
Clop Ransomware Dominates Ransomware Space Following MOVEit Exploit Campaign


The number of ransomware attacks recorded in July rose by more than 150% compared to the same month last year. Notably, the Clop ransomware group was responsible for more than a third of these attacks, surpassing LockBit as the top ransomware threat. This shift in dominance followed Clop's exploitation of a zero-day vulnerability in the managed file transfer (MFT) application MOVEit Transfer in June. It is important to note that the MOVEit attacks were used for data theft and subsequent extortion; the Clop ransomware program itself was not deployed. However, the actors behind the attacks are closely associated with the Clop ransomware program and have taken credit for the campaign.

The significance of this campaign is not to be underestimated, as Matt Hull, the global head of threat intelligence at NCC Group, highlights. He emphasizes that Clop has managed to extort numerous organizations through compromising a single environment. Therefore, organizations must remain vigilant in safeguarding their own environments while also paying close attention to the security protocols of the organizations they collaborate with in their supply chain.

According to NCC Group’s report, a total of 502 ransomware-related attacks were recorded in July, marking a 16% increase from the previous month and a staggering 154% rise compared to July 2022, which only saw 198 attacks. Out of these 502 attacks, the Clop gang was responsible for 171 (34%) of them, making them the leading ransomware threat. LockBit ranked second with 50 attacks (10%).

LockBit’s rise to dominance in the ransomware landscape began after the notorious Conti gang disbanded mid-last year. The authors of LockBit seized the opportunity to revamp their affiliate program and attract former Conti partners. This ransomware-as-a-service (RaaS) operation relies on affiliates to infiltrate enterprise networks and execute the ransomware program in exchange for a significant percentage of the ransoms.

On the other hand, Clop has been operational since 2019, initially functioning as an initial access broker (IAB) by selling access to compromised corporate networks to other groups. Additionally, Clop operated a large botnet specializing in financial fraud and phishing activities. A recent advisory from the Cybersecurity and Infrastructure Security Agency (CISA) reveals that the Clop gang, along with its affiliates, has breached more than 3,000 organizations in the United States and over 8,000 globally to date.

What makes the Clop actors particularly notorious is their ability to develop zero-day exploits for popular enterprise software, with a focus on MFT applications. Their track record includes exploiting Accellion File Transfer Appliance (FTA) devices in 2020 and 2021, Fortra/Linoma GoAnywhere MFT servers in early 2023, and most recently, MOVEit Transfer deployments in June. The MOVEit attack campaign is estimated to have impacted up to 500 organizations.

These rising numbers and the dominance of groups such as Clop and LockBit highlight the urgent need for organizations to prioritize their cybersecurity strategies and invest in robust defense mechanisms. Ransomware attacks continue to pose a significant threat to businesses of all sizes, and staying one step ahead of these malicious actors is crucial. By implementing effective security measures, organizations can mitigate the risks posed by ransomware attacks and safeguard their valuable data and operations.
