Lessons From Clop: Combating Ransomware and Cyber Extortion Events

/in


Lessons from Clop

It’s been one month since the Clop ransomware group began exploiting the MOVEit vulnerability (CVE-2023-34362 (VulnDB ID: 322555) to claim nearly 100 victims across the globe, many of which have come public. This attack comes on the heels of Clop leveraging the GoAnywhere MFT vulnerability (CVE-2023-0669), which led them to claim they’d illegally obtained information for more than 100 companies.

When a ransomware or cyber extortion event occurs, security teams are racing against the clock:

  • What do we know about the cybercriminal group that’s claiming responsibility for an attack or double extortion?
  • Is our organization affected? If so, what is the extent of the breach and its impact on our systems, networks, people, and data?
  • How do we respond to and mitigate the situation?
Flashpoint Ignite’s finished intelligence is readily available to all teams to help mitigate risk across the entire organization.

These questions are of vital importance to organizations across the public and private sectors. And the recent Clop attacks—which affected organizations across the globe in nearly every vertical—are yet another example of why it’s vital to have proactive defense measures in place.

Targeting upstream data providers

First, it’s vital to have a deep understanding of the adversary, such as a RaaS (ransomware-as-a-service) group like Clop. Here are five ways that ransomware groups like Clop attack targets, as well as the threat vectors they seen to exploit:

  1. Supply chain attacks. As illustrated through MOVEit, Clop often targets upstream software vendors or service providers so that it can cast a wide net. A number of the known Clop victims are companies who were attacked via a third-party vendor. Attackers like Clop may exploit vulnerabilities in the communication or data exchange between these companies, or compromise the software or hardware components supplied by third-party providers to inject malicious code or backdoors.
  2. Cloud Service Providers (CSP). If a cloud service provider experiences a security breach, it can potentially impact third parties that utilize their cloud services in several ways. Clop successfully breached a cloud service…

Source…