After russialinked clop fortra

Average ransomware payments significantly went up to US$220,298, which is an increase of 43%. It also said that the median ransom payment increased sharply to US$78,398 from US$49,459, which translates to a 60% hike.Recent Clop activitiesThe Clop ransomware gang also claimed to have targeted 130 organizations who were victims of the Fortra GoAnywhere MFT vulnerability over a month-long period in March 2023. Although Clop ransomware actors did not share specific details on how they exploited the vulnerability, security researcher Florian Hauser published proof-of-concept code on it, while Fortra released an emergency patch shortly after. Meanwhile, in April 2023, Microsoft attributed the exploitation of CVE-2023-27350 to the Clop and LockBit ransomware gangs. CVE-2023-27350 is a vulnerability in the widely used print management software solution PaperCut that was disclosed via Trend Micro's Zero Day Initiative (ZDI),™ as covered in ZDI-23-233. According to Microsoft, the threat actor abused the vulnerability to deploy the Truebot malware and ultimately, the Clop and LockBit ransomware families to steal critical company information.In May of this year, it was reported that FIN7 (aka Sangria Tempest) used the POWERTRASH malware to launch the Lizar toolkit in a series of that started in April 2023. The cybercrime group used the backdoor to take hold of and laterally move within the victim’s network and finally, distribute the Clop ransomware on compromised machines.Since May 2023, the group continuously exploited critical zero-day vulnerabilities in file transfer software MOVEit Transfer and MOVEit Cloud via CVE-2023-24362 and CVE-2023-35036, to compromise a number of private and public organizations from various industries. While the company was able to immediately deploy workarounds, Clop exploited these openings to get into vulnerable systems and networks to exfiltrate sensitive data. Researchers and analysts have noted that no ransomware payloads were observed from these attacks, but that the group were focused more

Hitachi Energy disclosed a data breach, the Clop ransomware gang stole the company data by exploiting the recent GoAnywhere zero-day flaw.Hitachi Energy disclosed a data breach, the company was hacked by the Clop ransomware gang that stole its data by exploiting the recently disclosed zero-day vulnerability in the GoAnywhere MFT (Managed File Transfer).The company was the victim of a large-scale campaign targeting GoAnywhere MFT devices worldwide by exploiting the zero-day vulnerability.“We recently learned that a third-party software provider called FORTRA GoAnywhere MFT (Managed File Transfer) was the victim of an attack by the CLOP ransomware group that could have resulted in an unauthorized access to employee data in some countries.” reads the statement pblished by the company.“Upon learning of this event, we took immediate action and initiated our own investigation, disconnected the third-party system, and engaged forensic IT experts to help us analyze the nature and scope of the attack. Employees who may be affected have been informed and we are providing support. We have also notified applicable data privacy, security and law enforcement authorities and we continue to cooperate with the relevant stakeholders.”Hitachi Energy immediately launched an investigation into the incident and disconnected the compromised system. The company reported the data breach to law enforcement agencies and data protection watchdog. The company pointed out that its network operations or the security of its customer data have not been compromised.In early February, the popular investigator Brian Krebs first revealed details about the zero-day on Mastodon and pointed out that Fortra has yet to share a public advisory.According to the private advisory published by Fortra, the zero-day is a remote code injection issue that impacts GoAnywhere MFT. The vulnerability can only be exploited by attackers with access to the administrative console of the application.Installs with administrative consoles and management interfaces that

Ransomware, Threat ManagementU.S. healthcare providers have been warned by the Department of Health and Human Services Cybersecurity Coordination Center regarding new Clop and LockBit ransomware attacks leveraging a Fortra GoAnywhere Managed File Transfer system flaw, tracked as CVE-2023-0669, and two other vulnerabilities in the PaperCut MF/NG printing management software, tracked as CVE-2023-27350 and CVE-2023-27350, HealthITSecurity reports.Exploitation of the Fortra GoAnywhere vulnerability has been noted to account for a 91% increase in ransomware attacks in March compared with February, with Clop, which has almost always targeted the healthcare sector, admitting to having compromised 129 organizations, according to the HC3 alert.Meanwhile, both PaperCut flaws could be leveraged to enable bypass authentication across over 100 million users around the world.Immediate patching has been urged for all of the actively exploited vulnerabilities, with master encryption key modifications and credential resets advised for the Fortra GoAnywhere bug and traffic blocking recommended to mitigate the PaperCut flaws."The probability of cyber threat actors, including Cl0p, targeting the healthcare industry remains high. Prioritizing security by maintaining awareness of the threat landscape, assessing their situation, and providing staff with tools and resources necessary to prevent a cyberattack remains the best way forward for healthcare organizations," said the HC3.Get essential knowledge and practical strategies to protect your organization from ransomware attacks.RelatedGet daily email updatesSC Media's daily must-read of the most current and pressing daily news

The fast-rising Clop ransomware gang is capitalizing on compromising a single environment, underscoring the need to assess security of software supply chains. The number of ransomware attacks in July rose over 150% compared to last year and the actors behind the Clop ransomware were responsible for over a third of them. The gang took the lead from LockBit as the top ransomware threat after exploiting a zero-day vulnerability in a managed file transfer (MFT) application called MOVEit in June. While the MOVEit attacks were used for data theft and subsequent extortion, they were not used to deploy the actual Clop ransomware program, even though the actors behind the attacks are associated with this ransomware program and took credit for the campaign.“This campaign is particularly significant given that Clop has been able to extort hundreds of organizations by compromising one environment,” Matt Hull, global head of threat intelligence at NCC Group, said in a report. “Not only do you need to be vigilant in protecting your own environment, but you must also pay close attention to the security protocols of the organizations you work with as part of your supply chain.”Clop takes the ransomware leadNCC Group has recorded 502 ransomware-related attacks in July, a 16% increase from the 434 seen in June, but a 154% rise from the 198 attacks seen in July 2022. The Clop gang was responsible for 171 (34%) of the 502 attacks while LockBit came in second with 50 attacks (10%). LockBit has dominated the ransomware space since the middle of last year after the notorious Conti gang disbanded and the LockBit authors revamped their affiliate program to fill the void and attract former Conti partners. Ransomware-as-a-service (RaaS) operations such as LockBit rely on collaborators called affiliates to break into enterprise networks and deploy the ransomware program in exchange for a hefty percentage of the ransoms. Clop is also a RaaS operation that has existed since 2019 and before that it acted as an initial access broker (IAB) selling access to compromised corporate networks to other groups. It also operated a large botnet specialized in financial fraud and phishing. According to a CISA advisory, the Clop gang and its affiliates compromised over 3,000 organizations in the US and over 8,000 globally to date.The Clop actors are known for their ability to develop zero-day exploits for popular enterprise software, especially MFT applications. The group exploited Accellion File Transfer Appliance (FTA) devices in 2020 and 2021, Fortra/Linoma GoAnywhere MFT servers in early 2023, and MOVEit transfer deployments in June — an attack campaign that’s believed to have affected up to 500 organizations. “It has been noted by some in the industry that the attack and its wide-scale impact marks