Hijacking Data Highways - CL0P Ransomware's Attacks on Secure File Transfer Tools

Published on 31 Aug 2023

OVERVIEW

This article examines the activities, capabilities and tactics of the notorious Cl0p ransomware gang, a cybercriminal group that has claimed responsibility for a series of cyber-attacks involving secure file transfer tools since the end of 2020. By exploiting zero-day vulnerabilities in these file transfer tools, Cl0p has stolen data belonging to hundreds of organisations around the world, often surprising cybersecurity researchers with the scale and novelty of their attacks.

HISTORY & TACTICS OF CL0P RANSOMWARE 

Cl0p ransomware first emerged in February 2019, operating under the Ransomware-as-a-service (RaaS) model. According to cybersecurity researchers, Cl0p’s operators appear to be Russian-speaking, but not linked to the Russian state.

Cl0p gained infamy following several high-profile attacks on large organisations, including a Dutch university in 2019, and a US-based pharmaceutical giant in 2020. Over time, the number of victims publicly listed on Cl0p’s dedicated leak site has grown, and the gang’s extortion tactics have also become more sophisticated and effective. 

In June 2021, a global coalition involving law enforcement and private partners across five continents led to the arrests of six suspected Cl0p members. Following the arrests, researchers observed a general slowdown – though not a complete halt – of the group’s activities. 

A highly versatile group, Cl0p has been observed making frequent changes to its malware and extortion methods over the years. For example, while the group was initially known for its use of the ‘double extortion’ tactic of both encrypting and stealing victim data, its recent high-profile campaigns have predominantly adopted a more efficient “smash-and-grab”, data exfiltration-only tactic, which involves extorting victims by threatening to publish stolen data, without necessarily encrypting their files. This reduces both the complexity of the attack and the time it takes, potentially enabling the group to hit more victims quickly before the exploited vulnerability is patched. 


SUPPLY-CHAIN ATTACKS: CL0P’S SPECIALITY? 

In December 2020, Cl0p claimed that they had managed to gain access to and exfiltrate user data from the Accellion File Transfer Application (FTA), by exploiting zero-day vulnerabilities in the legacy file transfer platform. More than 100 organisations around the world, including local telecommunications firm Singtel, were reportedly affected by the breach. Following the attack, Cl0p threatened victims with publishing the stolen data online, unless a hefty ransom was paid. Cl0p allegedly managed to extort large ransom payments from victims. According to cyber extortion incident response firm Coveware, Cl0p managed to successfully obtain “tens of millions of dollars” from dozens of their victims. Coveware reported that the Accellion FTA attack could have led to a 43% rise in average ransom payments during the first quarter of 2021. 

2023 saw another two separate high-profile attacks by Cl0p on secure file transfer systems. In February, Cl0p announced that it had exfiltrated user data from organisations using Fortra’s GoAnywhere Managed File Transfer (MFT) system. The group had allegedly exploited a zero-day vulnerability in some deployments of the GoAnywhere MFT service to create unauthorised user accounts, before using these accounts to download files from hosted customer environments. Around 130 organisations were reportedly affected by the attack, including cybersecurity company Rubrik, US healthcare giant Community Health Systems, the City of Toronto, and Hitachi Energy. 
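The attack chain described above (and the exfiltration-only tactic described earlier) leaves a recognisable trace in a file transfer server’s audit log: an account is created, and shortly afterwards that same account pulls a large volume of files. The following script is an added example written for this article, not code from the article, from Cl0p, or from Fortra or Progress Software. It parses a simple, constructed audit log format (the real GoAnywhere and MOVEit log formats differ) and flags accounts that begin bulk downloads within a short window of their creation. The window and the file-count and byte thresholds are assumed values a defender would tune to their own environment.

```python
"""Flag newly created file-transfer accounts that start bulk downloads soon after creation."""
import re
from datetime import datetime, timedelta

# Constructed sample audit log (hypothetical generic format, not a vendor's real format).
# backup_admin is created by a web-service identity and immediately downloads three large files;
# bob is created by a human administrator and downloads one small file; alice is a pre-existing user.
SAMPLE_LOG = """\
2023-01-28T02:11:05Z ACCOUNT_CREATE actor=svc_web user=backup_admin role=admin
2023-01-28T02:12:40Z FILE_DOWNLOAD user=backup_admin path=/shares/finance/q4.xlsx bytes=2400000
2023-01-28T02:12:41Z FILE_DOWNLOAD user=backup_admin path=/shares/hr/payroll.csv bytes=910000
2023-01-28T02:12:43Z FILE_DOWNLOAD user=backup_admin path=/shares/legal/contracts.zip bytes=7500000
2023-01-28T09:30:00Z FILE_DOWNLOAD user=alice path=/shares/finance/q4.xlsx bytes=2400000
2023-01-28T10:00:00Z ACCOUNT_CREATE actor=it_admin user=bob role=user
2023-01-28T10:05:00Z FILE_DOWNLOAD user=bob path=/shares/public/handbook.pdf bytes=12000
"""

LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<event>[A-Z_]+) (?P<kv>.*)$")


def parse_line(line):
    """Parse one 'timestamp EVENT key=value ...' line into a dict, or None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    fields = dict(kv.split("=", 1) for kv in m.group("kv").split())
    return {
        "ts": datetime.strptime(m.group("ts"), "%Y-%m-%dT%H:%M:%SZ"),
        "event": m.group("event"),
        **fields,
    }


def find_suspicious_accounts(log_text, window=timedelta(hours=24),
                             min_files=3, min_bytes=5_000_000):
    """Return accounts whose downloads within `window` of their creation exceed either threshold.

    Thresholds (window, min_files, min_bytes) are assumed defaults, not vendor guidance.
    """
    events = [e for e in (parse_line(l) for l in log_text.splitlines()) if e]
    created = {}    # account name -> its ACCOUNT_CREATE event
    downloads = {}  # account name -> list of FILE_DOWNLOAD events
    for e in events:
        if e["event"] == "ACCOUNT_CREATE":
            created[e["user"]] = e
        elif e["event"] == "FILE_DOWNLOAD":
            downloads.setdefault(e["user"], []).append(e)

    findings = []
    for user, c in created.items():
        # Only downloads that happen after creation and inside the detection window count.
        in_window = [d for d in downloads.get(user, [])
                     if c["ts"] <= d["ts"] <= c["ts"] + window]
        total = sum(int(d["bytes"]) for d in in_window)
        if len(in_window) >= min_files or total >= min_bytes:
            findings.append({
                "user": user,
                "created_by": c.get("actor"),
                "created_at": c["ts"].isoformat(),
                "files": len(in_window),
                "bytes": total,
            })
    return findings


if __name__ == "__main__":
    for f in find_suspicious_accounts(SAMPLE_LOG):
        print(f"SUSPICIOUS: {f['user']} created by {f['created_by']} at {f['created_at']} "
              f"downloaded {f['files']} files / {f['bytes']} bytes shortly after creation")
```

On the constructed log only backup_admin is reported: three files totalling 10,810,000 bytes within two minutes of creation, created by a service identity rather than an administrator. The same correlation can be run against real audit exports once the parser is adapted to the product’s log format; the point is to alert on the create-then-download sequence rather than on either event alone.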

Most recently, in June, Cl0p claimed responsibility for a breach of Progress Software’s MOVEit secure file transfer system. The breach was especially devastating as MOVEit is an approved and accredited secure file transfer service which meets various regulatory compliance requirements for government agencies and regulated industries, and is therefore commonly used by organisations to transfer sensitive data. According to Emsisoft, as of 23 August 2023, at least 975 organisations were affected by the breach, including energy giant Shell, British broadcaster BBC, and the US Department of Energy. Emsisoft further estimates that at least 58 million individuals could have had their data exposed by the attack, placing the potential cost of the breach at US$9.7 billion[1].


Figure 1: An extract of the published ransomware note from Cl0p. The group claimed responsibility for the MOVEit breach and threatened victims that their data would be published unless they came forward to negotiate ransom payments. 


KEY TAKEAWAYS

While Cl0p stands out in both the scale and sophistication of its recent attacks, it is not the only ransomware group of concern. Globally, cybercriminal gangs continue to evolve and optimise their tactics, with the aim of securing more and bigger payouts from victims. More significantly, Cl0p’s use of zero-day exploits and supply-chain attacks demonstrates the guile and sophistication of large cybercriminal organisations. It is also clear evidence that such attacks are no longer restricted to the exclusive arsenals of well-resourced state-sponsored hacking groups.

In recognition of the pervasive and multi-disciplinary nature of the ransomware challenge, the Singapore Government convened an inter-agency Counter-Ransomware Task Force (CRTF) in 2022 to develop recommendations that will serve as a blueprint for Singapore to counter ransomware effectively. The CRTF brought together government agencies across relevant domains, capabilities and operational plans to strengthen Singapore’s counter-ransomware efforts and put Singapore in a better position to push for international action against the global ransomware threat. 

Prevention is key to avoiding falling victim to ransomware. Companies and individuals are encouraged to do their part by securing their systems and backing up critical data regularly. For more information on how to protect your systems and data from ransomware attacks, please refer to SingCERT’s advisory.

[1] According to IBM, data breaches cost an average of US$165 per record.

REFERENCES: BleepingComputer, Coveware, Cybersecurity Dive, Emsisoft, SecurityWeek, TechCrunch, The Record from Recorded Future News, Trend Micro, US Cybersecurity and Infrastructure Security Agency (CISA)