Ransomware developers are constantly coming up with new ways to infect victims and persuade them to pay up, but a couple of recent strategies appear especially cunning. The first involves targeting healthcare organizations that provide online consultations and sending them booby-trapped medical records for the "patient," while the second involves carefully editing email inboxes of public company executives to make it appear that some were involved in insider trading.
Last month, the United States Department of Health and Human Services (HHS) issued a warning that Venus ransomware attacks were targeting a number of healthcare organizations in the United States. Venus, which was discovered in mid-August 2022, is known for hacking into victims' publicly exposed Remote Desktop services in order to encrypt Windows devices.
According to Holden, internal Venus group discussions show that this group has no trouble gaining access to victim organizations.
“The Venus group has problems getting paid,” Holden said. “They are targeting a lot of U.S. companies, but nobody wants to pay them.”
That could explain why their latest scheme focuses on framing executives at public companies for insider trading charges. Venus recently reported success with a method that entails carefully editing one or more email inbox files at a victim firm — to insert messages discussing plans to trade large volumes of the company's stock based on non-public information.
“We imitate correspondence of the [CEO] with a certain insider who shares financial reports of his companies through which your victim allegedly trades in the stock market, which naturally is a criminal offense and — according to US federal laws [includes the possibility of up to] 20 years in prison,” one Venus member wrote to an underling.
“You need to create this file and inject into the machine(s) like this so that metadata would say that they were created on his computer,” they continued. “One of my clients did it, I don’t know how. In addition to pst, you need to decompose several files into different places, so that metadata says the files are native from a certain date and time rather than created yesterday on an unknown machine.”
Planting emails into an inbox is difficult, according to Holden, but it is possible with Microsoft Outlook .pst files, which the attackers may also have access to if they have already compromised a victim network.
“It’s not going to be forensically solid, but that’s not what they care about,” he said. “It still has the potential to be a huge scandal — at least for a while — when a victim is being threatened with the publication or release of these records.”
According to Holden, the CLOP ransomware gang is currently experiencing a different issue: a lack of victims. In intercepted CLOP communications obtained by KrebsOnSecurity, the group boasted twice about successfully infiltrating new victims in the healthcare industry by sending infected files disguised as ultrasound images or other medical documents for a patient seeking a remote consultation.
CLOP members reported that one tried-and-true method of infecting healthcare providers involved accumulating healthcare insurance and payment data to use in submitting requests for a remote consultation on a patient with liver cirrhosis.
“Basically, they’re counting on doctors or nurses reviewing the patient’s chart and scans just before the appointment,” Holden said. “They initially discussed going in with cardiovascular issues, but decided cirrhosis or fibrosis of the liver would be more likely to be diagnosable remotely from existing test results and scans.”
While CLOP as a money-making collective is a relatively new organization, security experts say CLOP members come from a Threat Actor (TA) group known as "TA505", which MITRE's ATT&CK database describes as a financially motivated cybercrime group active since at least 2014. According to MITRE, "this group is known for frequently changing malware and driving global trends in criminal malware distribution."
In April 2021, KrebsOnSecurity detailed how CLOP helped pioneer another innovation aimed at convincing more victims to pay an extortion demand: directly emailing the ransomware victim's customers and partners and alerting that their data would be leaked to the dark web unless the victim firm paid up.
According to Tripwire, the HHS advisory on Venus states that multiple threat actor groups are likely distributing the Venus ransomware. Tripwire's advice for all organizations on avoiding ransomware attacks includes the following:
- Making secure offsite backups.
- Running up-to-date security solutions and ensuring that your computers are protected with the latest security patches against vulnerabilities.
- Using hard-to-crack unique passwords to protect sensitive data and accounts, as well as enabling multi-factor authentication.
- Encrypting sensitive data wherever possible.
- Continuously educating and informing staff about the risks and methods used by cybercriminals to launch attacks and steal data.