Three of the “Big Four” accounting firms have now publicly confirmed they have been impacted by the MOVEit file-transfer platform attacks, orchestrated by the Clop threat group, believed to be linked to Russia. The Big Four accounting firms are responsible for auditing over 80% of all U.S. companies.
The overall scope of the Clop attacks is growing, along with the number of publicly known victims, and recent reports indicate the Clop ransomware gang will likely earn more than $75 million in ransom payments.
BlackBerry helps shield its customers from the multiple attack tools Clop uses.
How BlackBerry Shields Customers from Clop
BlackBerry has verified that its cybersecurity software, powered by Cylance® AI, protects against these vulnerabilities. Cylance pioneered the use of AI in preventing cybersecurity attacks and was the first to embed AI in its prevention engine. By using this battle-tested AI, CylanceENDPOINT™ convicts payloads that are known to be associated with these attacks. Specifically:
- CylanceOPTICS® is able to detect the file creation of the LEMURLOOT web-shell — used in this attack sequence — based on the behavior of the web server. This is implemented by a custom rule created by BlackBerry.
- CylanceEDGE™ detects and blocks network indicators of compromise (IoCs) with high risk related to Clop.
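The behavioural signal in the first bullet, a web server process writing a server-side script into its own web root, can be expressed as a simple detection over file-creation telemetry. The following is an added illustration, not BlackBerry's rule; it assumes MOVEit Transfer runs under IIS (worker process w3wp.exe) with a web root of C:\MOVEitTransfer\wwwroot, and the sample events and file names are constructed placeholders.

```python
import ntpath
from dataclasses import dataclass

# Assumed defaults (not from the article): MOVEit Transfer is an ASP.NET
# application hosted by IIS, whose worker process is w3wp.exe, and its
# content lives under C:\MOVEitTransfer\wwwroot. Adjust for your deployment.
WEB_SERVER_PROCESSES = {"w3wp.exe"}
WEB_ROOT = r"c:\moveittransfer\wwwroot"
# Server-side script extensions IIS will execute if dropped into the web root.
SCRIPT_EXTENSIONS = {".aspx", ".ashx", ".asmx", ".asax"}


@dataclass(frozen=True)
class FileCreateEvent:
    """One file-creation record from endpoint telemetry (constructed format)."""
    timestamp: str
    process: str   # full path of the process that created the file
    path: str      # full path of the file created


def is_webshell_drop(event: FileCreateEvent) -> bool:
    """True when the web server worker writes an executable script into the web root.

    A patched, healthy web app has no reason for its worker process to author new
    .aspx/.ashx files; installers and administrators do that, not w3wp.exe.
    """
    proc = ntpath.basename(event.process).lower()
    path = event.path.lower()
    if proc not in WEB_SERVER_PROCESSES:
        return False
    if not path.startswith(WEB_ROOT + "\\"):
        return False
    return ntpath.splitext(path)[1] in SCRIPT_EXTENSIONS


def find_webshell_drops(events):
    """Return the subset of events that match the web-shell drop behaviour."""
    return [e for e in events if is_webshell_drop(e)]


# Constructed sample telemetry; file names are placeholders, not real indicators.
W3WP = r"C:\Windows\System32\inetsrv\w3wp.exe"
SAMPLE_EVENTS = [
    # Web server worker writes a script into the web root: the suspicious case.
    FileCreateEvent("2023-06-01T02:14:07Z", W3WP, r"C:\MOVEitTransfer\wwwroot\PLACEHOLDER.aspx"),
    # Same process writing a log file: benign.
    FileCreateEvent("2023-06-01T02:14:08Z", W3WP, r"C:\MOVEitTransfer\wwwroot\logs\app.log"),
    # Installer laying down a script during an upgrade: benign.
    FileCreateEvent("2023-06-01T03:00:00Z", r"C:\Windows\System32\msiexec.exe", r"C:\MOVEitTransfer\wwwroot\Upgrade.aspx"),
    # Worker writing a script outside the web root: not served by IIS, not flagged here.
    FileCreateEvent("2023-06-01T03:05:00Z", W3WP, r"C:\Temp\scratch.aspx"),
]

if __name__ == "__main__":
    for hit in find_webshell_drops(SAMPLE_EVENTS):
        print(f"ALERT {hit.timestamp} {hit.process} created {hit.path}")
```

In production the event source would be EDR or Sysmon file-create telemetry rather than an inline list, and the allow-list of legitimate writers would be tuned to the patch process used on the host.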
“It’s important to note, there is no single silver bullet in cybersecurity,” says BlackBerry Vice President of Threat Intelligence Ismael Valenzuela. “There’s never been one, and there never will be. But organizations that take a holistic and a threat-informed approach to cybersecurity are always better-prepared to defend against these attacks.”
The Clop MOVEit Cyberattacks Explained
The recent Clop ransomware strike against users of the MOVEit file-transfer platform is compromising networks around the world. The cyberattack, flagged by U.S. government and security researchers on June 1, saw the Clop gang exploit a critical zero-day vulnerability (now patched) in MOVEit’s digital infrastructure, which allowed the threat actors to break into multiple corporate networks and steal data.
In a post on Clop’s Telegram channel, the ransomware operators demanded victims pay them by June 14, or have their most sensitive data exposed to the world.
So far, named victims of the MOVEit attacks have included U.S. government agencies, airlines and media companies, an oil giant, health services, international consulting firms, and many more. Clop’s operators and affiliates have hit almost every industry vertical.
Who is the Clop Ransomware Gang?
The Clop (also referred to as CLOP or Cl0p) ransomware syndicate is believed to originate or be based in Russia — which has a long history of tacitly supporting or providing safe harbor for cybercriminals who engage in state-condoned and state-ignored attacks. The group targets the Windows® OS and runs its operations using a ransomware-as-a-service (RaaS) model.
First seen in the wild in 2019, Clop ransomware has been reported by researchers as a popular final payload for attacks conducted by FIN11. FIN11 is a financially motivated Russian threat group responsible for a subset of the activity attributed to TA505.
The ransomware operators are well-known for their multi-level extortion techniques and large toolset. For example, Clop ransomware comes equipped with anti-analysis and anti-virtual machine (VM) capabilities. Another disconcerting feature is its ability to disable anti-malware applications such as Windows Defender and Microsoft® Security Essentials before it starts its encryption routine.
Growing Number of Clop Victims
At the time of this post, there have been at least 545 victims of the MOVEit vulnerability exploit, affected either directly or indirectly by Clop. That number is based on data breach notifications released publicly by victims, as well as Clop's own data leak site.
Now, the U.S. Justice Department has offered a reward of up to USD$10 million for information that leads to the location and conviction of the Clop ransomware gang.
The threat actors’ targeting of file-transfer platforms was far from random: these platforms are routinely used for the secure transfer of sensitive data, such as payroll or legal information, which makes them a calculated choice of target.
Clop is known to target organizations in the United States, Canada, Latin America, Asia Pacific, and Europe, especially those that generate revenue of $5 million or more annually.
Read the Clop Ransomware Threat Report for a deep-dive technical analysis.
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has strongly advised all MOVEit clients to check their networks for indications that bad actors may have obtained unauthorized access to their networks during the past 30 days.
CISA also recommends users review Progress Software’s MOVEit Transfer article, and apply product updates as applicable for security improvements. The Service Pack addresses the three new vulnerabilities (CVE-2023-36934, CVE-2023-36932, CVE-2023-36933) in MOVEit Transfer that a cyber threat actor could exploit to obtain sensitive information.
Read our MOVEit Mitigations blog for extra tips on defending against Clop attacks.
If you or your organization may have been compromised by any of the malicious code or activities referenced in this blog, please contact the BlackBerry Incident Response Team. The team can work with organizations of any size and across any vertical industry, to evaluate and enhance your endpoint security posture and proactively maintain the security, integrity, and resilience of your network infrastructure.