Clop: Behind MOVEit Lies a Loud, Adaptable and Persistent Threat Group

July 11, 2023

The MOVEit cyber-attack continues to grow, with more organizations falling victim every day. Brett Callow, a threat analyst at Emsisoft, counted 257 organizations and 17,750,524 individuals impacted by the attack on July 11, 2023.

Meanwhile, the Clop ransomware group, which is reportedly responsible for the attack, keeps adding names to the list of victims on its leak site, with newer ones including big financial companies (Deutsche Bank, ING Bank and Post Bank) and 25 US schools.


David Wallace, a senior threat intelligence analyst at Sophos, took a deep dive into Clop’s background and activity as well as its tactics, techniques and procedures (TTPs) in an article published on July 10. 

Clop, Ransomware and Threat Actor

Clop, also spelled Cl0p, translates as ‘bedbug’ in Russian – “an adaptable, persistent pest,” Wallace insisted in his post. The name originally referred to a variant of the CryptoMix ransomware family first identified in 2019, which MITRE tracks as S0611.

The threat group behind Clop is a financially-motivated organization believed to currently operate from Russian-speaking countries, “though it was known to operate in both Russia and Ukraine prior to 2022,” Wallace said.

The Clop ransomware gang has ties with various threat groups, including TA505 and FIN11. Wallace noted that a recent advisory from the FBI and the US Cybersecurity and Infrastructure Security Agency (CISA) stated that Clop and TA505 refer to the same group, but others suggest the three simply overlap or that FIN11 is a subset of TA505.

Clop has recently collaborated with other groups like DarkSide and FIN7, using its ransomware as a service (RaaS) toolkit for point-of-sale attacks or plain old-fashioned exploitation.

Clop Prefers High-Profile Victims

Clop’s preferred targets are larger companies (over $5m annual revenue) located in North and Latin America, Europe and Asia-Pacific – although some of its recent supply chain attacks have impacted smaller organizations in other markets, too. The group typically attacks its victims during holidays.

When first observed, the group relied mainly on phishing attempts, brute forcing and exploiting known vulnerabilities.

They were among the first threat groups to use a ‘double extortion’ strategy, in which an adversary threatens to publish critical data on a leak site – the ‘CL0P^_- LEAKS’ site, which is accessible via a Tor hidden service – if the victim refuses to pay. This was initially used as an additional way of exerting pressure on victims, alongside the promise to decrypt the data that had previously been encrypted, but Clop and other threat actors seem to have recently been moving away from decrypting data altogether.

According to Wallace, the group is also known for its innovative techniques: “It was, for instance, among the first to use the tactic of emailing customers and partners of a compromised site to demand that they, too, pressure the compromised target to pay – and aggressive, preferential targeting of large organizations. It’s part of infosec history as the source of the first known ransomware demand of over $20m, against Software AG in October 2020.”

Clop’s involvement in the exploitation of a critical zero-day vulnerability (CVE-2023-34362) in Progress Software’s MOVEit Transfer is the third such effort ascribed to Clop during the first half of 2023, after the GoAnywhere incident in February and the PaperCut incident in April.

“Some of those efforts appear opportunistic, either resulting from a sale of the group’s own ransomware tooling or from collaboration with other groups. Others, such as MOVEit itself, appear to be the culmination of a long-term tech effort and refinement process by the group. […] Of note is the group’s consistent and aggressive recent targeting of file-transfer services, which tend to handle data from a variety of systems and thus could be considered a vulnerable point in many supply chains,” reads Wallace’s blog post.

Clop is regularly connected to high-profile attacks such as the 2021 Accellion File Transfer Appliance (FTA) campaign, as well as GoAnywhere and the multi-vulnerability MOVEit campaign, which impacted large companies like the BBC, British Airways, Sony, Siemens Energy, EY and PwC, along with the ones previously mentioned.

In the case of the MOVEit attack, Clop wants to directly engage with its victims to negotiate the ransom, although “as recently as July 3, Sophos is not aware of any victims actually paying the ransom,” Wallace added.

Many government agencies worldwide were also impacted by the MOVEit attack. However, in mid-June, Clop issued a statement telling entities affected by the attack, “If you are a government, city or police service do not worry, we erased all your data. You do not need to contact us. We have no interest to expose such information.”

The US government offers a bounty of up to $10m for information on the threat group.
