Tag Archive for: CL0P

LockBit, Cl0P expand ransomware efforts


LockBit in the lead, CL0P in 2nd

The report, Ransomware on the Move, looked at how exploitation techniques are evolving — including attackers’ sharpened focus on zero-day vulnerabilities. It showed how victims of multiple ransomware attacks were more than six times more likely to experience the second attack within three months of the first attack.

The authors from Akamai’s Security Intelligence Group reviewed data from the fourth quarter of 2021 to the second quarter of 2023. They reported that LockBit accounted for around 39% of all victim organizations tracked by Akamai, a victim count roughly three times that of its nearest competitor, the CL0P group. Third in victim volume, ALPHV, aka BlackCat, focused its efforts on developing and exploiting zero-day points of entry (Figure A).

Top ransomware groups by victim count. Source: Akamai.

Anthony Lauro, director of security technology and strategy at Akamai, explained that LockBit looks for high-value targets with zero-day vulnerabilities that companies can’t fix quickly. The group tends to target and retarget these organizations and sectors, such as manufacturing and technology, where security operations generally lag. He also noted that malware writers can now choose tools and services from a growing dark ecosystem.

The report spotlighted two trends: large groups with reach and a breadth of offerings, including ransomware as a service (RaaS), show stable growth, while smaller groups focus on opportunities as they arise:

  • The first, exemplified by LockBit, is characterized by a steady count of 50 victims per month, with activity that appears tied to the group’s number of affiliates and its resources.
  • The second, typified by groups like CL0P, features spikes in activity as the group abuses critical zero-day vulnerabilities and other highly targeted security flaws as they appear.

“Malware writers can now split off operations, which is a change,” said Lauro. “It used to be that the attackers were a single entity or group that would be responsible for malware payload delivery, exploitation and follow up.” He added that, because of the open nature of the…

Source…

Cl0p Ransomware Strikes Deloitte, Company Refutes Breach


IN SUMMARY

  • The Cl0P ransomware gang claims to have breached Deloitte.
  • Deloitte has refuted the claims made by the gang regarding the breach.
  • The Cl0P ransomware gang is actively exploiting the MOVEit vulnerability.
  • Deloitte is among the firms using the vulnerable MOVEit Transfer software.

The infamous Cl0p ransomware gang has struck again, this time claiming to have targeted the multinational professional services network Deloitte. The gang, known for its high-profile attacks, claimed responsibility for breaching Deloitte’s infrastructure in a recent post on its dark web data leak blog. While Deloitte refutes the claim, the incident highlights the ongoing risk posed by the MOVEit vulnerability.

Deloitte’s denial of the breach comes with a strong statement from the company’s Global spokesperson. In an exclusive response to Hackread.com, Deloitte stated that they found no evidence of any breach of client data during their analysis.

According to Cl0P, “The company doesn’t care about its customers, it ignored their security!!!” (Screenshot: Hackread.com)

The company said it took immediate action upon becoming aware of the zero-day vulnerability, applying security updates and mitigations per the vendor’s guidance. Deloitte further stated that its global network’s use of the vulnerable MOVEit Transfer software is limited and that its analysis found no impact on client data.

Immediately upon becoming aware of this zero-day vulnerability, Deloitte applied the vendor’s security updates and performed mitigating actions in accordance with the vendor’s guidance. Our analysis determined that our global network use of the vulnerable MOVEit Transfer software is limited. Having conducted our analysis, we have seen no evidence of impact on client data.

Deloitte Global Spokesperson

The Cl0p ransomware group has been on a hacking spree, exploiting the MOVEit vulnerability to target major companies worldwide. Previous victims include well-known names such as the consulting firm PwC, TD Ameritrade, Aon, Kirkland, and Ernst & Young, among others. The gang is now also notorious for using clearnet websites to publish stolen…

Source…

Lessons from CL0P and MOVEit


Hacking group CL0P’s attacks on MOVEit point to ways that cyber extortion may be evolving, illuminating possible trends in who perpetrators target, when they time their attacks and how they put pressure on victims.

Malicious actors that successfully target software supply chains can maximize their reach, impacting the initial victims as well as their clients and clients’ clients. And Allan Liska, intelligence analyst at threat intelligence platform provider Recorded Future, noted that cyber extortion groups like CL0P have the money to buy zero-day vulnerabilities to compromise commonly used platforms.

Plus, perpetrators increasingly use threats to publish stolen data — more so than file encryption — to put pressure on victims and are exploring new ways of denying victims access to their data.


Still, cyber extortionists aren’t a monolith. While zero days make headlines, shoring up basic cyber defense can still go a long way toward defending against many of today’s ransomware attacks, said Tom Hofmann, chief intelligence officer for cyber intelligence and solutions provider Flashpoint.

And other extortionists are likely watching the MOVEit incident play out and drawing their own takeaways.

“With a lot of these, the first big attack, it gets the headlines, but these ransomware groups are learning at the same time,” Hofmann said. “They’re seeing what worked well, what didn’t, what tactics worked, and they’re learning from each other. So, the next go-around is going to be different.”

TIMING AND ATTACK METHODS

With MOVEit, CL0P struck around Memorial Day, notes risk and financial advisory solutions provider Kroll. This follows a trend of perpetrators timing their attacks for holiday weekends. The 2021 ransomware attack on software from IT company Kaseya also hit right before the Fourth of July holiday.

Groups like CL0P also appear to be putting attention on targeting widely used platforms and exploiting zero-day vulnerabilities.

The MOVEit compromise was CL0P’s third known attack on a file transfer service, each one netting more victims. Its 2020 Accellion exploit stole data from roughly 100 companies,…

Source…

CL0P ransomware hackers went after Illinois state agencies


Ransomware hackers accessed systems used by Illinois government agencies for a few hours on May 31, according to the Illinois Department of Innovation and Technology, which said Friday that it is not yet clear what information was accessed or affected but that it expects a “large number” of people to be affected.

Federal authorities have attributed the attack to the CL0P ransomware gang, which also went after major companies around the world last month. CL0P hackers gained access through the MOVEit software, getting into Illinois’ network for about three hours, officials said.

Sanjay Gupta, Illinois’ chief information officer, said state security teams have verified “that the vulnerability could no longer be exploited in our system.”

Officials haven’t said what data could have been exposed, or whether a ransom was demanded for it, as the gang has done in the past.

The BBC, British Airways and Boots — Walgreens’ UK-based retail and health stores — previously told a combined 100,000 employees that payroll data might have been taken in the same attack on MOVEit systems used by their payroll provider.

Described by the federal Cybersecurity and Infrastructure Security Agency as “one of the largest phishing and malspam distributors worldwide,” CL0P has been blamed for compromising more than 8,000 organizations globally since 2019.

The latest attack on MOVEit systems was launched earlier in May and discovered June 2.

A separate attack was conducted by the ransomware group in January, using phishing scams and threats to release information. Ransom notes were sent to “upper-level executives” of companies affected by the scams, with the emails claiming to have stolen “important information” from more than 100 victims, federal officials said.

“If you ignore us, we will sell your information on the black market and publish it on our blog,” the ransom notes threatened.

Hackers have targeted Illinois in the past. Illinois Attorney General Kwame Raoul’s office…

Source…