CL0P Like to MOVEit MOVEit

2024-07-18

Who are CL0P?

CL0P are a ransomware group who were first identified in 2019. Unlike many other ransomware groups they did not initially have their own leak site (a website, usually on the dark web, on which stolen data is published to pressure victims), finally creating one in March 2020. The group use a variant of the CryptoMix ransomware, known to be used by a threat actor tracked as TA505. At first the group deployed the ransomware through malicious spam campaigns, but as they grew and developed they moved on to directly targeting executives at high-profile companies. Once they had taken data from an organisation a link would be sent to start negotiations, with the threat that the stolen data would be published should they be ignored and the ransom remain unpaid.

In June 2021, six people believed to be members of the CL0P ransomware group were arrested as part of a joint operation called Op Cyclone, coordinated by Interpol's Cyber Fusion Centre in Singapore in partnership with Ukrainian and South Korean authorities. The arrests did not stop the group, and in mid-2023 they caused the world to take notice with the MOVEit attack. Although it is widely described as a ransomware attack, no files were encrypted: it was a mass data-theft campaign followed by extortion.

More about MOVEit

MOVEit is managed file transfer (MFT) software produced by Ipswitch, Inc., part of the US-based company Progress Software. It is sold both as self-hosted software (MOVEit Transfer) and as a hosted service (MOVEit Cloud). The application is used by organisations across the world in a variety of industries including banking, healthcare, insurance, manufacturing and education, as well as by governments and public sector organisations. It allows organisations to encrypt and transfer sensitive data, and provides activity tracking, tamper-evident logging and centralised access controls.

How did it happen?

The attack on MOVEit Transfer is believed to have begun on Saturday 27th May 2023, over the US Memorial Day weekend, through a zero-day vulnerability later assigned CVE-2023-34362. A zero-day vulnerability is one that is exploited before the software provider knows about it or has released a patch (patching is the process of updating software to fix bugs and other issues such as vulnerabilities); until a patch exists, every exposed installation is open to exploitation. CL0P used it to carry out one of the biggest extortion campaigns of 2023 (if not, in fact, the largest), obtaining customer and employee data from many organisations, mainly headquartered in the United States of America. Progress released an initial fix within days and further patches in stages as related vulnerabilities were found, with the last of the four released on 5th July 2023. Not all customers applied the patches (which is not uncommon, a fact that is often exploited by bad actors), although in this case the evidence suggests that most of the damage was done in the first days, before the initial patch was available.

The vulnerability was a SQL injection flaw in the MOVEit Transfer web application. SQL injection occurs when input supplied by a user is placed into a database query without proper validation, letting an attacker change what the query does. CL0P chained this into code execution on the server and dropped a webshell into the MOVEit Transfer web root, next to the legitimate human.aspx page, under the name human2.aspx. A webshell is a malicious script placed on a web server that allows an attacker to keep access to it and remotely execute commands. Through the webshell they were able to enumerate users and download any file stored on the MOVEit Transfer instance.
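The practical question for a defender after reading the above is how to tell whether a MOVEit Transfer host was hit. The following is an added example, not code from the original article or from Progress: it parses IIS logs in W3C format, flags requests for the published human2.aspx webshell name and for any other .aspx page a stock install would not serve, counts flagged requests per client, and compares a web root directory listing against the same expected-page list. The log lines, client addresses, the web root path and the list of expected pages are constructed for illustration; the real allowlist should be built from a clean install of the same version.

```python
"""Added example: triage IIS logs and the web root of a MOVEit Transfer host for
the webshell pattern described above. Not from the original article or Progress;
all sample data below is constructed."""
from collections import Counter

# Published indicator for this campaign: the webshell was written to the MOVEit
# Transfer web root as human2.aspx, next to the legitimate human.aspx.
KNOWN_WEBSHELL_NAMES = {"human2.aspx"}

# Assumption for illustration: pages a stock install is expected to serve.
# Build the real allowlist from a clean install of the same version.
EXPECTED_PAGES = {"human.aspx", "machine.aspx", "guestaccess.aspx", "default.aspx"}


def parse_iis_log(text):
    """Parse W3C extended-format IIS log text into dicts keyed by the #Fields names."""
    fields, rows = None, []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        if line.startswith("#Fields:"):
            fields = line[len("#Fields:"):].split()
            continue
        if line.startswith("#"):
            continue  # other directives (#Software, #Date, ...)
        if fields is None:
            raise ValueError("log data before #Fields header")
        values = line.split()
        if len(values) != len(fields):
            continue  # skip a malformed line rather than misalign columns
        rows.append(dict(zip(fields, values)))
    return rows


def classify_request(row):
    """Return a finding label for one request, or None if it looks benign."""
    stem = row.get("cs-uri-stem", "").lower()
    name = stem.rsplit("/", 1)[-1]
    if not name.endswith(".aspx"):
        return None
    if name in KNOWN_WEBSHELL_NAMES:
        # 200 means the shell answered; any other status is a probe for it
        return "known-webshell" if row.get("sc-status") == "200" else "webshell-probe"
    if name not in EXPECTED_PAGES:
        return "unexpected-aspx"
    return None


def triage_log(text):
    """Run classify_request over a whole log and return the flagged rows with labels."""
    findings = []
    for row in parse_iis_log(text):
        label = classify_request(row)
        if label:
            findings.append({"reason": label, "client": row.get("c-ip"),
                             "uri": row["cs-uri-stem"], "status": row.get("sc-status"),
                             "when": f"{row.get('date')} {row.get('time')}"})
    return findings


def suspicious_clients(findings):
    """Count flagged requests per client address, most active first."""
    return Counter(f["client"] for f in findings).most_common()


def unexpected_webroot_files(filenames):
    """Given the file names in the web root, return .aspx files a stock install
    would not contain (again, compare against a clean install in practice)."""
    return sorted(n for n in filenames
                  if n.lower().endswith(".aspx") and n.lower() not in EXPECTED_PAGES)


# Constructed sample log; client addresses are documentation ranges, not real hosts.
SAMPLE_LOG = """#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port c-ip cs(User-Agent) sc-status
2023-05-27 22:14:09 10.0.0.5 GET /human2.aspx - 443 198.51.100.23 Mozilla/5.0 200
2023-05-27 22:15:40 10.0.0.5 POST /human2.aspx - 443 198.51.100.23 Mozilla/5.0 200
2023-05-28 08:01:12 10.0.0.5 GET /human.aspx OrgID=1 443 192.0.2.10 Mozilla/5.0 200
2023-05-28 08:02:30 10.0.0.5 GET /human2.aspx - 443 203.0.113.7 python-requests/2.31 404
2023-05-28 08:03:01 10.0.0.5 GET /files/report.pdf - 443 192.0.2.10 Mozilla/5.0 200
2023-05-28 09:10:45 10.0.0.5 POST /upload2.aspx - 443 198.51.100.23 Mozilla/5.0 200
"""

# Constructed directory listing of the web root (assumed path C:\MOVEitTransfer\wwwroot).
SAMPLE_WEBROOT = ["human.aspx", "machine.aspx", "human2.aspx", "web.config", "upload2.aspx"]

if __name__ == "__main__":
    hits = triage_log(SAMPLE_LOG)
    for h in hits:
        print(f"{h['when']} {h['client']:>15} {h['reason']:<16} {h['uri']} ({h['status']})")
    print("flagged requests per client:", suspicious_clients(hits))
    print("unexpected files in web root:", unexpected_webroot_files(SAMPLE_WEBROOT))
```

On the sample data the script flags two successful requests to human2.aspx and one to an unknown upload2.aspx from the same client, plus a 404 probe for human2.aspx from a second address, and reports human2.aspx and upload2.aspx as files that should not be in the web root. A 404 for the shell name is worth recording too: it shows someone scanning for the shell even if this host was never compromised.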

CL0P gave organisations until 14th June 2023 to get in touch and negotiate a ransom, backed by the threat of leaking their stolen data should they not comply. From June 2023 CL0P began to leak data in waves, publishing it on their leak site. It is still unclear exactly how many organisations are affected, but as of December 2023 the number is believed to be over 2,600.

In addition to the organisations using the MOVEit software directly, the attack indirectly affected third parties through their supply chains and customer relationships, potentially exposing the personal data of more than 90 million individuals.

The Victims

Following the attack, CL0P released a statement saying that they had no interest in exposing data from governments, municipalities or law enforcement agencies. Notable victims include the BBC, British Airways and Boots, although they are not necessarily the organisations that have felt the full impact of this attack. The California Public Employees' Retirement System (CalPERS) is a good example of the knock-on effect, and will most likely continue to feel it for some time. CalPERS itself did not run MOVEit; its vendor, PBI Research Services, did, and it was PBI's MOVEit Transfer instance that was breached. PBI provides services that identify when CalPERS members have died so that payments to retirees and beneficiaries can be managed correctly. Almost 770,000 individuals had shared their personal information with CalPERS, which passed it on to PBI, and the breach of PBI exposed it. PBI Research Services is now being sued on the claim that it did not maintain reasonable security measures to keep this data secure.

A ransomware attack can have a significant impact on an organisation, especially financially. Some groups deliberately disrupt an organisation's daily operations, resulting in lost revenue. There can be significant costs incurred to restore lost data, fix damaged systems and pay legal expenses if data privacy laws have been broken or if reasonable measures were not in place to keep data secure, as is claimed in the lawsuit against PBI. In the MOVEit case no systems were encrypted, yet the costs of investigation, notifying affected individuals and litigation still fell on the victims. Beyond financial losses, an organisation's reputation can be severely damaged: many customers of organisations using MOVEit had their personal information stolen, which leads to negative publicity, loss of customers and concern from investors.

The risk of an attack can be mitigated, and it is important that security measures are not only suitable but maintained so that they are kept up to date. Firewalls and anti-malware software are important, as is educating employees on the tactics used by ransomware groups such as phishing and social engineering, but none of these would have stopped the MOVEit exploitation, which targeted an internet-facing application through a flaw in the application itself. That calls for patching such applications promptly (during the MOVEit incident Progress and the NCSC advised blocking HTTP and HTTPS access to MOVEit Transfer until the patch was applied), limiting their direct exposure to the internet where possible, and reviewing their logs and web directories for signs of compromise. Additionally, appropriate vetting should be carried out when working with third-party organisations or managed service providers who will be handling sensitive or personal data. Data should always be securely backed up, and an incident response plan should be in place so that, if an attack does happen, the response can begin immediately.

Sources

https://www.ncsc.gov.uk/information/moveit-vulnerability

https://www.wired.com/story/moveit-breach-victims/

https://www.experian.com/blogs/ask-experian/moveit-data-breach/

https://www.infosecurity-magazine.com/news/movit-exploit-record-ransomware/

https://www.cybersecuritydive.com/news/progress-software-moveit-meltdown/703659/

https://cybermagazine.com/operational-security/moveit-cyberattack-anxieties-turning-ransomware-into-action

https://techcrunch.com/2023/08/25/moveit-mass-hack-by-the-numbers/

https://konbriefing.com/en-topics/cyber-attacks-moveit-victim-list.html

https://www.theregister.com/2023/11/20/moveit_victim_77m_medical/

https://malpedia.caad.fkie.fraunhofer.de/details/win.clop

https://www.progress.com/moveit

https://www.kolide.com/blog/moveit-hack-the-ransomware-attacks-explained


The information contained in this article is provided for informational purposes only and does not constitute professional advice and is not guaranteed to be accurate, complete, reliable, current or error-free.
