The Clop group’s mass exploitation of MOVEit file-transfer software represents the latest stage of innovation in the ever-evolving ransomware ecosystem.
As with all cybercrime, criminals’ imperative is simple: maximize illicit profits via the least amount of effort, time and risk. Russian-speaking criminal group Clop’s attacks have affected at least 421 organizations – and likely many more.
“It is likely that the Clop group may earn $75 million to $100 million just from the MOVEit campaign, with that sum coming from just a small handful of victims that succumbed to very high ransom payments,” ransomware response firm Coveware assesses. “This is a dangerous and staggering sum of money for one relatively small group to possess.”
Clop’s success comes despite a decline in the share of victims who pay a ransom. Based on the thousands of cases it helped investigate during the second quarter of this year, Coveware reports that “successfully getting paid from an encryption attack has become harder,” with the share of victims that paid falling to a record low of 34%, down from 45% during the first three months of the year.
But when victims did pay, they paid more: $740,144 on average, up 126% from the first quarter, thanks in no small part to Clop’s campaign. The median ransomware payment also increased, rising by 20% to reach $190,424, it said.
With ransomware profits in decline, groups have been exploring fresh strategies to drive them back up. While groups such as Clop have shifted tactics away from ransomware to data theft and extortion, other groups have been targeting larger victims, seeking bigger payouts. Some affiliates have been switching ransomware-as-a-service provider allegiance, with many Dharma and Phobos business partners adopting a new service named 8Base, Coveware says.
Numerous criminal groups continue to wield crypto-locking malware. The largest number of successful attacks Coveware saw during the second quarter involved either BlackCat or Black Basta ransomware, followed by Royal, LockBit 3.0, Akira, Silent Ransom and Cactus.
One downside of crypto-locking malware is that attacks designed to take down the largest possible victims, in pursuit of the biggest potential ransom payment, typically demand substantial manual effort, including hands-on-keyboard time. Groups may also need to purchase stolen credentials for the target from an initial access broker, pay penetration testing experts or share proceeds with other affiliates. If the attack ultimately fails or the victim declines to pay a ransom, that investment is wasted. Hence the appeal of skipping crypto-locking malware altogether in favor of data theft and extortion.
Clop has been experimenting with extortion-only attacks, using mass exploitation of a vulnerability to maximize its chances of getting paid without having to carefully and manually hack its way into targets. “Over the last two years, Clop has abused four vulnerabilities in appliances that would either lead to the deployment of Clop ransomware or the exfiltration of victim organizations’ data,” cybersecurity consultancy NCC Group said in a recent research report.
How Clop learned about these vulnerabilities remains unclear. One likely explanation is that the group paid a third party or individual for exclusive use, and perhaps even commissioned them to look for flaws in widely used file-transfer software in the first place.
The impact of Clop’s mass exploitation campaigns has continued to increase. The group’s campaign against users of Fortra’s GoAnywhere MFT secure managed file transfer software, which began on Jan. 25 and ran until Fortra patched the flaw on Feb. 7, racked up at least 130 different victims.
Clop timed its mass exploitation of Progress Software’s MOVEit Transfer file-transfer software to begin around May 29, likely to take advantage of the Memorial Day holiday weekend in the United States and amass as many victims as possible. The group exploited a zero-day vulnerability, designated CVE-2023-34362, to steal data from MOVEit Transfer servers pertaining to what experts say could well be more than 1,000 organizations. That count includes the organizations running the servers as well as their customers, especially where the victim is a service provider that handled other organizations’ files.
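Because the exploitation window was so short, the first question for any MOVEit Transfer operator was simply whether the build in production predated the fix for CVE-2023-34362. The script below is an added example, not code from this article, from Progress Software or from any of the firms quoted here. It compares an installed MOVEit Transfer version against the first fixed build on each supported release branch. The fix table and the mapping between year-style versions (2023.0.1) and internal numbering (15.0.1) are my recollection of the vendor advisory and are assumptions to verify against that advisory before use; the host inventory is constructed.

```python
"""Triage MOVEit Transfer builds against the fix for CVE-2023-34362.

Added example; not from the article, Progress Software or the quoted firms.
ASSUMPTION: the fixed-version table and the year <-> internal version mapping
are recalled from the vendor advisory and must be verified against it.
"""
from __future__ import annotations

# First build on each release branch that contains the fix (ASSUMPTION: verify).
FIXED_BY_BRANCH: dict[tuple[int, int], tuple[int, int, int]] = {
    (2021, 0): (2021, 0, 6),
    (2021, 1): (2021, 1, 4),
    (2022, 0): (2022, 0, 4),
    (2022, 1): (2022, 1, 5),
    (2023, 0): (2023, 0, 1),
}

# Internal numbering offset: 13.x == 2021.x, 14.x == 2022.x, 15.x == 2023.x.
# ASSUMPTION: offset recalled from the advisory's "2023.0.1 (15.0.1)" style.
INTERNAL_TO_YEAR_OFFSET = 2008


def parse_version(text: str) -> tuple[int, int, int]:
    """Normalise '2023.0.1' or '15.0.1' to a (year, minor, patch) tuple."""
    parts = text.strip().split(".")
    if len(parts) != 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised MOVEit Transfer version: {text!r}")
    major, minor, patch = (int(p) for p in parts)
    if major < 100:  # internal numbering, e.g. 15.0.1
        major += INTERNAL_TO_YEAR_OFFSET
    return (major, minor, patch)


def assess(version: str) -> tuple[str, str]:
    """Return (status, note); status is 'patched', 'vulnerable' or 'unknown'."""
    v = parse_version(version)
    branch = (v[0], v[1])
    fixed = FIXED_BY_BRANCH.get(branch)
    if fixed is None:
        if branch < min(FIXED_BY_BRANCH):
            # Older branches received no fix on that branch: upgrade required.
            return ("vulnerable", "unsupported branch; upgrade to a supported release")
        return ("unknown", "branch newer than the fix table; check the vendor advisory")
    if v >= fixed:
        return ("patched", "build is at or past the first fixed release")
    return ("vulnerable", f"upgrade to {'.'.join(map(str, fixed))} or later")


def triage(inventory: dict[str, str]) -> list[tuple[str, str, str]]:
    """Return (host, version, note) for every host that is not confirmed patched."""
    findings = []
    for host, version in sorted(inventory.items()):
        status, note = assess(version)
        if status != "patched":
            findings.append((host, version, f"{status}: {note}"))
    return findings


# Constructed inventory for illustration only (hostnames and versions are made up).
SAMPLE_INVENTORY = {
    "mft-prod-01": "2023.0.0",
    "mft-prod-02": "15.0.1",
    "mft-legacy": "2020.1.6",
    "mft-dr": "2022.1.5",
}

if __name__ == "__main__":
    for host, version, note in triage(SAMPLE_INVENTORY):
        print(f"{host:12} {version:10} {note}")
```

The comparison is done per branch because a higher version number on an older branch (for example 2022.1.4) is still vulnerable even though it sorts above 2021.0.6; flattening the table into a single "minimum version" would miss that case.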
Known victims include UCLA, Siemens Energy, consultancies EY and PwC, gas and oil giant Shell, PBI Research Services, the Teachers Insurance and Annuity Association of America, the U.S. departments of Energy and Agriculture as well as the Office of Personnel Management, the motor vehicle registries of Louisiana and Oregon, British communications regulator Ofcom and the government of the Canadian province of Nova Scotia.
Clop appears to have practiced extreme patience before unleashing its MOVEit campaign, which may have only run for 48 hours. Security researchers at incident response firm Kroll have reported that the attackers appear to have known about CVE-2023-34362 and been experimenting with it via manual attacks since at least July 2021. “The Clop threat actors potentially had an exploit for the MOVEit Transfer vulnerability prior to the GoAnywhere MFT secure file transfer tool exploitation … but chose to execute the attacks sequentially instead of in parallel,” Kroll’s researchers reported.
One risk, of course, is that Clop, or another ransomware group seeking to emulate its success, has yet more zero-day vulnerabilities for widely used software up its sleeve, now waiting to be used.