In Australia, the government is advising healthcare organizations to review and strengthen their cyber defenses, including their controls for preventing ransomware attacks. The Australian Cyber Security Center (ACSC) said that cybercriminals are increasingly targeting the country's healthcare providers with the SDBBot RAT (Remote Access Tool). SDBBot has been distributed almost exclusively by a hacking group known as "TA505".
This group relies on massive spam e-mail campaigns to target companies and infect workstations with various malware. Since September 2019, TA505 has frequently been observed deploying the SDBBot payload to gain remote access to infected systems. SDBBot consists of three components: an installer that establishes persistence, a loader that downloads additional components, and the RAT itself. Once installed, the attackers use SDBBot to move laterally across a network and steal data.
The ACSC also states that SDBBot is associated with Clop ransomware, one of the most aggressive and dangerous ransomware families in the threat landscape today. Clop is what security researchers call "big-game hunting ransomware" or "human-operated ransomware": it is deployed in attacks against high-profile targets, and the ransomware is not installed as soon as the threat actor gains access to a network but is held back as the final payload.
In their attacks, Clop operators first focus on extending their initial access to as many systems as possible and stealing sensitive and confidential documents from the victim organization, deploying the ransomware only once they know they have maximized their access to the compromised organization.
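The staged intrusion just described (initial access by spam e-mail, installer persistence, loader download, lateral movement, data theft, and only then the ransomware payload) is also what gives defenders their detection window: every stage before encryption is observable. The following Python script is an added example, not code from the ACSC or from the article, that correlates constructed endpoint events into incidents and reports which stage was reached, when the first pre-encryption alert should have fired, and how long that left before encryption. The event names, host names and log format are hypothetical and constructed for this example.

```python
"""Stage correlation for human-operated ransomware intrusions.

Added example (not from the ACSC advisory). Event names, hosts and the
log format below are constructed for illustration only.
"""
from datetime import datetime

# Hypothetical endpoint/network event names mapped onto the intrusion
# stages described in the article.
STAGE_OF = {
    "email_attachment_executed": "initial_access",  # spam campaign lands
    "persistence_created": "installer",            # installer sets persistence
    "component_downloaded": "loader",              # loader pulls more components
    "remote_admin_logon": "lateral_movement",      # spreading across the network
    "bulk_outbound_transfer": "exfiltration",      # documents stolen before encryption
    "mass_file_rename": "ransomware",              # final payload
}

# Stages at which an analyst should be paged before any encryption happens.
PRE_ENCRYPTION_ALERT_STAGES = {"loader", "lateral_movement", "exfiltration"}

# Constructed sample log (not real telemetry). A lateral-movement event
# carries src=<origin host> so the two hosts can be linked into one incident.
SAMPLE_LOG = """\
2020-11-02T08:15:00 host=ws-17 event=email_attachment_executed
2020-11-02T08:16:30 host=ws-17 event=persistence_created
2020-11-02T08:20:00 host=ws-17 event=component_downloaded
2020-11-05T22:40:00 host=fs-01 event=remote_admin_logon src=ws-17
2020-11-09T02:10:00 host=fs-01 event=bulk_outbound_transfer bytes=52000000000
2020-11-14T03:00:00 host=fs-01 event=mass_file_rename
2020-11-03T10:00:00 host=ws-22 event=persistence_created
"""


def parse_line(line):
    """Parse one 'timestamp key=value ...' line into a dict with a stage."""
    ts, *fields = line.split()
    rec = {"ts": datetime.fromisoformat(ts)}
    for field in fields:
        key, _, value = field.partition("=")
        rec[key] = value
    rec["stage"] = STAGE_OF.get(rec.get("event"), "unknown")
    return rec


def _group_by_incident(events):
    """Union-find over hosts: a lateral-movement event joins src and host."""
    parent = {}

    def find(host):
        parent.setdefault(host, host)
        while parent[host] != host:
            host = parent[host]
        return host

    for e in events:
        find(e["host"])
        if "src" in e:
            parent[find(e["src"])] = find(e["host"])
    groups = {}
    for e in events:  # events are already in time order
        groups.setdefault(find(e["host"]), []).append(e)
    return list(groups.values())


def verdict(stages):
    """Translate the stages reached into a triage decision."""
    if "ransomware" in stages:
        return "ransomware deployed"
    if PRE_ENCRYPTION_ALERT_STAGES & set(stages):
        return "pre-encryption intrusion: contain now"
    return "early-stage: investigate"


def assess(log_text):
    """Return one summary dict per correlated incident, earliest first."""
    events = sorted((parse_line(l) for l in log_text.splitlines() if l.strip()),
                    key=lambda e: e["ts"])
    incidents = []
    for evs in _group_by_incident(events):
        stages = []
        for e in evs:
            if e["stage"] not in stages:
                stages.append(e["stage"])
        first_alert = next((e["ts"] for e in evs
                            if e["stage"] in PRE_ENCRYPTION_ALERT_STAGES), None)
        encrypted = next((e["ts"] for e in evs if e["stage"] == "ransomware"), None)
        window = None
        if first_alert and encrypted:
            # Minutes between the first pageable stage and the final payload.
            window = int((encrypted - first_alert).total_seconds() // 60)
        incidents.append({
            "hosts": sorted({e["host"] for e in evs}),
            "first_seen": evs[0]["ts"],
            "stages": stages,
            "verdict": verdict(stages),
            "detection_window_minutes": window,
        })
    incidents.sort(key=lambda i: i["first_seen"])
    return incidents


if __name__ == "__main__":
    for inc in assess(SAMPLE_LOG):
        print(inc["hosts"], inc["verdict"], inc["stages"], inc["detection_window_minutes"])
```

On the constructed sample the ws-17/fs-01 chain reaches the ransomware stage roughly eleven and a half days after the loader download, the first event that should have paged an analyst; the isolated ws-22 persistence event is flagged for investigation only. The point of the example is that the "ransomware last" structure of these intrusions is precisely what makes the earlier stages worth alerting on.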
In addition, Clop operators often demand huge ransoms, amounting to hundreds of thousands or even millions of US dollars. If the victims do not pay, the ransomware gang publishes the stolen data on a data leak site.
Australia's cybersecurity agency warns of possible ransomware attacks targeting healthcare providers after the US government issued similar warnings to the US healthcare sector in late October.