Corvus Insights Blog | Smart Cyber Insurance

CL0P Ransomware Gang: Here’s What You Need to Know

Written by Corvus Threat Intel & Risk Advisory | 08.31.23

For the fifth month in a row, more than 300 global victims were posted to ransomware leak sites. In July, the ransomware gang CL0P was responsible for 35% of all posted victims, thanks to the long tail of the MOVEit zero-day exploit.

While headlines have slowed (finally), the past two months have been cluttered with word of new and notable victims. So, even as the world moves on, hundreds of businesses — and millions of individuals — are grappling with the consequences of CL0P’s record-breaking exploit, and Progress Software, the company behind MOVEit, faces at least 13 lawsuits in response to “poor security.” 

Now that the dust has settled on CL0P’s second big zero-day exploit this year, let’s take a moment to reflect on what happened, why it happened, and how to mitigate fallout from similar zero-days in the future. 

CL0P's Type: File Transfer Software 

The notorious ransomware gang, CL0P (also known as TA505 and FIN11), isn’t new to the scene. While they’ve been active since 2019, their proclivity for driving the news cycle is a more recent development. CL0P’s attacks have always been recognizably sophisticated, but the pivot to exploiting zero-day vulnerabilities within file transfer software has escalated their notoriety to dark-web celebrity status. 

Before their transition to mass exploits, CL0P relied on double extortion tactics (encrypting data and publishing stolen information to their leak site). Other signs of a CL0P ransomware attack? Digitally signed binaries designed to evade endpoint detection and response (EDR) tools, multiple computers infected at once, and code that aborted the attack once a Russian-language character set was detected on the machine.

So, if they were relatively successful before, why the pivot in execution?

The money doesn’t hurt. It’s estimated they will collect over $75 million from the MOVEit campaign alone. Reports of these massive payouts suggest that even if fewer victims are willing to pay, CL0P can compensate by charging the willing ones significantly higher ransoms. Plus, they’ve been working on diversifying their revenue streams for a long time. Kroll’s forensic review discovered activity suggesting that CL0P threat actors had been experimenting with ways to exploit the MOVEit vulnerability as early as 2021.

But after two successful attacks on file transfer software in the last year, CL0P may have attracted some unwanted attention. 

The Cybersecurity and Infrastructure Security Agency (CISA) partnered with the FBI to issue a $10 million reward to anyone with information related to the CL0P ransomware gang. Given the success of these recent exploits, other ransomware gangs are likely to follow the same playbook — and that’s bad news for everyone (except, well, the criminals).

A Pattern, Not a Coincidence 

Why is CL0P so interested in going after file transfer software and why will it likely happen again? The short answer is ROI. 

If you’re going to spend years investing in a mass exploit, you’re going to want to make it count. Large businesses — many of them victims in the recent MOVEit attack — often use file transfer software to securely send sensitive data back and forth. Exploiting file transfer software, versus breaking into an organization’s environment and circumventing several layers of defenses, saves threat actors a lot of time.

With one successful exploit, file transfer software offers a straight path to the data threat actors want, as well as an abundance of downstream access to customers. Gigabytes of sensitive data are right there. And with few indicators of compromise, CL0P had ample opportunities to collect the information they needed.

Accellion

In March 2021, CL0P dipped its toes in the “file transfer software exploit” waters. At the time, Accellion File Transfer Appliance (FTA) was used by 300 businesses worldwide. CL0P chained several zero-day vulnerabilities to install a web shell on internet-facing Accellion FTA servers. High-profile victims included Stanford University, Shell, Kroger, and Morgan Stanley. As part of the breach (and now par for the course), CL0P posted private information, like names, addresses, and even Social Security numbers, to their leak site. If victims don’t want their data exposed, they need to pay up.

After the attack, many believed that CL0P was getting too popular for their own good. But two years later, they came back bigger. 

GoAnywhere

In January 2023, CL0P targeted a zero-day vulnerability in the GoAnywhere MFT platform. Over the course of 10 days, they exfiltrated data from over 100 victims and sent ransom notes to upper-level executives at the victim companies. They used a toolkit with various malware types, including Cobalt Strike (a penetration testing tool also used by incident response teams).

At the time of the GoAnywhere exploit, it’s believed that CL0P threat actors already had an exploit for the MOVEit Transfer vulnerability, but decided to prolong their attacks — and time in the spotlight? — as opposed to doing both simultaneously.

MOVEit Zero-Day Fallout

And the hits just keep on comin’. 

To date, MOVEit is the most consequential file transfer attack ever recorded. Since the initial exploit over Memorial Day weekend, CL0P has listed 263 victims on their leak site. And to add fuel to the fire? Progress Software announced several additional vulnerabilities following the initial exploit. While none of those follow-on vulnerabilities has been exploited so far, they certainly gave at-risk organizations no time to catch their breath.

Some big names impacted by MOVEit include Deutsche Bank, the US Department of Energy, TJX Companies, and Estee Lauder Companies. Later, BBC and British Airways fell victim to the exploit as well — because their payroll vendor, Zellis, was hacked first.


Safeguard Your Organization

With so many types of file transfer software out there, catastrophic zero-day exploits like these may feel like they’re hitting a bit too close to home. As we watch victim counts multiply, it’s hard not to feel a sense of dread over the state of the threat landscape. But on the bright side, businesses can take several security measures to withstand increasingly innovative cybercriminals:

Patch management

  • While zero-day exploits don’t provide much (or any) advance notice, no one wants to become an easy victim. When critical vulnerabilities are announced, determine which are most likely to harm your organization. Anything that permits potential unauthorized access to your environment is a priority to patch, and that especially includes file transfer software. If a patch isn’t yet available, follow any mitigation measures provided by the vendor.

Store data only as long as necessary

  • If you leave sensitive data in file transfer solutions indefinitely, threat actors get an uncontested slam dunk if they gain access to your environment. Your organization should have intentional processes in place around data retention, such as limiting what the platform exposes to the internet and setting file expiration dates within the file transfer platform.
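The file-expiration step above can be enforced on the transfer share itself when the platform offers no built-in expiry. The following is an added example, not Corvus’s or any vendor’s code; the folder names, retention windows and sample files are constructed assumptions.

```python
import os
import tempfile
import time
from pathlib import Path

# Retention window in days per top-level folder of the transfer share.
# These values are constructed for the example; tune them to your own policy.
RETENTION_DAYS = {"inbound": 7, "outbound": 30}
DEFAULT_RETENTION_DAYS = 14


def expired_files(root, now=None, policy=RETENTION_DAYS, default_days=DEFAULT_RETENTION_DAYS):
    """Return files under `root` older than the retention window of their top-level folder."""
    now = time.time() if now is None else now
    root = Path(root)
    expired = []
    for path in root.rglob("*"):
        if not path.is_file():
            continue
        top_folder = path.relative_to(root).parts[0]
        limit_seconds = policy.get(top_folder, default_days) * 86400
        if now - path.stat().st_mtime > limit_seconds:
            expired.append(path)
    return sorted(expired)


def enforce_retention(root, dry_run=True, **kwargs):
    """Delete expired files, or only report them when dry_run is True. Returns the affected paths."""
    targets = expired_files(root, **kwargs)
    for path in targets:
        print(f"{'would remove' if dry_run else 'removing'}: {path}")
        if not dry_run:
            path.unlink()
    return targets


def demo():
    """Build a constructed transfer share in a temp dir, enforce retention, return what was removed."""
    now = time.time()
    share = Path(tempfile.mkdtemp(prefix="mft-retention-demo-"))
    # Constructed sample files: relative path -> age in days.
    samples = {"inbound/payroll.csv": 10, "inbound/fresh.csv": 1,
               "outbound/report.pdf": 20, "archive/old.zip": 40}
    for rel, age_days in samples.items():
        f = share / rel
        f.parent.mkdir(parents=True, exist_ok=True)
        f.write_text("constructed sample content")
        stamp = now - age_days * 86400
        os.utime(f, (stamp, stamp))
    removed = enforce_retention(share, dry_run=False, now=now)
    return [p.relative_to(share).as_posix() for p in removed]
```

Run it with `dry_run=True` first from a scheduled job so the report can be reviewed before anything is deleted.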

Encrypt your data

  • Data should be encrypted in transit and at rest, and encryption keys should be stored separately from the encrypted data.

The bottom line

If you use file transfer software of any kind, you should be paying attention. With the right risk mitigation steps, you can be better prepared for the unexpected.