The number of ransomware attacks in July rose over 150% compared to last year and the actors behind the Clop ransomware were responsible for over a third of them. The gang took the lead from LockBit as the top ransomware threat after exploiting a zero-day vulnerability in a managed file transfer (MFT) application called MOVEit in June. While the MOVEit attacks were used for data theft and subsequent extortion, they were not used to deploy the actual Clop ransomware program, even though the actors behind the attacks are associated with this ransomware program and took credit for the campaign.
“This campaign is particularly significant given that Clop has been able to extort hundreds of organizations by compromising one environment,” Matt Hull, global head of threat intelligence at NCC Group, said in a report. “Not only do you need to be vigilant in protecting your own environment, but you must also pay close attention to the security protocols of the organizations you work with as part of your supply chain.”
Clop takes the ransomware lead
NCC Group has recorded 502 ransomware-related attacks in July, a 16% increase from the 434 seen in June, but a 154% rise from the 198 attacks seen in July 2022. The Clop gang was responsible for 171 (34%) of the 502 attacks while LockBit came in second with 50 attacks (10%).
LockBit has dominated the ransomware space since the middle of last year after the notorious Conti gang disbanded and the LockBit authors revamped their affiliate program to fill the void and attract former Conti partners. Ransomware-as-a-service (RaaS) operations such as LockBit rely on collaborators called affiliates to break into enterprise networks and deploy the ransomware program in exchange for a hefty percentage of the ransoms.
Clop is also a RaaS operation that has existed since 2019 and before that it acted as an initial access broker (IAB) selling access to compromised corporate networks to other groups. It also operated a large botnet specialized in financial fraud and phishing. According to a CISA advisory, the Clop gang and its affiliates compromised over 3,000 organizations in the US and over 8,000 globally to date.
The Clop actors are known for their ability to develop zero-day exploits for popular enterprise software, especially MFT applications. The group exploited Accellion File Transfer Appliance (FTA) devices in 2020 and 2021, Fortra/Linoma GoAnywhere MFT servers in early 2023, and MOVEit transfer deployments in June — an attack campaign that’s believed to have affected up to 500 organizations.