Cl0p study hints at gang's masking tactics


The Cl0p ransomware gang, the cybercrime group behind the MOVEit Transfer attacks, seeds stolen data out of a handful of hosting servers in Russia, researchers say.

Cl0p's wave of MOVEit Transfer attacks will likely be among the largest attacks of 2023. So far, over 2,100 organizations and 62 million individuals have been impacted by the zero-day exploit that Cl0p used.

However, researchers at Palo Alto's Unit 42 discovered that large-scale attacks present the culprits with unexpected problems. For example, how to anonymously leak stolen data to coax victims into paying?


Using a TOR leak site to share terabytes of data is virtually impossible due to slow download speeds. To solve the issue, Cl0p opted to torrent the files. Unit 42 put the method under a microscope to discover where the data was originally seeded from.

“These torrents each require an initial seed for peers to connect to to begin downloading and exchanging the data. This creates a window of opportunity wherein only one peer will have 100% of the file while the rest of the peers are downloading the pieces of it,” reads the report.

To oversimplify, for a torrent to work there has to be an initial seeder that holds all of the data intended for sharing, and for a while it is the only peer in the swarm with a complete copy. Researchers used this fact to trace the source from which Cl0p shared the data of some of its MOVEit Transfer victims.
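The observation above, that the initial seed is the one peer reporting 100% of the pieces while everyone else is still partial, can be checked mechanically from the peer-wire "bitfield" messages a swarm monitor captures. The following is an added example written for this article, not Unit 42's tooling: it decodes BEP 3 bitfield frames, validates them, and flags the sole complete peer in a constructed swarm snapshot (the peer addresses and bitfields are made up sample values).

```python
from dataclasses import dataclass
from typing import List, Optional

BITFIELD_ID = 5  # BitTorrent peer-wire message id for "bitfield" (BEP 3)


@dataclass
class PeerObservation:
    peer: str       # ip:port as seen in the swarm (constructed sample values below)
    message: bytes  # raw wire message: 4-byte big-endian length, id byte, bitfield


def bitfield_message(bits: bytes) -> bytes:
    """Frame a raw bitfield as a peer-wire message (used here to build sample data)."""
    return (1 + len(bits)).to_bytes(4, "big") + bytes([BITFIELD_ID]) + bits


def parse_bitfield(message: bytes, num_pieces: int) -> List[bool]:
    """Decode a bitfield message into one have-flag per piece, rejecting malformed frames."""
    if len(message) < 5:
        raise ValueError("message too short for a bitfield frame")
    length = int.from_bytes(message[:4], "big")
    if message[4] != BITFIELD_ID or length != len(message) - 4:
        raise ValueError("not a well-formed bitfield message")
    bits = message[5:]
    if len(bits) != (num_pieces + 7) // 8:
        raise ValueError("bitfield length does not match the torrent's piece count")
    have = [bool(bits[i // 8] & (0x80 >> (i % 8))) for i in range(num_pieces)]
    # Spare bits past num_pieces must be zero; a set spare bit means a buggy or hostile peer.
    if any(bits[i // 8] & (0x80 >> (i % 8)) for i in range(num_pieces, len(bits) * 8)):
        raise ValueError("spare bits set in bitfield")
    return have


def completion(message: bytes, num_pieces: int) -> float:
    """Fraction of pieces the peer claims to hold."""
    return sum(parse_bitfield(message, num_pieces)) / num_pieces


def sole_seeder(swarm: List[PeerObservation], num_pieces: int) -> Optional[str]:
    """Return the only complete peer, or None when zero or several peers are complete.

    Exactly one complete peer among partial downloaders is the 'window of
    opportunity' described above: that peer is the initial seed.
    """
    complete = [p.peer for p in swarm if completion(p.message, num_pieces) == 1.0]
    return complete[0] if len(complete) == 1 else None


# Constructed swarm snapshot for a 12-piece torrent (bitfield = 2 bytes, 4 spare bits).
NUM_PIECES = 12
SWARM = [
    PeerObservation("203.0.113.7:6881", bitfield_message(b"\xff\xf0")),    # all 12 pieces
    PeerObservation("198.51.100.23:51413", bitfield_message(b"\xa5\x30")), # 6 of 12 pieces
    PeerObservation("192.0.2.44:6889", bitfield_message(b"\x00\x10")),     # 1 of 12 pieces
]
```

Run `sole_seeder(SWARM, NUM_PIECES)` to get `"203.0.113.7:6881"`; once a second peer finishes downloading the function returns `None`, which is why the snapshot has to be taken early.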

One group of seeders was traced back to servers geolocated in Moscow, owned by a Panama-registered virtual private server (VPS) hosting company, FlyServers. Another data cluster was discovered to have been shared via a VPS hosted in Saint Petersburg, Russia.

Interestingly, the data analysis shows that Cl0p consistently plans ahead. The gang prepared the data in parts ten days before the scheduled release and five days before the cybercriminals announced their intentions to leak the data.

“There is a lot of orchestration required to effectively host as much data as they’ve stolen,” the researchers surmised.

MOVEit Transfer attacks

Earlier this year, Cl0p exploited a now-patched zero-day bug in Progress Software’s MOVEit Transfer software, which allowed attackers to access and download the data stored there.


The Russia-linked gang Cl0p goes by a few different names. People in the cyber industry know the syndicate as TA505, Lace Tempest, Dungeon Spider, and FIN11. The gang is quite old, having been first observed back in 2019.

Earlier this summer, Cybernews received evidence that one of the Cl0p ransomware strain developers was in the city of Kramatorsk in Eastern Ukraine, on the front line of the Russia-Ukraine war.

Numerous well-known organizations have had their clients exposed in the MOVEit attacks. For example, TD Ameritrade, a US stockbroker, reported that over 60,000 of its clients were exposed, with Cl0p taking the financial account data of some.

Other named victims include American Airlines, TJX off-price department stores, TomTom, Pioneer Electronics, Autozone, Johns Hopkins University and Health System, Warner Bros Discovery, AMC Theatres, Choice Hotels’ Radisson Americas chain, and Crowe accounting advisory firm.