A total of 91 new victims were added to the Clop (aka Cl0p) ransomware leak site during March 2023, more than 65% of the total number of victims published between August 2020 and February 2023, as the threat group behind the ransomware, tracked by the Secureworks Counter Threat Unit (CTU) as Gold Tahoe embarked on a wide-ranging campaign of attacks.
The current surge in Clop activity is almost entirely down to the group’s successful exploitation of a zero-day vulnerability in the Fortra GoAnywhere managed file transfer (MFT) tool. Previous reports have claimed that the group has accessed and stolen data from 130 organisations via this method, which suggests that more are likely to be published. Currently known victims include energy sector giant Hitachi Energy, pharma giant Proctor & Gamble, security and storage firm Rubrik, and American department store Saks Fifth Avenue.
Many of the victims of the Fortra event are very high-profile organisations with revenues running into the billions, so despite ransom details being private, the CTU estimated that in many cases demands will run into the tens of millions.
However, Secureworks noted, the ransom demands may also be influenced by the perceived value of the data – in the Saks Fifth Avenue attack, for example, the supposed customer data the gang stole turned out to be mock customer data used to test internal systems, making it less likely the organisation will pay up.
Secureworks CTU intelligence director Mike McLellan said that unfortunately, wide-ranging supply chain attacks such as the Fortra incident are falling into a depressingly familiar pattern. “For an attacker, finding a vulnerability in popular third-party software can be like hitting the jackpot. Software often has privileged status to run on networks, it’s trusted. When that software is compromised, that system of trust is turned against customers.,” he said.
“While different to the 3CX or Solarwinds [Sunburst] supply chain compromises, where attackers were able to compromise the software build process, the kind of indiscriminate exploitation activity that we’ve seen here can be just as damaging for individual organisations, if sensitive data is put at risk,” added McLellan.
Secureworks said that Gold Tahoe’s attacks had focused merely on data theft and extortion, and not encryption, which one would traditionally associate with a ransomware attack. Indeed, unlike previous Clop campaigns there is currently no evidence that any of the known Fortra incident victims have had their systems encrypted.
There is also something of a lack of clarity in regard to the value of the data that was stolen, with Gold Tahoe stating it only stole information stored on compromised GoAnywhere servers and claiming that it had the ability to move laterally and deploy ransomware, raising the question, why has it not done so?
McLellan said that Gold Tahoe may have decided not to actually deploy the Clop locker because it was trying to target as many victims as possible before Forta addressed the issue. Had it spent time identifying each victims’ ‘crown jewels’ it is possible it may have lost access to the wider victim base.
Who is Gold Tahoe?
Gold Tahoe is a longstanding, financially-motivated cyber criminal group that has been active in some form for over a decade. It has been known by many other names, perhaps most popularly Evil Corp – which it likely adopted itself in reference to the TV show Mr Robot – while threat researchers at Proofpoint know it as TA505, and other security organisations will have different designations.
The Russia-based operation was formerly an enthusiastic operator of the Dridex banking trojan and its predecessor Zeus, and many other malwares, and was one of the first groups to ramp up targeting of healthcare and pharmaceutical organisations at the onset of the Covid-19 pandemic.
Already notable in security circles having stolen over $100m in the course of its activity, the gang gained widespread public notoriety in 2019 when multiple members, including alleged leader Maksim Yakubets, and deputy Igor Turashev, were sanctioned by the US authorities.
Yakubets was notable for his lavish lifestyle, splurging the profits of the gang’s cyber attacks on an elaborate wedding, and a customised Lamborghini with vanity plates that spelled out the Russian word for thief. The deterioration of relations with Russia means that neither have ever faced justice.
However, it may not be the only actor involved in the current Clop campaign, claimed the Secureworks team. In one incident to which it responded last month, it found Clop being used by another actor, likely one it tracks as Gold Niagara (aka Carbon Spider or FIN7).
Gold Niagara historically targeted restaurants, retailers and hospitality organisations in order to access and steal money from their point-of-sale systems. However, there is some evidence that it pivoted to ransomware in 2021, with elements of the gang thought to be associated with the DarkSide operation.