The Australian government has issued a security alert today urging local health sector organizations to check their cyber-security defenses, and especially their controls for detecting and stopping ransomware attacks.
The Australian Cyber Security Center said it “observed increased targeting activity against the Australian Health sector by actors using the SDBBot Remote Access Tool (RAT).”
While the ACSC has not provided any details about what the “targeting activity” means, the SDBBot RAT has been almost exclusively distributed by a cybercrime group known as TA505.
The group relies on massive email spam campaigns to target companies and infect workstations with malware. The group has been seen dropping various malware strains on infected systems, but since September 2019, TA505 has often deployed the SDBBot payload as a means to access infected hosts remotely.
“SDBBot is comprised of 3 components,” the ACSC explained. “An installer which establishes persistence, a loader which downloads additional components, and the RAT itself.
“Once installed, malicious actors will use SDBBot to move laterally within a network and exfiltrate data.”
ACSC: SDBBot is a known precursor for the Clop ransomware
However, the ACSC says that “SDBBot is [also] a known precursor of the Clop ransomware.” [see reporting from Hornet Security and Secureworks]
The Clop ransomware is one of today’s most aggressive ransomware groups. Clop (also spelled Cl0p) is what security researchers call “big-game hunting ransomware” or “human-operated ransomware.”
It is a type of ransomware deployed in targeted intrusions against high-profile targets. The ransomware is not installed as soon as a threat actor gains access to a network but is held back as the last deployed payload.
The Clop operators will first focus on expanding their initial access to as many systems as possible, steal sensitive documents from the infected company, and only then manually deploy the ransomware when they know they’ve maximized their access into a hacked company.
Clop usually extorts victims for huge payouts in the range of hundreds of thousands of US dollars or even millions, and if victims don’t pay, the ransomware gang will publish stolen data on a dark web “leak site.”
The Australian cyber-security agency’s warning about possible ransomware attacks on the health sector comes after the US government sent similar warnings for the US health sector at the end of October.
But the ACSC says that while the recent SDBBot activity appears to target the health sector, organizations in other sectors should also review their ransomware detection capabilities; to be on the safe side.
The ACSC has recommended that companies review its ransomware guidance, if they need a starting point.