
MOVEit Ransomware Attack Underscores Cybersecurity Landscape


In May, a leading business application vendor experienced a significant cyber attack on its managed file transfer (MFT) software, MOVEit. The attack was orchestrated by the Russian ransomware group CL0P. According to the victimized company, the security gap in the software could grant access and privileges to unauthorized users. This supply chain attack had a ripple effect, impacting downstream customers, including companies in the payroll services and identity theft sectors, as well as various government agencies. Such supply chain attacks have become more prevalent as threat actors seek to extract greater value from personal data, particularly as studies show that 80% of companies affected by ransomware end up paying the ransom.

CL0P is known as a “ransomware-as-a-service” provider, helping other threat actors create and deploy their own ransomware campaigns. Their main goal is financial gain, and in the case of MOVEit, CL0P demanded an undisclosed amount of money to prevent the distribution of the victim organization’s private data. Like any business, CL0P has expanded its offerings to include additional capabilities such as access to a dedicated botnet and compromised networks, which enable them to target and exploit more victims.

Every action carried out by threat actors like CL0P is deliberate and calculated. They publicize and threaten to disclose sensitive information to create urgency and pressure the affected company into taking quick action to prevent further embarrassment or operational impact. These ransomware groups operate like businesses, and their success lies in their ability to exploit vulnerabilities and profit from cybercrime.

Protecting a supply chain from determined threat actors armed with various cyber weapons, including ransomware, is a challenging task. These threat actors actively target and exploit vulnerabilities because they know that data is their ultimate payday. To defend effectively against these attacks, companies need to understand how cybercriminal enterprises operate. By seeking out, understanding, and documenting potential bottlenecks in adversarial supply chains, companies can identify the areas where their security efforts will have the most significant impact. This may involve analyzing the tactics used in typical ransomware attacks, understanding how infected devices communicate with threat actors, and discovering how these actors monetize their efforts. Threat intelligence, incident response, and network-based threat detection and response technologies can all play a role in disrupting these supply chains, in a manner similar to the principles of jiu-jitsu.

Unfortunately, after a ransomware attack many companies tend to focus only on the primary vulnerability, remedy it, and return to business as usual. However, in cases like MOVEit, new vulnerabilities were still being discovered more than six weeks after the initial attack. It is therefore crucial for affected companies to remain proactive, as there may be multiple vulnerabilities that need addressing.

While companies should enhance their security measures to protect their supply chains, seeking external help is also a viable option. External defenders can assist in responding to and preventing ransomware attacks while also contributing to the takedown of threat actors. The U.S. Department of Justice recently disrupted the actions of the ransomware-as-a-service group, Hive, which targeted over 1,500 victims. This indicates that these groups are not invincible, and with the right defenses and knowledgeable defenders, their supply chains can be disrupted.

The threat landscape continues to evolve, and ransomware attacks are on the rise. Despite advancements in security measures and the assistance of third-party defenders, the volume of attacks has not diminished significantly. One reason for this could be the current disclosure requirements that make attacks more visible to the public and governments than before. However, mature organizations understand the importance of prompt detection and response to these attacks. Detecting and taking action early in a ransomware attack can prevent it from spreading further and causing more damage. Visibility into network and endpoint activities is crucial for early detection, and organizations should not hesitate to seek help from experts in the field.

In conclusion, the recent ransomware attack on MOVEit highlights the increasing threat of supply chain attacks and the evolving tactics of ransomware-as-a-service providers like CL0P. Mitigating such attacks requires a comprehensive understanding of how threat actors operate, proactive security measures, and the involvement of external defenders. Despite the challenges, organizations can remain optimistic by focusing on detection and timely response, as well as leveraging the expertise of cybersecurity professionals in the ongoing battle against cybercrime.
