Cl0p Ransomware Gang Continues Exploiting GoAnywhere Vulnerability

Date: March 27, 2023


The Cl0p ransomware gang continues its campaign of extorting companies by exploiting a known vulnerability in Fortra's GoAnywhere MFT file-transfer software (CVE-2023-0669), having added more than one hundred new victims to its leak site in the past few weeks.

“Over the past month, one hundred new companies have been added to Clop's data leak site, with the extortion gang threatening to leak data if a ransom is not paid,” reports Bleeping Computer.

“While it is not confirmed if all of these companies were breached using the GoAnywhere zero-day, BleepingComputer has confirmed this week that Saks Fifth Avenue, the City of Toronto, Procter & Gamble, Virgin Red, and the UK Pension Protection Fund are related to the vulnerability.”

Takeaway: The mass exploitation of the GoAnywhere MFT vulnerability in this wave of Cl0p attacks should put every organization running the software on high alert. Over the past month, more than one hundred new victims have been added to Cl0p's data leak site, including Saks Fifth Avenue and Virgin Red, to name just a few. Fortra fixed the flaw in GoAnywhere MFT 7.1.2; any instance that ran an earlier version with its administrative console reachable from the internet should be treated as potentially compromised until the logs prove otherwise, since the exploitation began before a patch was available.

Cl0p is most likely using automation to find internet-exposed GoAnywhere instances that have not been patched against the known vulnerability, which is why new victims are appearing so quickly. Many of the organizations added to the Cl0p leak site have not reported a cyberattack, so Cl0p has likely already exfiltrated large amounts of confidential data from them, or is still exfiltrating it as a precursor to deploying a ransomware payload.

These attacks typically involve weeks or even months of attacker activity: the intruders work to infiltrate as much of the target network and exfiltrate as much data as possible before encrypting systems. Organizations must be able to disrupt an attack at initial ingress, during lateral movement, when command and control is established, and when data exfiltration begins, not only at the moment the attackers attempt to execute malicious binaries. They also need to ensure that, if a ransomware attack does succeed, the organization is resilient and confident in its ability to minimize the duration, spread, and overall impact of the attack and to return to normal operations as quickly as possible.
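One concrete way to look for the ingress stage of this particular campaign is to run a detector over the web access logs of the GoAnywhere host. The example below is added here and is not code from the original article or from Halcyon. It assumes the facts from Fortra's advisory and public analysis of CVE-2023-0669: the flaw is a pre-authentication deserialization bug in the administrative console's license response servlet, reached via POST to `/goanywhere/lic/accept`, and fixed in GoAnywhere MFT 7.1.2. The log format, the admin-console allowlist, and the sample log lines are constructed for illustration.

```python
"""Flag access-log evidence of CVE-2023-0669 exploitation attempts and
check whether a GoAnywhere MFT version string is at or above the fix.

Added example, not part of the original article. Assumptions: POST to
/goanywhere/lic/accept is the exploit vector; 7.1.2 is the fixed version;
the log format, allowlist and sample lines below are constructed.
"""
import ipaddress
import re
from typing import Dict, List, Optional, Tuple

LICENSE_SERVLET = "/goanywhere/lic/accept"   # pre-auth servlet abused by the exploit
ADMIN_CONSOLE_PREFIX = "/goanywhere/"        # admin console path prefix
PATCHED_VERSION = (7, 1, 2)                  # first fixed GoAnywhere MFT release

# Hypothetical: networks from which the admin console is legitimately used.
ADMIN_ALLOWLIST = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("192.168.0.0/16"),
]

# Apache/NGINX "combined"-style access log line (constructed format).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3})'
)

# Constructed sample log. 203.0.113.0/24 and 198.51.100.0/24 are RFC 5737
# documentation ranges standing in for internet sources.
SAMPLE_LOG = """\
10.20.30.40 - - [28/Jan/2023:09:12:01 +0000] "GET /goanywhere/auth/Login.xhtml HTTP/1.1" 200 5123
203.0.113.7 - - [28/Jan/2023:09:14:22 +0000] "POST /goanywhere/lic/accept HTTP/1.1" 500 311
203.0.113.7 - - [28/Jan/2023:09:14:25 +0000] "POST /goanywhere/lic/accept HTTP/1.1" 200 42
198.51.100.9 - - [28/Jan/2023:10:01:00 +0000] "GET /goanywhere/ HTTP/1.1" 302 0
10.20.30.41 - - [28/Jan/2023:10:05:13 +0000] "GET /goanywhere/lic/accept HTTP/1.1" 405 0
"""


def parse_line(line: str) -> Optional[Dict[str, str]]:
    """Return the named fields of one access-log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def is_allowlisted(ip: str) -> bool:
    """True if the source address falls inside an admin-console allowlist range."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return any(addr in net for net in ADMIN_ALLOWLIST)


def analyze(log_text: str) -> List[Dict[str, str]]:
    """Scan log lines and return findings, most serious first in log order.

    high:   POST to the license servlet from outside the allowlist (exploit vector)
    medium: POST to the license servlet from inside (verify it was a real license
            import) or any admin-console request from outside the allowlist
            (exposure that the attackers' scanning would find).
    """
    findings: List[Dict[str, str]] = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if not rec:
            continue
        path = rec["path"].split("?", 1)[0]      # ignore any query string
        internal = is_allowlisted(rec["ip"])
        if rec["method"] == "POST" and path == LICENSE_SERVLET:
            findings.append({
                "severity": "medium" if internal else "high",
                "ip": rec["ip"], "ts": rec["ts"], "status": rec["status"],
                "reason": "POST to license response servlet (CVE-2023-0669 vector)",
            })
        elif not internal and path.startswith(ADMIN_CONSOLE_PREFIX):
            findings.append({
                "severity": "medium",
                "ip": rec["ip"], "ts": rec["ts"], "status": rec["status"],
                "reason": "admin console reachable from outside the allowlist",
            })
    return findings


def version_tuple(version: str) -> Tuple[int, ...]:
    """'7.1.2' -> (7, 1, 2); tolerates suffixes like '7.1.2-beta'."""
    return tuple(int(p) for p in re.findall(r"\d+", version))


def is_patched(version: str) -> bool:
    """True if the GoAnywhere MFT version string is at or above 7.1.2."""
    return version_tuple(version) >= PATCHED_VERSION


if __name__ == "__main__":
    for f in analyze(SAMPLE_LOG):
        print(f"[{f['severity']:<6}] {f['ts']} {f['ip']:<14} HTTP {f['status']}  {f['reason']}")
    for v in ("7.0.3", "7.1.1", "7.1.2", "7.2.0"):
        print(f"GoAnywhere {v}: {'patched' if is_patched(v) else 'VULNERABLE'}")
```

A high finding with a 500 followed by a 200 from the same external address is exactly the shape a deserialization exploit attempt tends to leave and should trigger an incident response, not just a patch; the medium exposure finding is worth acting on even with no POST in the logs, because it means the console was scannable while the flaw was unpatched.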

These are multi-stage attacks, and that means there are multiple opportunities to detect and stop them. Organizations need both a robust prevention strategy and an agile resilience strategy to defend against this wave of ransomware attacks. A successful ransomware readiness plan therefore combines endpoint protection, patch management, data backups, access controls, and employee awareness training with regular testing of the organization's procedures and resilience.

Halcyon.ai is the industry’s first dedicated, adaptive security platform that combines multiple advanced proprietary prevention engines along with AI models focused specifically on stopping ransomware – talk to a Halcyon expert today to find out more.