The week was dominated by fallout over the MOVEit Transfer data-theft attacks, with the Clop ransomware gang confirming that they were behind them.
On Monday, Microsoft was the first to attribute the attacks to the Clop ransomware operation, followed by the threat actors telling BleepingComputer that they started exploiting servers on May 27th.
After analyzing historic telemetry, Kroll security experts also found that the Clop gang likely tested the MOVEit Transfer zero-day since 2021 in limited attacks.
As expected, we are just starting to see the fallout from the attacks, with victims coming forward with announcements and data breach notifications.
The companies that have disclosed MOVEit Transfer breaches so far are listed below:
In other news, the Royal Ransomware gang has begun to test a new BlackSuit encryptor in limited attacks. As this is a self-contained ransomware operation with its own encryptor, Tor negotiation site, and data leak site, it’s unclear how they plan on using BlackSuit in the future.
Other research released this week is on the new ransomware variants called Cyclops and Xollam.
There was an interesting development regarding Rhysida’s ransomware attack on the Chilean army, with an Army corporal arrested for alleged involvement.
We also saw an attack on Japanese pharmaceutical company Eisai, and Australia’s largest commercial law firm, HWL Ebsworth, refusing to give in to ALPHV’s extortion demands.
Finally, we would be remiss for not sharing the excellent map of ransomware operations created by CERT Orange Cyberdefense threat intelligence researcher Marine Pichon.
Contributors and those who provided new ransomware information and stories this week include: @serghei, @LawrenceAbrams, @malwrhunterteam, @BleepinComputer, @demonslay335, @DanielGallagher, @fwosar, @billtoulas, @KrollWire, @Mar_Pich, @RedSenseIntel, @CISAgov, @FBI, @MsftSecIntel, @pcrisk, @TrendMicro, @PogoWasRight, @catabatarce, @GossiTheDog, @BrettCallow, and @uptycs.
June 4th 2023
CISA has added an actively exploited security bug in the Progress MOVEit Transfer managed file transfer (MFT) solution to its list of known exploited vulnerabilities, ordering U.S. federal agencies to patch their systems by June 23.
DataBreaches did not review all of the files leaked by the Rhysida ransomware group, but as the screencap of just a small portion of the file listing suggests, they do appear to be government-related files. Unlike other groups that often provide a brief summary of what kinds of files they are leaking, Rhysida offers no information on the size of the data leak or its contents.
June 5th 2023
Microsoft has linked the Clop ransomware gang to recent attacks exploiting a zero-day vulnerability in the MOVEit Transfer platform to steal data from organizations.
The Clop ransomware gang has told BleepingComputer they are behind the MOVEit Transfer data-theft attacks, where a zero-day vulnerability was exploited to breach servers belonging to “hundreds of companies” and steal data.
Editor’s note: This is related to the Rhysida ransomware attack on the Chilean military.
According to sources in the case, a series of electronic devices were seized from the soldier and are now being examined by detectives. He was prosecuted for violating the computer crime law and was subsequently placed in preventive detention.
The Cyclops group is particularly proud of having created ransomware capable of infecting all three major platforms: Windows, Linux, and macOS. In an unprecedented move, it has also shared a separate binary specifically geared to steal sensitive data, such as an infected computer name and a number of processes. The latter targets specific files in both Windows and Linux.
PCrisk found new Dharma ransomware variants that append the .NBR and .thx extensions.
PCrisk found new STOP ransomware variants that append the .nerz, .neon, and .neqp extensions.
June 6th 2023
After first being detected in June 2021, the TargetCompany ransomware family underwent several name changes that signified major updates in the ransomware family, such as modifications in encryption algorithm and different decryptor characteristics.
June 7th 2023
According to open source information, beginning on May 27, 2023, CL0P Ransomware Gang, also known as TA505, began exploiting a previously unknown SQL injection vulnerability (CVE-2023-34362) in Progress Software’s managed file transfer (MFT) solution known as MOVEit Transfer.
June 8th 2023
The Royal ransomware gang has begun testing a new encryptor called BlackSuit that shares many similarities with the operation’s usual encryptor.
The Clop ransomware gang has been looking for ways to exploit a now-patched zero-day in the MOVEit Transfer managed file transfer (MFT) solution since 2021, according to Kroll security experts.
Marine Pichon put together an amazing, and likely painstaking, map illustrating the ransomware operations and the groups they are affiliated with. Well worth taking a look.
Pharmaceutical company Eisai has disclosed it suffered a ransomware incident that impacted its operations, admitting that attackers encrypted some of its servers.
PCrisk found a new Dharma ransomware variant that appends the .mono extension.
June 9th 2023
Australian law firm HWL Ebsworth confirmed to local media outlets that its network was hacked after the ALPHV ransomware gang began leaking data they claim was stolen from the company.
The University of Manchester warns staff and students that they suffered a cyberattack where threat actors likely stole data from the University’s network.
Source: https://www.bleepingcomputer.com/news/security/the-week-in-ransomware-june-9th-2023-its-clop-again/