[BreachExchange] A week after arrests, Cl0p ransomware group dumps new tranche of stolen data

Sophia Kingsbury sophia.kingsbury at riskbasedsecurity.com
Wed Jun 23 12:10:42 EDT 2021


https://arstechnica.com/gadgets/2021/06/a-week-after-arrests-cl0p-ransomware-group-dumps-new-tranche-of-stolen-data/

A week after Ukrainian police arrested criminals affiliated with the
notorious Cl0p ransomware gang, Cl0p has published a fresh batch of what’s
purported to be confidential data stolen in a hack of a previously unknown
victim. Ars won’t be identifying the possibly victimized company until
there is confirmation that the data and the hack are genuine.

If genuine, the dump shows that Cl0p remains intact and able to carry out
its nefarious actions despite the arrests. That suggests that the suspects
don’t include the core leaders but rather affiliates or others who play a
lesser role in the operations.

The data purports to be employee records, including verification of
employment for loan applications and documents pertaining to workers whose
wages have been garnished. I was unable to confirm that the information is
genuine and that it was, in fact, taken during a hack on the company,
although web searches showed that names listed in the documents matched
names of people who work for the company.

Company representatives didn’t respond to a phone call seeking comment.
Cl0p members didn’t respond to emails sent to addresses listed on the
group’s site on the dark web.

An existential threat

For almost a decade, ransomware has grown from a costly inconvenience into
an existential threat that can shut down hospitals and disrupt gasoline and
meat supplies. Under pressure from the Biden administration, the US Justice
Department is prioritizing federal ransomware cases. Biden also raised
concerns with Russian President Vladimir Putin about the proliferation of
ransomware attacks from Russian-speaking groups, such as Cl0p.

Last week’s apprehension by Ukrainian police of six people affiliated with
Cl0p was seen as a coup in some circles because it marked the first time a
national law enforcement group has carried out mass arrests involving a
ransomware group. But as Wired reporter Lily Hay Newman observed, the
crackdown is unlikely to ease the ransomware epidemic until Russia itself
follows suit.

The new leak confirms the limits of current ransomware response. Much of
the flimsiness stems from the decentralization of the ransomware economy,
which rests on two crucial but independent entities. The first is the group
that maintains the ransomware itself and often some of the Internet
infrastructure it runs on.

The second entity is the team of hackers that leases the ransomware and
shares any revenue generated with the ransomware maintainers. Often, one
group has little or no knowledge of the other, so the shutdown of one has
no effect on the other.

The fight continues

Compounding the difficulty law enforcement faces, many of the groups reside
in Russia or other Eastern European countries that have no extradition
treaties with the US.

Cl0p was first spotted in early 2019. Recent targets have included oil
company Shell, international law firm Jones Day, US bank Flagstar, and
several US universities including Stanford and the University of
California. Often, affiliated hackers exploit vulnerabilities in the
Accellion File Transfer Appliance. Cl0p has also been observed operating
broad malicious email campaigns to identify potential corporate victims. In
many cases, the campaigns use data stolen from existing victims to better
trick customers, partners, or vendors into thinking that a malicious email
is benign.

The ability of Cl0p to post leaked documents following last week’s arrests
suggests that the suspects weren’t core members and instead were either
affiliates or, as Intel 471 told security reporter Brian Krebs, “limited to
the cash-out and money laundering side of CLOP’s business only.” And that
means the fight against this group and the Internet scourge it’s a part of
will continue for the foreseeable future.