Search This Blog

Showing posts with label Clop Ransomware. Show all posts

UK Water Provider Targeted by Clop Group Ransomware

The UK water supplier, South Staffordshire Water fell prey to a CLOP Ransomware attack. Following the attack, the company released a statement mentioning that the exploit had no effect on the systems that distribute water safely. 

South Staffordshire Water plc, also known as South Staffs Water, is a UK water supply firm that supplies water to a small portion of the West Midlands, Staffordshire, and other nearby counties in England.

Over 1,500 square kilometers in the West Midlands, South Staffordshire, South Derbyshire, North Warwickshire, and North Worcestershire, South Staffordshire provides drinking water to about 1.3 million individuals and 35,000 commercial clients.

The company was able to offer Cambridge Water and South Staffs Water customers safe water because of the security measures in place. Additionally, South Staffordshire Water reassures its clients that all service teams are working normally, negating any possibility of prolonged disruptions as a result of the incident.

Alongside carefully collaborating with the relevant governmental and regulatory agencies, the company is looking into the issue. The supplier's identity was published to the Clop ransomware gang's Tor leak site along with a claim of responsibility for the attack.

The wrong firm extorted by hackers

The Clop ransomware gang's Tor leak site through a release on their onion website today stated that Thames Water was their target. They claimed to have gained access to SCADA systems that they could control to affect 15 million users.

The hackers contend that they acted appropriately by not encrypting their data and only stealing 5TB from the hacked systems. Further claims have it that they warned Thames Water of its network security flaws. However, after allegedly failing to reach an agreement on the ransom payment, the actors released the first sample of stolen information, which included passport images, screenshots from SCADA systems used for water treatment, driver's license images, etc.

In a statement released today, Thames Water formally refuted these assertions, further asserting that any accusations of Clop breaching its network were "cyber-hoaxes" and that its services were already at capacity. One significant aspect of the lawsuit is that, among the public material, Clop offers a table of usernames and passwords that includes the email addresses of South Staffordshire and South Staff Water.

This incident occurs as eight locations in the UK are enforcing water rationing rules and hosepipe bans because of extreme drought. Due to the extreme pressure that could be placed on water suppliers to pay the demanded ransom, cybercriminals don't choose their victims at random.

However, for this to happen, Clop must target its threats on the appropriate party. However, given the amount of attention the situation has received, it's likely too late for that at this point.

The Clop Ransomware Gang Leaked Sensitive Data from the UK Police

 

Clop ransomware operators seized confidential information held by the British police, according to the media, and the cybercriminal group targeted the IT firm Dacoll. According to the media, cybercriminals used a phishing attack to compromise the company's systems, which had access to the police national computer. The Mail reported the security breach on December 19, 2021, while the gang released the stolen material on its leak site on the dark web. 

Clop Ransomware, a member of the well-known Cryptomix ransomware family, is a nasty file-encrypting virus that deliberately avoids unprotected systems and encrypts saved files by planting the .Clop extension. It uses the AES cypher to encrypt images, videos, music, databases, papers, and attaches the .CLOP or.CIOP file extension which stops victims from accessing personal information. For instance, "sample.jpg" is renamed "sample.jpg.Clop." 

Clop virus gets its name from the Russian word "klop," which means "bed bug" — an insect of the genus Cimex that feeds on human blood at night. Clop ransomware is regarded as extremely severe malware due to the virus's ability to infect the majority of operating system versions, including Windows XP, Windows 7, Windows 8, Windows 8.1, and Windows 10. 

The security breach occurred in October, when Clop ransomware operators obtained access to Dacoll data, including that of the PNC, which contained personal information and records for 13 million people. Dacoll, while confirming the data breach said, “We can confirm we were the victims of a cyber incident on October 5.”  

“We were able to quickly return to our normal operational levels. The incident was limited to an internal network not linked to any of our clients’ networks or services.” 

“The cyber-criminal gang Clop has released some of the material it plundered from an IT firm that handles access to the police national computer (PNC) on the so-called ‘dark web’ – with the threat of more to follow.” reported the Daily Mail. “Clop is believed to have demanded a ransom from the company, Dacoll, after launching a ‘phishing’ attack in October." 

Dacoll declined to pay and did not reveal the sum of the ransomware gang's demand. Photographs of motorists exfiltrated from the National Automatic Number Plate Recognition (ANPR) system, footage, and close-up images of the faces of drivers who have committed traffic offenses are among the stolen information.

French Authorities Have Detained a Suspect in Case of Money Laundering of €19 Million

 

This week, French authorities apprehended a suspect under suspicion of laundering more than €19 million ($21.4 million) in ransomware extortion payouts. 

Law enforcement agencies have not revealed the accused's name, which has only been recognized as a person from the Vaucluse area in southeast France, and neither the title of the ransomware organization with which he worked. 

The detention this week follows as law enforcement agencies throughout the world have started to collaborate and crackdown on ransomware activities following years of recurrent attacks, most of which have disrupted government agencies and private sector organizations on many occasions. 

This year has seen several crackdowns targeting ransomware gangs, including: 

  • February – The arrest of Egregor/Maze members in Ukraine. 

According to French radio station France Inter, participants of the Egregor ransomware cartel were apprehended in Ukraine. The existence of a law enforcement activity was already verified by sources in the threat intelligence community. The Egregor gang, reportedly began operations in September 2020, follows a Ransomware-as-a-Service (RaaS) strategy. They rent ransomware strain access, but they depend on some other cybercrime gangs to organize attacks into corporate networks and distribute the file-encrypting ransomware. 

  • March – The arrest of a GandCrab affiliate in South Korea. 

The arrest of a 20-year-old accused on allegations of spreading and infecting victims with the GandCrab ransomware was announced by South Korean national police. The accused, whose identity has not been revealed, was a client of the GandCrab Ransomware-as-a-Service (RaaS) cybercrime organization. Police described the suspect as an associate — or a distributor — who operated by obtaining copies of the GandCrab ransomware and spreading them via email to victims around South Korea. 

  • June – The arrest of a group of Ukrainian money launderers who worked with the Clop gang.

Representatives of the Clop ransomware gang, who were apprehended in Ukraine as part of an international law enforcement operation, also provided money-laundering facilities to other cybercrime organizations. The group was involved in both cyber-attacks and "a high-risk exchanger" that laundered funds for the Clop ransomware gang and other criminal groups, according to cryptocurrency exchange portal Binance. 

  • September – Sanctions against Suex, a Russian crypto-exchange used to process ransomware 

Suex, a cryptocurrency exchange incorporated in the Czech Republic but managed by Russia, was sanctioned by the US Treasury. According to a blockchain analysis company, Suex has assisted ransomware and other cybercrime organizations in laundering more than $160 million in stolen assets. Suex has aided in the processing of ransom payments to gangs like Conti, Ryuk, and Maze.

  • October – The arrest of 12 suspects behind the LockerGoga ransomware. 

According to Europol, twelve members of a ransomware cell were apprehended in Ukraine and Switzerland. The accused are suspected of orchestrating the ransomware attack that damaged Norsk Hydro in 2019, the organization was linked to 1,800 ransomware assaults in 71 countries.

  • November – The arrest of a REvil affiliate in Ukraine for the Kaseya attack. 

The US Department of Justice charged a 22-year-old Ukrainian national with coordinating the ransomware assaults against Kaseya servers on July 4th of this year.

  • December – The arrest of a Canadian citizen for the attack against an Alaskan healthcare provider. 

Since 2018, Canadian authorities had jailed an Ottawa resident on suspicion of organizing ransomware attacks on commercial companies and government agencies in Canada and the United States.

Swire Pacific Offshore Hit by a Ransomware Attack

 

Swire Pacific Offshore (SPO) reported that it had been the victim of a cyberattack that resulted in the theft of "some confidential proprietary commercial information" as well as personally identifiable information. The details of the incident are unknown, however, there are indications that it was carried out by the CL0P ransomware organization. 

SPO hasn't acknowledged whether or not the attack is ransomware-based, however, CL0P has now modified its blog, alleging that it has accessed SPO's servers. 

IT Pro has observed full names, addresses, phone numbers, company names, bank details, email addresses, and passport scans among some of the stolen data. Employees in Singapore and Malaysia appear to be among the most impacted, however, some information belonged to employees in the United Kingdom, China, and the Philippines. 

File names referencing payment requests, mailbox backups, random archives, and other individual folders are among all the other files acquired. The business is the Swire conglomerate's marine services section, and it has stated that the hack did not affect its international operations. 

"SPO has taken immediate actions to reinforce existing security measures and to mitigate the potential impact of the incident," it said to IT Pro. 

"It takes a serious view of any cyberattack or illegal accessing of data or any unlawful action that potentially compromises the privacy or confidentiality of data and will not be threatened by such actions.SPO has reported the incident to the relevant authorities and will work closely with them concerning the incident. SPO is contacting potentially affected parties to inform them about the incident." 

SOS Intelligence, a dark web monitoring service, drew notice to CL0P's ransomware blog on Wednesday, including Swire Pacific Offshore to its list of victims. 

CL0P is a deadly ransomware gang responsible for several recent high-profile hacks. Donald Trump's previous law firm, Jones Day, was also attacked by CL0P in February of this year, with sources claiming that papers were stolen and uploaded online, similar to the SPO incident, although the law firm denied the compromise. 

CL0P is also suspected of being responsible for the months-long cyberattack on Accellion's File Transfer Application (FTA) product in February 2021. Canada's Bombardier airline has been among the most high-profile victims of the hack, which exploited various zero-day holes in the outdated IT product. Months later, global investment bank Morgan Stanley announced that the very same Accellion data breach had obtained and stolen personal information from its corporate clients.

Beaumont Health: The Latest Victim of Accellion Breach

 

Beaumont Health, headquartered in Michigan, is the latest victim of the Accellion data breach, which began in December 2020 and has so far claimed 100 victims. Threat actors exploited zero-day vulnerabilities in Accellion's File Transfer Application (FTA), compromising the data of millions of patients. 

Approximately 1500 patients have been alerted by Beaumont Health that their personal information may have been compromised as a result of the December cyberattack on Accellion software. Beaumont hired Goodwin Procter LLP to offer legal services, and the firm used Accellion's File Transfer software to make massive transfers on behalf of its customers. 

Goodwin notified the healthcare provider on February 5 that patient data had been breached. Following the announcement of the Accellion breach, Goodwin conducted a digital forensics investigation and discovered that an unknown person had exploited a vulnerability in the application to obtain specific documents. 

“The potentially impacted information included a listing of roughly 1500 patients who had one of two procedures performed at a Beaumont Hospital,” mentioned in a statement issued on August 27 by Beaumont Health. 

“The list included the patient name, procedure name, physician name, the internal medical record number and the date of service. This incident is limited to these patients and does not affect all patients of Beaumont.” 

The healthcare provider also stated that the breach had no financial implications and neither Beaumont nor Goodwin had discovered any indication of the exposed data being exploited. 

On behalf of Beaumont, Goodwin contacted impacted people via mail on August 27 at their last known address to inform them about the data breach. The letter advises patients on the actions they should take to protect themselves from identity theft. 

“The notice letter specifies steps impacted individuals may take to protect themselves against identity fraud, including enrolling in complimentary credit monitoring services (if eligible), placing a fraud alert/security freeze on their credit files, obtaining free credit reports, remaining vigilant in reviewing financial account statements and credit reports for fraudulent or irregular activity on a regular basis and taking steps to safeguard themselves against medical identity theft,” stated Beaumont. 

“At Beaumont, protecting the privacy of personal information is a top priority,” the statement concluded. 

Goodwin is examining its data security policies and protocols in the aftermath of the incident. 

Accellion is now facing lawsuits

As the number of breaches escalates, Accellion is experiencing over a dozen lawsuits. In February, the Cybersecurity and Infrastructure Security Agency (CISA), together with security agencies in the United Kingdom, New Zealand, Singapore, and Australia, issued a warning to companies about the Accellion hack. 

Clop ransomware took responsibility for the assault and abused four previously unknown vulnerabilities. Some of the ransomware group's most recent victims include Kroger, Bombardier, Southern Illinois University School of Medicine, and Trillium Community Health Plan. 

In April, Trinity Health, located in Michigan, alerted over 580,000 patients that their information had been compromised. Demographic data, names, medical record numbers, and medical tests were among the information stolen. 

Centene also alerted over 1.3 million patients of the Accellion data leak in April. Contact information, birthdates, insurance ID numbers, and treatment information were all acquired by the hackers. 

During a major extortion attempt, the Clop ransomware published stolen data online, and some of the affected companies got emails from the intruders attempting to intensify extortion attempts. The number of victims continues to rise months after the initial attack.

Cl0p Ransomware Group Announces New Victim After Police Arrest

 

The renowned Cl0p ransomware operation appears to be back in business, just days after Ukrainian police arrested six alleged members of the gang. The arrests were recognized as a win against a hacker group that has targeted dozens of victims in recent months, including Flagstar Bank, Jonesday Law Firm, Shell, and a number of US universities. 

Numerous suspects believed to be affiliated with the Cl0p ransomware group were arrested last week in a law enforcement operation led by the National Police of Ukraine and officials from South Korea and the United States. It's considered to have been the first time a national law enforcement agency has made mass arrests in connection with a ransomware attack. 

The Ukrainian authorities said at the time that they had successfully shut down the gang's server infrastructure. However, it does not appear that the operation was entirely successful as less than a week later, the gang's hackers posted information on their dark website that they claimed was obtained from a new victim. This new breach, intended to put pressure on the corporation to pay the money demanded by the hackers, indicates that the arrests in Ukraine have had no effect on the hackers. 

It's unknown when the new company was hacked, and whether the data was hacked before the arrests but hadn't been made public until now, or whether it was a whole new hack. In any case, it shows that the group is still operational in some capacity. 

In an email, Brett Callow, a security researcher at Emsisoft, who specializes in tracking ransomware, said, "The fact that data has been posted suggests that the action by the Ukrainian police may not have involved core members of the threat group or completely disrupted their operations." 

Though the hackers did not respond to an email sent to the address listed on their website right away. In an email to Motherboard last week, the Cyber-Police Department of Ukraine's National Police stated it had "identified six perpetrators," but refused to address any specific questions regarding the people arrested "so as not to jeopardize the investigation." 

The police said they searched the houses and automobiles of the alleged hackers in and around Kiev 21 times. The cops reported that they have seized 500 million Ukrainian hryvnia (approximately $180,000), as well as computers and automobiles. On Tuesday, the police did not immediately respond to an email seeking comment.

Cl0p ransomware was identified in early 2019, and it has since been tied to a number of high-profile attacks. These include the April 2020 data breach at ExecuPharm in the United States, as well as the data breach at Accellion, in which hackers exploited vulnerabilities in the IT provider's software to steal data from dozens of customers, including the University of Colorado and cloud security firm Qualys.

Suspects Linked to the Clop Ransomware Gang Detained in Ukraine

 

Following a joint operation by law enforcement agencies from Ukraine, South Korea, and the United States, multiple persons alleged to be affiliated with the Clop ransomware gang have been arrested in Ukraine. Six arrests were made during searches at 21 locations in Kyiv and the surrounding regions, according to the National Police of Ukraine's Cyber Police Department. 

While it's unclear if the defendants are ransomware affiliates or core developers, they're accused of a "double extortion" technique in which victims who fail to pay the ransom are threatened with the leak of data stolen from their networks before their files are encrypted. “It was established that six defendants carried out attacks of malicious software such as ‘ransomware’ on the servers of American and [South] Korean companies,” alleged Ukraine’s national police force in a statement. 

The police also seized equipment from the alleged Clop ransomware gang, which is accused of causing $500 million in financial losses. This includes computer equipment, a Tesla and a Mercedes, as well as 5 million Ukrainian Hryvnia (about $185,000) in cash. 

Authorities also claim to have successfully shut down the server infrastructure used by gang members to launch prior operations. “Together, law enforcement has managed to shut down the infrastructure from which the virus spreads and block channels for legalizing criminally acquired cryptocurrencies,” the statement added. 

“The Cl0p operation has been used to disrupt and extort organizations globally in a variety of sectors including telecommunications, pharmaceuticals, oil and gas, aerospace, and technology,” said John Hultquist, vice president of analysis at Mandiant’s threat intelligence unit. 

In February 2019, the gang launched an attack on four Korean organizations, encrypting 810 internal services and personal PCs. Clop has since been connected to a slew of high-profile ransomware attacks. These include the attack on ExecuPharm, a US pharmaceutical company, in April 2020, and the attack on E-Land, a South Korean e-commerce company, in November, which prompted the retailer to close over half of its outlets.

Clop is also related to the Accellion ransomware attack and data theft, in which hackers exploited flaws in the IT firm's File Transfer Appliance (FTA) software to steal data from dozens of its clients. Singaporean telecom Singtel, law firm Jones Day, supermarket retail chain Kroger, and cybersecurity firm Qualys are among the victims of this breach.

BCPS Hit by Conti Ransomware Gang, Hackers Demanded $40 Million Ransom

 

Several weeks ago, the Conti ransomware gang encrypted the systems at Broward County Public Schools and took steps to release sensitive personal information of students and staff except if the district paid a colossal $40 million ransom. Broward County Public Schools, the country's 6th biggest school district with an annual budget of about $4 billion, enlightened parents about a network outage on March 7 that adversely affected web-based teaching, but dependent on this new data, the incident was unmistakably much more serious. 

First reported by DataBreaches.net, the hackers took steps to disclose a huge trove of personal information, including the social security numbers of students, teachers, and employees, addresses, dates of birth, and school district financial contact information. "Upon learning of this incident, BCPS secured its network and commenced an internal investigation,” the statement continued. “A cybersecurity firm was engaged to assist. BCPS is approaching this incident with the utmost seriousness and is focused on securely restoring the affected systems as soon as possible, as well as enhancing the security of its systems." 

The hackers published screenshots of a text message from mid-March between them and a district official — clearly a negotiation for the hackers to deliver the documents back to the district. 

“The good news is that we are businessmen,” the text message from the hackers said. “We want to receive ransom for everything that needs to be kept secret, and don’t want to ruin your reputation. The amount at which we are ready to meet you and keep everything as collateral is $40,000,000.” 

After weeks of negotiations, the hackers in the end brought the proposal down to $10 million. Under district policy, that sum is the maximum it can pay without school board approval. 

Broward County's case was one of a few ransomware assaults that hit educational institutions in the past two weeks. The Clop ransomware gang was very active, with reported cases influencing the University of Maryland, Baltimore Campus (UMBC); the University of California, Merced; the University of Colorado; and the University of Miami. Jamie Hart, cyber threat intelligence analyst at Digital Shadows noticed that these assaults were led by the Clop gang and were targeted as a part of the Accellion FTA breach.

Cyberextortion Threat Evolves as Clop Ransomware Attacked 6 U.S Universities Data Security

 


Malicious actors are now using novel ways to extract universities' data, and are threatening to share stolen data on dark websites unless universities pay them a lot of money. 
The current update reads that the Clop ransomware group claimed to have access to six top universities of the United States including institutions’ financial documents information and passport data belonging to their staff and students. According to the report, a group of hackers has first posted the stolen data online on March 29. 

The universities' that have been attacked, include — The University of Miami, the Yeshiva University, the University of Maryland, the Stanford University, the University of Colorado Boulder, And the University of California, Merced. 

However, there is no official confirmation regarding this cyber-attack from any of the aforementioned universities, it's unsure whether or not the cyberinfrastructure of these universities has been attacked or the hacker group asked for money in exchange for data. 

Additionally, a few days back, Michigan State University also confirmed a cyber attack by a group that was threatening to share it on the dark websites unless a bounty is paid. 

The data stolen by the Clop ransomware group include federal tax documents, passports, requests for tuition remission paperwork, tax summary documents, and applications for the Board of Nursing. 

This data breach affected several individuals and staff of the universities as the shared information also exposed sensitive credentials, such as names of individuals, date of birth, photos, home addresses, immigration status, passport numbers, and social security numbers. 

Not only this, but some news websites also confirmed that the leaked data included several more screenshots including retirement documentation, and 2019/2020 benefit adjustment requests, late enrollment benefit application forms for employees, and the UCPath Blue Shield health savings plan enrollment requests, amid much more. 

It should be noted that such attacks are not unusual for the Clop ransomware group as the group is known for its assault against various organizations. Furthermore, Michigan State University’s officials stated in the regard that, “Payment to these criminals only allows these crimes to be perpetuated and further target other victims. The decision not to pay was in accordance with law enforcement guidance and reached with support from the university’s Board of Trustees and president”.

Shell’s Employees’ Visas Dumped Online as part of Extortion Attempt

 



Royal Dutch Shell became the latest corporation to witness an attack by the Clop ransomware group. The compromised servers were rebuilt and brought into service with a new Accellion security patch; the security patch eliminates the vulnerabilities and enhances security controls to detect new attacks and threats. 

"A cyber incident impacted a third-party, Accellion, software tool called the File Transfer Appliance (FTA) which is used within Shell," stated Shell spinner. In a statement last week, Shell confirmed that it too was affected by the security incident but it has only affected the Accellion FTA appliance which is used to transfer large data files securely by the company. 

In an attempt to bribe the company into paying a ransom, the criminals behind the malware have siphoned sensitive documents from a software system used by Shell and leaked some of the data online, including a set of employees' passports and visa scans. The idea being that once the ransom is paid, no further information will be released into the public domain. 

As stated by Shell, the data accessed during a “limited window of time” contained some personal data together with data from Shell companies and some of their stakeholders. The company to downplay the impact stated that “there is no evidence of any impact to Shell’s core IT systems,” and the server accessed was “isolated from the rest of Shell’s digital infrastructure.” But it did acknowledge that the crooks had probably grabbed “some personal data and data from Shell companies and some of their stakeholders.” 

Previously this month, files from infosec outfit Qualys, including purchase orders, appliance scan results, and quotations also surfaced on the extortionists' hidden site. Other victims include Canadian aerospace firm Bombardier, which had details of a military-grade radar leaked, London ad agency The7stars, and German giant Software AG.

The group has now posted several documents to its Tor-hidden website, including scans of supposed Shell employees' US visas, a passport page, and files from its American and Hungarian offices, in order to persuade Shell to compensate the hackers and prevent more stolen data from leaking. 

According to BleepingComputer, to stack up the pressure, the Clop gang now e-mails its victims' to warn them that the data is stolen and will be leaked if a ransom is not paid.

Data From These Two Universities Stolen and Published Online by Clop Ransomware Group

 

The Clop ransomware group has officially published online the grades and social security numbers for students at the University of Colorado and the University of Miami. 

From December, threat agents related to the Clop Ransomware Group had started to attack Accellion FTA servers and steal the data stored on their servers. These servers are used by companies to exchange confidential files and information with non-organizational people. The ransomware gang approached the companies and asked for $10 million in bitcoins and if the demand is not fulfilled then they would publish the stolen information on the internet. 

Since February, the team of Clop Ransomware has started to publish the compromised files that were stolen due to the flaws in the Accellion FTA file-sharing servers. Later this week the Clop Ransomware Gang began posting screenshots of compromised files from the Accellion FTA server that is used by Miami University and Colorado University. In February, Colorado University (CU) revealed a cyberattack that mentioned that the threat actors had stolen data through a vulnerability of Accellion FTA. 

The actors behind the Clop ransomware have started to post compromised data screenshots, including university files, university grades, academic records, registration details, and biographical information of students. 

While the University of Miami did not report any data breach, it used a protected 'SecureSend' file sharing program that had since been shut down. "Please be advised that the secure email application SecureSend (secure.send.miami.edu) is currently unavailable, and data shared using SecureSend is not accessible," reads the University's SecureSend page. 

Although the University of Miami never confirmed a security incident, still screenshots of patient information were released by the Clop ransomware operation. This information covers medical history, demographic analyses, and telephone numbers and email addresses. The data supposedly robbed from the University of Miami belongs to the patients of the health system of the University. 

"While we believe based on our investigation to date that the incident is limited to the Accellion server used for secure file transfers, we continue to enhance our cybersecurity program to further safeguard our systems from cyber threats. We continue to serve our University community consistent with our commitment to education, research, innovation, and service," the University of Miami wrote. 

The ransomware gang has only published few screenshots at this time but is likely to release more documents to force victims to pay in the future.