Cl0p ransom spree: Shell, Bombardier, Stanford U among the alleged victims


The Cl0p ransomware gang has claimed dozens of new victims in the past 24 hours, including energy giant Shell Global, high-end jet manufacturer Bombardier Aviation, and several universities in the US, including Stanford, Colorado, and Miami.

Cybernews can confirm from viewing the Cl0p official leak site that there are a total of 60 victim organizations listed as part of this latest spree.

Hundreds, if not thousands, of files are being listed as stolen from each organization on the dark web leak site.

ADVERTISEMENT

From banks and technology companies, to law firms, trucking and grocery stores, the victims come from what seems to be a random assortment of industries and locations across the globe.

Cybernews has reached out to at least five of the victims, including Shell Global, Bombardier, and Stanford University.

Bombardier told Cybernews it was aware of the claims and it validated this was not a new data breach but a re-posting of the previously reported 2021 breach. Other alleged victims have yet to respond.

three clop victims
Cl0p ransomware leak site

The Cybernews team was able to view many of the alleged sample files, which were chock-full of sensitive information from university students, individual customers, and what appears to be current or past employees.

Files include such sensitive personally identifiable information such as IRS tax documents, medical records, emails caches, and financial applications.

Even more disturbing is many of the alleged victim files contained sensitive company data, to include purchasing orders, affiliated vendor details, and even mechanical drawings and diagrams, such as the case for Bombardier.

In a ransomware plot twist, it appears many of today's victims were also victims of a 2021 Cl0p ransomware attack, in which the group gained access by hacking a third-party supplier who provided file transfer sharing services to all the organizations targeted in the incident.

ADVERTISEMENT

The US based supplier, Accellion, was exploited by Cl0p through a zero-day vulnerability in its file transfer appliance (FTA).

Accellion had about three hundred clients at the time, one hundred of them were breached in the 2021 attack, including Shell and Stanford University.

The spree also comes just days after cybersecurity firm Rubrik confirmed they had been breached by the infamous gang, shown in a separate cache on the leak site.

That attack was the result of a zero-day remote code execution (RCE) bug on one of Rubrik's third-party vendors, the Fortra GoAnywhere MFT file-sharing platform.

Rubrik is one of at least 130 victims Cl0p claimed to have exploited using the GoAnywhere MFT zero-day vulnerability.

It's not clear how today's victims were breached or if they are part of the recent GoAnywhere victim list claimed by the group.

Although Cl0p has used similar methods in the three attacks mentioned, a January analysis by the US government showed the group tends to favor phishing emails to target its victims.

Cl0p is a known ransomware syndicate with ties to Russia and has been around since 2019.

The bad actors typically target organizations with a revenue of $5 million or higher, according to US officials.

Cl0p is considered one of the most used ransomware-as-a-service (RaaS) groups since hitting the cybercriminal market.

ADVERTISEMENT

Six of the gang members were arrested by Ukrainian authorities in 2021 but bucking expectations, the takedown had little impact on the gang, as Cl0p appears to be a strong as ever.

“We have never attacked hospitals, orphanages, nursing homes, charitable foundations, and we will not,” Cl0p states on its leak site.

The group also states that commercial pharmaceutical organizations will never be included in their eligible victim list, as “they are the only ones who benefit from the current pandemic.”

“If an attack mistakenly occurs on one of the foregoing organizations, we will provide the decryptor for free, apologize and help fix the vulnerabilities,” states Cl0p.

Another signature move of the gang is to rename the stolen files after encryption using the file extension "Cl0p."

The syndicate often gives its victims two weeks to pay the ransom before threatening to delete the encrypted files along with the decryption key.