Secureworks® Counter Threat Unit™ (CTU) researchers are investigating an increase in the number of victims posted on the Clop ransomware leak site. Clop ransomware was first identified in February 2019 and is attributed to the financially motivated GOLD TAHOE threat group (also known as TA505), which has been active since at least 2015. A March 2023 Secureworks incident response engagement revealed another group, likely GOLD NIAGARA, deploying this ransomware.

The Clop leak site listed 91 victims in March 2023, which is more than 65 percent of the total number of victims published between August 2020 and February 2023 (see Figure 1). This sudden increase in victims is likely associated with February 2023 claims that the threat group exploited a zero-day vulnerability (CVE-2023-0669) in the Fortra GoAnywhere MFT secure file transfer tool to access and steal data from 130 organizations. If the claim is true, additional victims will likely be published to the leak site.

This surge in activity focused on data theft and extortion. Unlike previous Clop campaigns, which encrypted compromised networks after data exfiltration using a randomly generated AES key, there is no evidence as of this publication that these victims' systems were encrypted.

Figure 1. The number of victims listed on the Clop leak site between August 2020 and March 2023, with significant events indicated. (Source: Secureworks)

Many of the alleged victims of the GoAnywhere attack are high-profile multi-billion-dollar organizations. Fortra GoAnywhere MFT is used in over 3,000 organizations, predominantly ones with over 10,000 employees and revenues of more than $1 billion USD. Threat groups often use an organization's revenue to calculate the ransom demand. Although ransom details are private, the demands are estimated in the tens of millions of dollars for many of the affected companies. However, the ransom amount may also be influenced by the perceived value of the data. One victim publicly stated that "the files in question pose no risk to customers or employees as they contain no personal data," making it less likely that the organization would pay a large ransom.

This is the second time that GOLD TAHOE has exploited vulnerabilities in a file transfer tool to target multiple victims. The first, in 2021, leveraged a flaw in the legacy Accellion File Transfer Appliance (FTA) software, which at the time was used by approximately 300 customers. Accellion claimed that fewer than 100 of its customers were compromised and that fewer than 25 suffered significant data theft. Although Clop was not deployed in all of these breaches, the threat actors exfiltrated data and posted victims to their leak site. As a result, March 2021 held the record for the most victims published to the site until March 2023.

The opportunistic nature of the GoAnywhere exploit means that the value of the stolen data is unclear. The threat actors stated that they only exfiltrated data stored on compromised GoAnywhere MFT servers. However, they claimed to have the ability to move laterally through compromised networks and deploy ransomware. They may have decided not to deploy ransomware so they could target as many organizations as possible, rather than taking time to identify valuable information on individual networks and risk losing access to the wider victim base. There is insufficient evidence to confirm whether the threat actors had the potential for lateral movement.

In a widespread attack involving a large number of victims, it is inevitable that some organizations would be more impacted than others. Some compromises only impacted victims' testing environments. Other breaches involved theft of sensitive customer data.

The March 2023 activity shows that the Clop operators have recovered from law enforcement action in November 2021, when Ukrainian authorities arrested six individuals as part of Interpol's Operation Cyclone for their role in attacks against Korean companies and U.S. academic institutions.

CTU™ researchers advise organizations using GoAnywhere MFT to review the Fortra advisory and upgrade as appropriate. Fortra has published mitigations for customers who cannot upgrade.
If you need urgent assistance with an incident, contact the Secureworks Incident Response team.