Cl0p attacks Shen Milsom & Wilke

The Cl0p ransomware gang has attacked Shen Milsom & Wilke. Shen Milsom & Wilke (SM&W) is a global consulting firm that specializes in providing audiovisual, information technology, security, acoustics, and telecommunications engineering services. The firm is known for its expertise in designing and implementing technology solutions for a wide range of projects across various industries. Cl0p posted Shen Milsom & Wilke to its data leak site on September 25th, claiming to have stolen “agreements, PII documents, confidential documents, etc.” Cl0p is a RaaS platform first observed in 2019. Cl0p has advanced anti-analysis capabilities and anti-virtual machine analysis to prevent investigations in an emulated environment like those commonly used by security tools. Cl0p is increasingly using automation to exploit known vulnerabilities to infiltrate targets, as well as a SQL injection zero-day vulnerability (CVE-2023-34362) that installs a web shell – a rarity amongst ransomware operators. Attacks by Cl0p surged in Q1 of 2023 as the gang leveraged patchable exploits for the GoAnywhere file transfer software to compromise more than 100 victims in a matter of weeks, although it is unknown how well they were able to monetize the attacks. Cl0p is likely to be leveraging automation to identify exposed organizations who have not patched against known vulnerability, which is why we are seeing so many new victims. Ransom demands vary depending on the target and average around $3 million dollars but have been reported as to be as high as $20 million. Ransom amounts are likely to continue to grow as Cl0p focuses more on the exfiltration of sensitive data. Cl0p is one of just a handful of RaaS providers that have developed a Linux version, an indication that Cl0p is likely actively recruiting new talent to help improve their platform and expand the scope of what and whom they can attack. Cl0p’s Windows version was written in C++ and encrypts files with RC4 and the encryption keys with RSA 1024-bit. Cl0p had previously almost exclusively hit targets in the healthcare sector but has significantly expanded targeting to include most any organization with vulnerable GoAnywhere installations. Cl0p runs an expansive affiliate program and exfiltrates data to be leveraged in triple extortion schemes and has significantly expanded its primary target range beyond the healthcare sector. There are indications that Cl0p may be shifting to more of a pure data extortion model, but most victims still suffer the ransomware payload at this point.