Clop Ransomware, a notorious cybercriminal gang based in the United States, has recently changed its tactics to evade law enforcement surveillance. Instead of using traditional websites to sell stolen data, the gang has adopted a new strategy of leaking data related to the victims of the MoveIT cyber-attack through torrents.

This group made headlines after infiltrating the MoveIT software database on May 27th, 2023, compromising sensitive information from nearly 600 organizations worldwide. Subsequently, they demanded a ransom from the victims and then began leaking the victims’ details starting in June 2023. Initially, the leaked data was distributed through Clearweb websites accessible only via the TOR browser. However, the FBI and CIA took action against these sites, forcing Clop to find an alternative approach.

To circumvent law enforcement, Clop decided to use torrents to distribute the information stolen in the MOVEit attack. It began publishing magnet links for the remaining 20-27 victims, which not only helps the gang avoid detection but also addresses the slow transfer speeds of its leak sites.

Cybersecurity firm Coveware estimates that Clop could earn $60-$90 million in extortion payments with this latest move to torrent downloads.

Clop has a history of engaging in double extortion attacks, pressuring victims by disclosing breach details to the victimized company’s partners and customers. To exacerbate the situation, the gang often launches DDoS attacks on the victims’ networks, causing significant revenue losses and tarnishing the affected companies’ reputation.

This new tactic showcases the adaptability and sophistication of Clop Ransomware, making them a formidable threat to organizations’ cybersecurity and emphasizing the need for enhanced measures to counter such attacks.

The post CLOP Ransomware avoids takedowns by using torrents appeared first on Cybersecurity Insiders.

The Biden administration in the United States has introduced a rewards program following a cyber attack on multiple government agencies through the use of MoveIT software. The program aims to encourage individuals to provide credible information regarding the activities of those responsible for spreading the Clop Ransomware.

The information sought could include details about the malware operators, their physical location, IP addresses, as well as financial transactions and banking information associated with their activities. Individuals who provide information that aids law enforcement efforts will be eligible to receive a substantial cash reward of $10 million. The Rewards for Justice (RFJ) program, a specialized unit within the U.S. Department of State, will administer the cash prizes, with the goal of mitigating risks to national security in the United States.

The RFJ program was established to gather intelligence on various forms of terrorism that pose a threat to the American population. In the past, it has offered rewards for information on groups such as the Conti Ransomware gang, Russian Sandworm hackers, REvil Ransomware gang, Evil Corp Hacking group, and LockBit.

Recently, the Clop Ransomware group has been actively extorting money from its victims, with attacks commencing on May 27th, 2023, coinciding with Memorial Day. Media outlets have been reporting daily on companies falling victim to these sophisticated attacks.

In the most recent incidents, residents of Oregon and Louisiana have been alerted to the potential loss of their personal identities to cyber criminals. Official reports confirm that individuals in both states have fallen victim to a data breach, where hackers gained unauthorized access to and apparently stole sensitive information such as driver’s licenses, addresses, social security numbers, and vehicle details.

The Clop gang, primarily consisting of Russian-speaking individuals, targeted several high-profile entities, including the Department of Energy, British Airways, BBC, Johns Hopkins University, Shell Oil, the University of Georgia, and numerous other organizations.

It is worth noting that shortly after the government announced the reward program, the Clop gang removed some of the stolen content from its website.

The post Get a $10m reward for information about Clop Ransomware Gang appeared first on Cybersecurity Insiders.

Ransomware groups are constantly devising new methods for infecting victims and convincing them to pay up, but a couple of strategies tested recently seem especially devious. The first centers on targeting healthcare organizations that offer consultations over the Internet and sending them booby-trapped medical records for the “patient.” The other involves carefully editing email inboxes of public company executives to make it appear that some were involved in insider trading.

Alex Holden is founder of Hold Security, a Milwaukee-based cybersecurity firm. Holden’s team gained visibility into discussions among members of two different ransom groups: CLOP (a.k.a. “Cl0p” a.k.a. “TA505”), and a newer ransom group known as Venus.

Last month, the U.S. Department of Health and Human Services (HHS) warned that Venus ransomware attacks were targeting a number of U.S. healthcare organizations. First spotted in mid-August 2022, Venus is known for hacking into victims’ publicly-exposed Remote Desktop services to encrypt Windows devices.

Holden said the internal discussions among the Venus group members indicate this gang has no problem gaining access to victim organizations.

“The Venus group has problems getting paid,” Holden said. “They are targeting a lot of U.S. companies, but nobody wants to pay them.”

Which might explain why their latest scheme centers on trying to frame executives at public companies for insider trading charges. Venus indicated it recently had success with a method that involves carefully editing one or more email inbox files at a victim firm — to insert messages discussing plans to trade large volumes of the company’s stock based on non-public information.

“We imitate correspondence of the [CEO] with a certain insider who shares financial reports of his companies through which your victim allegedly trades in the stock market, which naturally is a criminal offense and — according to US federal laws [includes the possibility of up to] 20 years in prison,” one Venus member wrote to an underling.

“You need to create this file and inject into the machine(s) like this so that metadata would say that they were created on his computer,” they continued. “One of my clients did it, I don’t know how. In addition to pst, you need to decompose several files into different places, so that metadata says the files are native from a certain date and time rather than created yesterday on an unknown machine.”

Holden said it’s not easy to plant emails into an inbox, but it can be done with Microsoft Outlook .pst files, which the attackers may also have access to if they’d already compromised a victim network.

“It’s not going to be forensically solid, but that’s not what they care about,” he said. “It still has the potential to be a huge scandal — at least for a while — when a victim is being threatened with the publication or release of these records.”

The Venus ransom group’s extortion note. Image: Tripwire.com

Holden said the CLOP ransomware gang has a different problem of late: Not enough victims. The intercepted CLOP communication seen by KrebsOnSecurity shows the group bragged about twice having success infiltrating new victims in the healthcare industry by sending them infected files disguised as ultrasound images or other medical documents for a patient seeking a remote consultation.

The CLOP members said one tried-and-true method of infecting healthcare providers involved gathering healthcare insurance and payment data to use in submitting requests for a remote consultation on a patient who has cirrhosis of the liver.

“Basically, they’re counting on doctors or nurses reviewing the patient’s chart and scans just before the appointment,” Holden said. “They initially discussed going in with cardiovascular issues, but decided cirrhosis or fibrosis of the liver would be more likely to be diagnosable remotely from existing test results and scans.”

While CLOP as a money-making collective is a fairly young organization, security experts say CLOP members hail from a group of threat actors known as “TA505,” which MITRE’s ATT&CK database describes as a financially motivated cybercrime group that has been active since at least 2014. “This group is known for frequently changing malware and driving global trends in criminal malware distribution,” MITRE assessed.

In April 2021, KrebsOnSecurity detailed how CLOP helped pioneer another innovation aimed at pushing more victims into paying an extortion demand: emailing the ransomware victim’s customers and partners directly and warning that their data would be leaked to the dark web unless they could convince the victim firm to pay up.

Security firm Tripwire points out that the HHS advisory on Venus says multiple threat actor groups are likely distributing the Venus ransomware. Tripwire’s tips for all organizations on avoiding ransomware attacks include:

  • Making secure offsite backups.
  • Running up-to-date security solutions and ensuring that your computers are protected with the latest security patches against vulnerabilities.
  • Using hard-to-crack unique passwords to protect sensitive data and accounts, as well as enabling multi-factor authentication.
  • Encrypting sensitive data wherever possible.
  • Continuously educating and informing staff about the risks and methods used by cybercriminals to launch attacks and steal data.

While the above tips are important and useful, one critical area of ransomware preparedness overlooked by too many organizations is the need to develop — and then periodically rehearse — a plan for how everyone in the organization should respond in the event of a ransomware or data ransom incident. Drilling this breach response plan is key because it helps expose weaknesses in those plans that could be exploited by the intruders.

As noted in last year’s story Don’t Wanna Pay Ransom Gangs? Test Your Backups, experts say the biggest reason ransomware targets and/or their insurance providers still pay when they already have reliable backups of their systems and data is that nobody at the victim organization bothered to test in advance how long this data restoration process might take.

“Suddenly the victim notices they have a couple of petabytes of data to restore over the Internet, and they realize that even with their fast connections it’s going to take three months to download all these backup files,” said Fabian Wosar, chief technology officer at Emsisoft. “A lot of IT teams never actually make even a back-of-the-napkin calculation of how long it would take them to restore from a data rate perspective.”
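The “back-of-the-napkin calculation” Wosar describes is simple enough to script, and scripting it forces a team to write down its assumptions (dataset size, nominal link rate, how much of that rate a restore actually achieves, and the recovery-time objective). The Python below is an added example, not code from KrebsOnSecurity, Emsisoft or Tripwire; the dataset sizes, link speeds, efficiency factor and RTO in it are constructed sample values, not figures from any incident on this page.

```python
"""Restore-time estimator: how long does it take to pull a backup set of a
given size back over a link of a given speed, and does that fit inside the
recovery-time objective (RTO)?

Added example; not code from KrebsOnSecurity, Emsisoft or Tripwire. All
sizes, link rates, the efficiency factor and the RTO are constructed
sample values.
"""
from dataclasses import dataclass

# Decimal units, as vendors quote them: 1 PB = 10**15 bytes, 1 Gbps = 10**9 bit/s.
BYTES_PER_UNIT = {"GB": 10**9, "TB": 10**12, "PB": 10**15}
SECONDS_PER_DAY = 86_400


@dataclass
class RestoreEstimate:
    size_bytes: int
    link_bps: float
    efficiency: float  # fraction of the nominal line rate a restore really sustains
    seconds: float

    @property
    def days(self) -> float:
        return self.seconds / SECONDS_PER_DAY


def restore_seconds(size_bytes: int, link_bps: float, efficiency: float = 1.0) -> float:
    """Wall-clock seconds to move size_bytes over a link of link_bps bit/s."""
    if size_bytes < 0 or link_bps <= 0 or not 0 < efficiency <= 1:
        raise ValueError("size must be >= 0, link speed > 0, efficiency in (0, 1]")
    return size_bytes * 8 / (link_bps * efficiency)


def estimate(size: float, unit: str, link_gbps: float, efficiency: float = 1.0) -> RestoreEstimate:
    """Estimate for a backup set of `size` `unit` (GB/TB/PB) over a link_gbps link."""
    size_bytes = int(size * BYTES_PER_UNIT[unit])
    link_bps = link_gbps * 10**9
    return RestoreEstimate(size_bytes, link_bps, efficiency,
                           restore_seconds(size_bytes, link_bps, efficiency))


def required_gbps(size_bytes: int, rto_days: float, efficiency: float = 1.0) -> float:
    """Nominal link rate (Gbps) needed to finish a restore within rto_days."""
    if rto_days <= 0:
        raise ValueError("RTO must be positive")
    return size_bytes * 8 / (rto_days * SECONDS_PER_DAY * efficiency) / 10**9


def meets_rto(est: RestoreEstimate, rto_days: float) -> bool:
    return est.days <= rto_days


if __name__ == "__main__":
    # Constructed scenarios: a few dataset sizes against a few link rates,
    # assuming a restore sustains only 70% of the nominal rate.
    rto_days = 3.0
    print(f"RTO = {rto_days:g} days, assumed efficiency = 70%")
    for size, unit in ((100, "TB"), (1, "PB"), (2, "PB")):
        for gbps in (1.0, 2.0, 10.0):
            est = estimate(size, unit, gbps, efficiency=0.7)
            verdict = "OK" if meets_rto(est, rto_days) else "MISSES RTO"
            print(f"{size:>4} {unit} over {gbps:>4g} Gbps: {est.days:8.1f} days  {verdict}")
        need = required_gbps(int(size * BYTES_PER_UNIT[unit]), rto_days, efficiency=0.7)
        print(f"      -> to meet the RTO you need about {need:.0f} Gbps sustained")
```

Running it shows why the quote above is not an exaggeration: two petabytes over a fully utilised 1 Gbps link is about 185 days, and at 2 Gbps it is about 93 days, roughly the “three months” Wosar mentions. Meeting even a three-day RTO for that volume needs a link on the order of 60 Gbps, which is why the restore path (local copies, seeded hardware, prioritised restore order) has to be tested before an incident rather than discovered during one.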

A ransomware strain named Play has hit an entire judiciary system, forcing officials to keep its IT systems shut down since August 13th, 2022. The Judiciary of Cordoba, Argentina, a government service, was hit by the malware last week, leaving officials to fall back on pen and paper to file official documents and carry out other administrative tasks.

Cadena 3, an Argentine news outlet, confirmed the attack on the judiciary and reported that a cyberattack contingency plan was activated to recover the IT systems and online portal.

Sources confirm that Microsoft, Cisco, Trend Micro and a third-party firm were hired to investigate the attack.

How the ransomware entered the Court of Cordoba’s IT infrastructure is still under investigation; unconfirmed sources suspect an insider. Because all of the encrypted files carry the .play extension, Cadena 3 concluded that the attack was likely carried out by the Play ransomware group, which was first observed in June 2022.

The other ransomware-related news trending on Google concerns a water utility that supplies drinking water to customers.

South Staffordshire Water says that cyber criminals belonging to a known extortion gang tried to compromise the water supplied to Cambridge Water and South Staffs Water customers. However, the criminals failed to take control of the supply systems, as the utility had robust cyber security measures in place to contain and neutralize such incidents.

The CLOP ransomware gang is suspected of being behind the attack, as it has posted on the dark web documents it claims to have siphoned from South Staffordshire’s servers.

More details are awaited!

 

The post Play Ransomware attack news and Extortion Attempt on Water utility appeared first on Cybersecurity Insiders.

The CLOP ransomware gang targeted more than 21 organizations between March and April this year, and the number may grow as time goes on. According to a survey conducted by NCC Group, CLOP returned in February this year from a hiatus of almost 16 months and is now going exclusively after the industrial sector.

CLOP has mostly been seen infecting firms operating in the industrial sector, mainly those partnering with US companies.

In June last year, CLOP gang members announced that they were shutting down their business because earnings from cyber attacks had dropped drastically, thanks to law enforcement groups such as CISA, the FBI, the NCSC and Europol. As agencies such as INTERPOL tightened the noose around those laundering cryptocurrency, it became harder for the hackers to extract money from targets.

Recently, after the start of the war between Russia and Ukraine, six CLOP gang members were arrested by Ukrainian authorities following searches in various districts of Kyiv.

Intel 471 states that CLOP claimed approximately 7 victims in 2019, including the software giant Software AG, ExecuPharm, Indiabulls, Maastricht University and Accellion.

Britain has also tightened the noose around gangs spreading file-encrypting malware and is using a range of techniques to block their earnings.

Such steps have worked in favor of the Biden-led government, as several ransomware gangs, including CONTI, have announced that they are leaving the business because of a significant drop in earnings.

CLOP was on hiatus until January this year and probably regained strength after the start of Putin’s war against the Zelensky-led nation, as it appears to have resumed its notorious operations in March 2022.

 

The post CLOP Ransomware targets 21 victims in a single month appeared first on Cybersecurity Insiders.