Flashpoint, a cyber threat intelligence provider, has put together a list of 10 “takeaways” from the recent Cl0p attacks to help organizations handle fallout from the hacking syndicate's attacks.
What is Cl0p?
Cl0p, a Russian-linked hacking group, is known for its large ransom demands, at times starting at $3 million as an opening negotiating point. Its attacks are thought to have affected some 16 million people in more than 200 outfits by exploiting a vulnerability in the MOVEit large file transfer application.
Cl0p has encrypted data belonging to hundreds of universities, financial organizations and multinational corporations. Many of the disrupted organizations have apparently not applied available patches, leaving the door open for the Cl0p operatives. The crew has previously insisted it doesn't deliberately steal data from government organizations.
Last month, the U.S. State Department placed a $10 million bounty on Cl0p’s leader, seeking information tying the group to a foreign government.
“It’s now been more than a month since the Clop ransomware group — a notable adversary in the cyber threat landscape characterized by their technical proficiency, aggressive tactics, and adept use of publicity for intimidation — claimed credit for the compromises related to the MOVEit vulnerabilities. The group’s simultaneous extortion of hundreds of victims thrust them into uncharted territory, and the impact of their attacks, many of which have been confirmed, suggests that no sector is immune to this vulnerability.”
Flashpoint's Cl0p Takeaways
Here are the takeaways (some items have been lightly edited for brevity):
- Do not trust what ransomware groups say. They are untrustworthy and can twist facts to their advantage, even falsely claiming victims or confusing the name of their target with a company of a similar name.
- Ransomware groups do not care about due diligence, as seen in their inaccurate or misleading victim claims. Ransomware groups often use third-party data providers to source victim information, meaning that the information they post on their extortion sites may not correspond with actual corporate data.
- Ransomware groups thrive on media attention and generating news headlines. While some high-profile victims have garnered substantial attention, the usual focused pressure that ransomware groups apply to individual companies is not as effective in this instance. Numerous companies have been listed on the extortion site, yet the overall impact appears diluted due to the considerable number of victims affected by this campaign.
- Expect further targeting of widely used data-sharing technologies in an attempt to replicate Cl0p’s results. Cl0p has previously exploited vulnerabilities in data and file sharing software, as demonstrated through Accellion File Transfer Appliance (FTA), SolarWinds Serv-U FTP and Managed File Transfer, Fortra/Linoma GoAnywhere Managed File Transfer, and PaperCut Multifunction / Next Generation.
- Third-party breach monitoring is essential. Understanding your company’s exposure to third-party risk is an essential component of a ransomware or cyber extortion response plan.
- Ransomware groups like Cl0p typically do not invest substantial effort into maintaining the uptime or accessibility of their extortion sites. As a result, there are often difficulties accessing the data to begin with. This situation may actually serve the ransomware groups' interests, as the challenge in accessing information maintains ongoing attention and anxiety around their sites.
- Although the Cl0p attack stands out due to its wide reach and exploitation of a zero-day vulnerability, it's essential to note that these types of incidents still represent a minimal proportion of the overall extortion/ransomware attacks we encounter. A significant majority of ransomware and cyber extortion attacks are still initiated through more commonplace vectors.
- Cl0p is a technically sophisticated adversary, as evidenced by their identification and mass exploitation of the MOVEit vulnerability. Yet it remains unknown whether they discovered this vulnerability themselves or purchased the zero-day via the underground economy. While they have demonstrated an aptitude for evolving their methods to meet their ambitious objectives, the scale of their current operation poses remarkable challenges, even for a group of their caliber.
- Monitoring open-source breach disclosures is just as important as monitoring the leak sites of ransomware groups, as other victims often disclose their experiences, contributing to our understanding of the threat landscape. Additionally, this may help in understanding the total number of victims of a ransomware campaign, and the response of those organizations with operational ties to third parties that were claimed to have been breached.
- Never engage with these cyber criminals absent a robust, comprehensive strategy. A thoroughly formulated plan, coupled with organization-wide commitment, serves as the most effective means to achieving your organization’s desired end state.