Massive Cl0p Ransomware Campaign Likely Driven by Automation


March 29, 2023

World map

Scores of organizations that have not patched a known vulnerability in the GoAnywhere file transfer software have fallen victim to ransomware attack by the threat actor Cl0p in recent weeks.  

Scores more have been added to the group’s leaks website but have yet to report they were attacked yet, so we can expect this mass attack campaign to continue.

“Over the past few days, the Russia-linked Clop gang has added dozens of other organizations to its dark web leak site, which it uses to extort companies further by threatening to publish the stolen files unless a financial ransom demand is paid,” TechCrunch reports.

“Since the attack in late January or early February — the exact date is not known — Clop has disclosed less than half of the 130 organizations it claimed to have compromised via GoAnywhere, a system that can be hosted in the cloud or on an organization’s network that allows companies to securely transfer huge sets of data and other large files.”

Takeaway: The mass exploitation of the GoAnywhere vulnerability in this recent wave of Cl0p ransomware attacks should have companies who are using the software on high alert. Over the past month, more than one hundred new victims have been added to Clop's data leak site. Cl0p is likely to be leveraging automation to identify exposed organizations who have not patched against known vulnerability, which is why we are seeing so many new victims.

Automation means more victims faster, hence the recent "wave" of attacks. And GoAnywhere is not the only buggy solution out there that can be exploited en masse like this - it's just a really good example of what we can expect as these RaaS operators continue to improve their capabilities.

Also of note is the fact that many organizations that have been added to the Cl0p leaks website have not reported a cyberattack, so it is likely Cl0p has already or are in the process of exfiltrated large amounts of confidential information from these victims as a precursor to the delivery of a ransomware payload.

These attacks typically involve weeks or even months of activity by attackers as they work to infiltrate as much of the target network and exfiltrate as much data as possible before encrypting systems. Organizations must have the ability to disrupt attacks at initial ingress, when attackers move laterally, command and control is established, data exfiltration begins - not just when the attackers attempt to execute malicious binaries. They also need to assure that in the event of a successful ransomware attack, the organization is resilient and confident in their ability to minimize the duration, spread and overall impact of the attack and get back to normal as quickly as possible.

These are multi-stage attacks, and that means we have multiple opportunities to detect and stop them. Organizations require both a robust prevention and an agile resilience strategy to defend against this wave of ransomware attacks. This approach includes endpoint protection solutions, patch management, data backups, access controls, employee awareness training, and organizational procedure and resilience testing into all ransomware readiness plans to be successful. is the industry’s first dedicated, adaptive security platform that combines multiple advanced proprietary prevention engines along with AI models focused specifically on stopping ransomware – talk to a Halcyon expert today to find out more.