The Week in Ransomware – June 9th 2023 – It’s Clop… Again!
The week was dominated by fallout over the MOVEit Transfer data-theft attacks, with the Clop ransomware gang confirming that they were behind them.
On Monday, Microsoft was the first to attribute the attacks to the Clop ransomware operation, followed by the threat actors telling BleepingComputer that they started exploiting servers on May 27th.
After analyzing historic telemetry, Kroll security experts also found that the Clop gang had likely been testing the MOVEit Transfer zero-day in limited attacks since 2021.
As expected, we are just starting to see the fallout from the attacks, with victims coming forward with announcements and data breach notifications.
The companies that have disclosed MOVEit Transfer breaches so far are listed below:
- Zellis – Their breach also impacted eight companies, including BBC, Aer Lingus, Boots, and British Airways.
- University of Rochester
- Government of Nova Scotia
- Extreme Networks
- US state of Illinois
- Minnesota Department of Education (MDE)
In other news, the Royal Ransomware gang has begun to test a new BlackSuit encryptor in limited attacks. As this is a self-contained ransomware operation with its own encryptor, Tor negotiation site, and data leak site, it’s unclear how they plan on using BlackSuit in the future.
Other research released this week is on the new ransomware variants called Cyclops and Xollam.
There was an interesting development regarding Rhysida’s ransomware attack on the Chilean army, with an Army corporal arrested for alleged involvement.
We also saw an attack on Japanese pharmaceutical company Eisai, and Australia’s largest commercial law firm, HWL Ebsworth, refusing to give in to ALPHV’s extortion demands.
Finally, we would be remiss not to share the excellent map of ransomware operations created by CERT Orange Cyberdefense threat intelligence researcher Marine Pichon.
Contributors and those who provided new ransomware information and stories this week include: @serghei, @LawrenceAbrams, @malwrhunterteam, @BleepinComputer, @demonslay335, @DanielGallagher, @fwosar, @billtoulas, @KrollWire, @Mar_Pich, @RedSenseIntel, @CISAgov, @FBI, @MsftSecIntel, @pcrisk, @TrendMicro, @PogoWasRight, @catabatarce, @GossiTheDog, @BrettCallow, and @uptycs.
June 4th 2023
CISA orders govt agencies to patch MOVEit bug used for data theft
CISA has added an actively exploited security bug in the Progress MOVEit Transfer managed file transfer (MFT) solution to its list of known exploited vulnerabilities, ordering U.S. federal agencies to patch their systems by June 23.
Rhysida ransomware group claims attack on Martinique
DataBreaches did not review all of the files leaked by the Rhysida ransomware group, but as the screencap of just a small portion of the file listing suggests, they do appear to be government-related files. Unlike other groups that often provide a brief summary of what kinds of files they are leaking, Rhysida offers no information on the size of the data leak or its contents.
June 5th 2023
Microsoft links Clop ransomware gang to MOVEit data-theft attacks
Microsoft has linked the Clop ransomware gang to recent attacks exploiting a zero-day vulnerability in the MOVEit Transfer platform to steal data from organizations.
Clop ransomware claims responsibility for MOVEit extortion attacks
The Clop ransomware gang has told BleepingComputer they are behind the MOVEit Transfer data-theft attacks, where a zero-day vulnerability was exploited to breach servers belonging to “hundreds of companies” and steal data.
A martial hacker: PDI detains an Army corporal for a cyberattack on the internal networks of the military institution
Editor’s note: This is related to the Rhysida ransomware attack on the Chilean military.
According to sources in the case, a series of electronic devices were seized from the soldier and are now being examined by detectives. He was charged with violating the computer crime law and was subsequently placed in preventive detention.
Cyclops Ransomware and Stealer Combo: Exploring a Dual Threat
The Cyclops group is particularly proud of having created ransomware capable of infecting all three major platforms: Windows, Linux, and macOS. In an unprecedented move, it has also shared a separate binary specifically geared to steal sensitive data, such as an infected computer name and a number of processes. The latter targets specific files in both Windows and Linux.
New Dharma ransomware variants
PCrisk found new Dharma ransomware variants that append the .NBR and .thx extensions.
New STOP ransomware variants
PCrisk found new STOP ransomware variants that append the .nerz, .neon, and .neqp extensions.
June 6th 2023
Xollam, the Latest Face of TargetCompany
After first being detected in June 2021, the TargetCompany ransomware family underwent several name changes that signified major updates in the ransomware family, such as modifications in encryption algorithm and different decryptor characteristics.
June 7th 2023
CL0P Ransomware Gang Exploits CVE-2023-34362 MOVEit Vulnerability
According to open source information, beginning on May 27, 2023, CL0P Ransomware Gang, also known as TA505, began exploiting a previously unknown SQL injection vulnerability (CVE-2023-34362) in Progress Software’s managed file transfer (MFT) solution known as MOVEit Transfer.
June 8th 2023
Royal ransomware gang adds BlackSuit encryptor to their arsenal
The Royal ransomware gang has begun testing a new encryptor called BlackSuit that shares many similarities with the operation’s usual encryptor.
Clop ransomware likely testing MOVEit zero-day since 2021
The Clop ransomware gang has been looking for ways to exploit a now-patched zero-day in the MOVEit Transfer managed file transfer (MFT) solution since 2021, according to Kroll security experts.
An amazing map of the ransomware ecosystem and its evolution
Marine Pichon put together an amazing, and likely painstaking, map illustrating the ransomware operations and the groups they are affiliated with. Well worth taking a look.
Japanese pharma giant Eisai discloses ransomware attack
Pharmaceutical company Eisai has disclosed it suffered a ransomware incident that impacted its operations, admitting that attackers encrypted some of its servers.
New Dharma variant
PCrisk found a new Dharma ransomware variant that appends the .mono extension.
June 9th 2023
BlackCat ransomware fails to extort Australian commercial law giant
Australian law firm HWL Ebsworth confirmed to local media outlets that its network was hacked after the ALPHV ransomware gang began leaking data they claim was stolen from the company.
University of Manchester says hackers ‘likely’ stole data in cyberattack
The University of Manchester warns staff and students that they suffered a cyberattack where threat actors likely stole data from the University’s network.
That’s it for this week! Hope everyone has a nice weekend!