clop attacks Virgin Group

Date:

March 23, 2023

World map

Overview

Title

clop attacks Virgin Group

Victim

Virgin Group

Attacker

Cl0p

Location

London, United Kingdom

London,

Size of Attack

Unknown/TBD

First Reported

March 23, 2023

Last Updated

October 31, 2022

The Cl0p gang claims to have breached more than150 organizations, having added about 30 more victims in one day – including international conglomerate Virgin Group, Toronto Municipality, Mexican airline Volaris, US TV network Gray Television, and more.  

“At the time of writing, the gang’s leak site had no information about what type of data was taken and when. Cybernews has reached out to Virgin Group for comment, but we did not immediately receive a response,” Cybernews reports.

Cl0p is leveraging a vulnerability in the popular file sharing application GoAnywhere to carry out this massive attack campaign. The tool’s producer Fortra had released a patch for the bug back on February 7, but the intrusions may have already occurred, and likely have already exfiltrated sensitive data from the targets, but many organizations are still exposed.

Takeaway: The Cl0p ransomware gang has reportedly added 30 more organizations to its leaks website in the last 24 hours - including transportation giant Virgin Group. These organizations are likely victims of Cl0p's mass exploitation of the GoAnywhere vulnerability, bringing the total number of known Cl0p targets in this campaign closer to 200, and there are likely more.

This wave of Cl0p attacks is immensely concerning for several reasons, the first being around how surprisingly successful they have been in exploiting a known vulnerability for which there is a patch already available. Patching systems can be a complex process for some organizations. In order to avoid breaking critical business systems, patches often need to be applied in dev environments and tested prior to being put into production environments. Even then, some issues prevent patching due to legacy systems/software or internal (home-brewed) scripts/applications that will break if the patch is applied haphazardly. Thus, there can be months or more of work to do before some vulnerabilities can be mitigated, leaving the organization exposed.

Another concern is that this spate of attacks is likely evidence that ransomware operators like Cl0p are leveraging automation to identify exposed organizations who may not have had the time or resources to patch against known vulnerabilities. If Cl0p is claiming they have compromised more than 150 organizations so far in this campaign, it is likely they have already successfully exfiltrated large amounts of confidential information from the victims. Just as important is the fact that there could be dozens of other targets who are at this very moment experiencing data loss as a precursor to the delivery of a ransomware payload, and they don't even realize they are in the midst of a major attack.

Mulli-stage ransomware attacks have a long tail, as they typically involve weeks or even months of effort by attackers to infiltrate as much of the target network and exfiltrate as much data as possible before encrypting systems so they can demand higher ransom payouts. There are basically two things organizations need to do to prepare for ransomware attacks: first ensure the organization is prepared to detect and prevent the attack at multiple points in the attack sequence: at initial ingress, at lateral movement, when they establish C2, at data exfiltration and so on. The second is to assure that in the event of a successful ransomware attack, the organization is resilient. The goal is always to minimize the duration, spread and overall impact of the attack and get back to normal as quickly as possible. Both strategies need to be in play simultaneously.

These ransomware campaigns are multi-stage attacks, so we have multiple opportunities to detect and stop them. Organizations need both a robust prevention strategy as well as an agile resilience strategy. This approach includes deploying endpoint protection solutions, good patch management, offsite data backups, good access controls, employee awareness training, and regular procedure and resilience testing for a ransomware readiness plans to be successful.

Halcyon.ai is the industry’s first dedicated, adaptive security platform that combines multiple advanced proprietary prevention engines along with AI models focused specifically on stopping ransomware – talk to a Halcyon expert today to find out more.

The Cl0p ransomware gang has reportedly added 30 more organizations to its leaks website in the last 24 hours including transportation giant Virgin Group...

Oh no!

This attack's description was not found, while we work on the detailed account of this attack we invite you to browse through other recent Rasomware Attacks in the table below.

Recent Ransomware Attacks

The Recent Ransomware Attacks (RRA) site acts as a watchtower, providing you with near real-time ransomware tracking of attacks, groups and their victims. Given threat actors’ overarching, lucrative success so far, ransomware attacks have become the most ubiquitous, and financially and informationally impactful cyber threat to businesses and organizations today.

The site’s data is generated based on hosting choices of real-world threat actors, and a handful of other trackers. While sanitization efforts have been taken, we cannot guarantee 100% accuracy of the data. Attack updates will be made as source data is reported by reputable sources. By viewing, accessing, or using RRA you acknowledge you are doing so at your own risk.

LockBit attacks Leos Jeans
Date
November 15, 2023
Ransomware group
LockBit
Location

Butzbach, Germany

Butzbach, Germany

Industry
Retail Trade
Victim
Leos Jeans
LockBit attacks Leos Jeans
Date
November 15, 2023
Ransomware group
LockBit
Location

Butzbach, Germany

Butzbach, Germany

Industry
Retail Trade
Victim
Leos Jeans
BlackCat/ALPHV attacks 4set
Date
November 14, 2023
Ransomware group
ALPHV
Location

Bizkaia, Spain

Basco, Spain

Industry
Professional, Scientific & Technical Services
Victim
4set
BlackCat/ALPHV attacks 4set
Date
November 14, 2023
Ransomware group
ALPHV
Location

Bizkaia, Spain

Basco, Spain

Industry
Professional, Scientific & Technical Services
Victim
4set
Cuba attacks DiagnosTechs
Date
November 14, 2023
Ransomware group
Cuba
Location

Federal Way, USA

Washington, USA

Industry
Professional, Scientific & Technical Services
Victim
DiagnosTechs
Cuba attacks DiagnosTechs
Date
November 14, 2023
Ransomware group
Cuba
Location

Federal Way, USA

Washington, USA

Industry
Professional, Scientific & Technical Services
Victim
DiagnosTechs
NoEscape attacks Carespring Health Care Management
Date
November 14, 2023
Ransomware group
NoEscape
Location

Cincinnati, USA

Ohio, USA

Industry
Healthcare
Victim
Carespring Health Care Management
NoEscape attacks Carespring Health Care Management
Date
November 14, 2023
Ransomware group
NoEscape
Location

Cincinnati, USA

Ohio, USA

Industry
Healthcare
Victim
Carespring Health Care Management
BlackCat/ALPHV attacks Execuzen
Date
November 14, 2023
Ransomware group
ALPHV
Location

London, United Kingdom

London, United Kingdom

Industry
Professional, Scientific & Technical Services
Victim
Execuzen
BlackCat/ALPHV attacks Execuzen
Date
November 14, 2023
Ransomware group
ALPHV
Location

London, United Kingdom

London, United Kingdom

Industry
Professional, Scientific & Technical Services
Victim
Execuzen
LockBit attacks University of the Aegean
Date
November 13, 2023
Ransomware group
LockBit
Location

Mytilene, Greece

Mytilene, Greece

Industry
Education
Victim
University of the Aegean
LockBit attacks University of the Aegean
Date
November 13, 2023
Ransomware group
LockBit
Location

Mytilene, Greece

Mytilene, Greece

Industry
Education
Victim
University of the Aegean
LockBit attacks Hotel Ampere Paris
Date
November 12, 2023
Ransomware group
LockBit
Location

Paris, France

Paris, France

Industry
Accommodations & Food Services
Victim
Hotel Ampere Paris
LockBit attacks Hotel Ampere Paris
Date
November 12, 2023
Ransomware group
LockBit
Location

Paris, France

Paris, France

Industry
Accommodations & Food Services
Victim
Hotel Ampere Paris
LockBit attacks Carson Team
Date
November 12, 2023
Ransomware group
LockBit
Location

Portland, USA

Oregon, USA

Industry
Other
Victim
Carson Team
LockBit attacks Carson Team
Date
November 12, 2023
Ransomware group
LockBit
Location

Portland, USA

Oregon, USA

Industry
Other
Victim
Carson Team
Cuba attacks Port Adelaide FC
Date
November 12, 2023
Ransomware group
Cuba
Location

Alberton, Australia

South Australia, Australia

Industry
Arts, Entertainment & Recreation
Victim
Port Adelaide FC
Cuba attacks Port Adelaide FC
Date
November 12, 2023
Ransomware group
Cuba
Location

Alberton, Australia

South Australia, Australia

Industry
Arts, Entertainment & Recreation
Victim
Port Adelaide FC
LockBit attacks Floortex
Date
November 11, 2023
Ransomware group
LockBit
Location

Tewkesbury, United Kingdom

Gloucestershire, United Kingdom

Industry
Manufacturing
Victim
FloorTex
LockBit attacks Floortex
Date
November 11, 2023
Ransomware group
LockBit
Location

Tewkesbury, United Kingdom

Gloucestershire, United Kingdom

Industry
Manufacturing
Victim
FloorTex