has no problem gaining access to victim organizations.

“The Venus group has problems getting paid,” Holden said. “They are targeting a lot of U.S. companies, but nobody wants to pay them.”

Which might explain why their latest scheme centers on trying to frame executives at public companies for insider trading charges. Venus indicated it recently had success with a method that involves carefully editing one or more email inbox files at a victim firm — to insert messages discussing plans to trade large volumes of the company’s stock based on non-public information.

“We imitate correspondence of the [CEO] with a certain insider who shares financial reports of his companies through which your victim allegedly trades in the stock market, which naturally is a criminal offense and — according to US federal laws [includes the possibility of up to] 20 years in prison,” one Venus member wrote to an underling.

“You need to create this file and inject into the machine(s) like this so that metadata would say that they were created on his computer,” they continued. “One of my clients did it, I don’t know how. In addition to pst, you need to decompose several files into different places, so that metadata says the files are native from a certain date and time rather than created yesterday on an unknown machine.”

Holden said it’s not easy to plant emails into an inbox, but it can be done with Microsoft Outlook .pst files, which the attackers may also have access to if they’d already compromised a victim network.

“It’s not going to be forensically solid, but that’s not what they care about,” he said. “It still has the potential to be a huge scandal — at least for a while — when a victim is being threatened with the publication or release of these records.”

The Venus ransom group’s extortion note. Image:

Holden said the CLOP ransomware gang has a different problem of late: Not enough victims. The intercepted CLOP communication seen by KrebsOnSecurity shows the group bragged about twice having success infiltrating new victims in the healthcare industry by sending them infected files disguised as ultrasound images or other medical documents for a patient seeking a remote consultation.

The CLOP members said one tried-and-true method of infecting healthcare providers involved gathering healthcare insurance and payment data to use in submitting requests for a remote consultation on a patient who has cirrhosis of the liver.

“Basically, they’re counting on doctors or nurses reviewing the patient’s chart and scans just before the appointment,” Holden said. “They initially discussed going in with cardiovascular issues, but decided cirrhosis or fibrosis of the liver would be more likely to be diagnosable remotely from existing test results and scans.”

While CLOP as a money making collective is a fairly young organization, security experts say CLOP members hail from a group of Threat Actors (TA) known as “TA505,” which MITRE’s ATT&CK database says is a financially motivated cybercrime group that has been active since at least 2014. “This group is known for frequently changing malware and driving global trends in criminal malware distribution,” MITRE assessed.

In April, 2021, KrebsOnSecurity detailed how CLOP helped pioneer another innovation aimed at pushing more victims into paying an extortion demand: Emailing the ransomware victim’s customers and partners directly and warning that their data would be leaked to the dark web unless they can convince the victim firm to pay up.

Security firm Tripwire points out that the HHS advisory on Venus says multiple threat actor groups are likely distributing the Venus ransomware. Tripwire’s tips for all organizations on avoiding ransomware attacks include:

  • Making secure offsite backups.
  • Running up-to-date security solutions and ensuring that your computers are protected with the latest security patches against vulnerabilities.
  • Using hard-to-crack unique passwords to protect sensitive data and accounts, as well as enabling multi-factor authentication.
  • Encrypting sensitive data wherever possible.
  • Continuously educating and informing staff about the risks and methods used by cybercriminals to launch attacks and steal data.

While the above tips are important and useful, one critical area of ransomware preparedness overlooked by too many organizations is the need to develop — and then periodically rehearse — a plan for how everyone in the organization should respond in the event of a ransomware or data ransom incident. Drilling this breach response plan is key because it helps expose weaknesses in those plans that could be exploited by the intruders.

As noted in last year’s story Don’t Wanna Pay Ransom Gangs? Test Your Backups, experts say the biggest reason ransomware targets and/or their insurance providers still pay when they already have reliable backups of their systems and data is that nobody at the victim organization bothered to test in advance how long this data restoration process might take.

“Suddenly the victim notices they have a couple of petabytes of data to restore over the Internet, and they realize that even with their fast connections it’s going to take three months to download all these backup files,” said Fabian Wosar, chief technology officer at Emsisoft. “A lot of IT teams never actually make even a back-of-the-napkin calculation of how long it would take them to restore from a data rate perspective.”

7 thoughts on “New Ransom Payment Schemes Target Executives, Telemedicine

  1. Gannon (J) Dick

    As every senior knows, Open Enrollment for Medicare ended yesterday. I had lingering “ransomware problem” I took care of the day before yesterday. Towit: “cramming”. You probably last heard the term when you flipped telephone long distance service, if, and a big if you’ve ever heard of it at all. AOL’s virtually un-cancel-able Internet Service was the web twist. The Medicare Variant has two variants: 1) The “cramming” can result in increased premiums, and 2) The “brand reboot”. In their telling, Insurance Companies claim that your Health Care Records are tainted with doubts of competence and previous Lab Tests must be redone. You trusted the Physician initially to tell you what was making you sick not what was not. Only Medicare can cancel a plan unilaterally by “rebooting” i.e. reverting to Medicare A & B. Medicare had no way to give me a receipt for this transaction but said that I could call back Jan. 1. It seems a fair deal and I am sure a better deal than I would get from a ransomware purveyor.

  2. Billy Jack

    Backups are certainly a key part of dealing with these attacks, but there are plenty of small businesses who refuse to understand the value of backups. It also seems rare to find any individual with any kind of backup system at all.

    For my own network, I have multiple levels of borg backups. The servers make copies of their data using borg to local drives on the server. They are also backed up to a separate server. And the updates to the backups are copied to an outside cloud account.

    Also, we have the luxury of not having remote employees connect into our local network with VPN’s. And no third party services connecting in either.

    1. John Smith

      I am an individual home computer user and I make regular backup’s. I am sure there are others; but alas, I’ve yet to meet a single one. No one in my family bothers with backup’s at all – because they claim they don’t have anything “important”. Sigh…

    2. Bernhard

      It’s not the number of copies you make of your backups that will protect you from a ransomware attack.
      Rather it is important that at least one copy survives after an attacker gains full root/admin access to ALL of your servers, including those used to store that backup, and the cloud. That’s what they do before starting to encrypt/destroy your data.

      1. Billy Jack

        Of course.

        In our case, the backups to the cloud are transferred to it manually and are encrypted. Those should help.

        Also, we do backups of our most important data to thumb drives which are replaced on a regular basis and the old thumb drives are stored in labelled bags for later access if necessary.

        The main thing about having local copies of backups is to have faster restores than having to retrieve them from the cloud, first.

Comments are closed.