The Cl0p ransomware group has recently been in the spotlight for its involvement in the mass exploitation of a newly discovered vulnerability in the widely used MOVEit file transfer application. As victims continue to come forward with data breaches linked to the bug, and Cl0p expands its list of targets, ZeroFox has conducted a detailed analysis of the threat group’s activities. According to its findings, Cl0p typically remains relatively inactive for several months before launching a series of high-tempo attacks that last for several weeks.
Unlike many ransomware groups that encrypt the systems they infiltrate, Cl0p’s usual strategy is to exfiltrate the data and then issue ransom demands. The timing of the attacks does not follow a specific pattern, likely due to the unpredictable nature of zero-day vulnerabilities. However, in the case of the MOVEit attacks, it is believed that the group had identified the bug as early as March 2023 but chose to delay exploitation until Memorial Day in the United States, when security teams would likely be less vigilant.
In relation to the MOVEit attacks, several additional victims have recently come forward. Deutsche Bank, a German multinational investment bank, has revealed that it shared customer data with a third-party vendor that was impacted by the MOVEit hacks. The bank has chosen not to disclose the vendor’s identity, but sources indicate that it is Majorel Germany, which provides account switching services for multiple German banks. Majorel Germany confirmed that it experienced a MOVEit attack, clarifying that it occurred before the vulnerability became public and only affected a single system running MOVEit software in Germany. The compromised data from Deutsche Bank includes customer names and International Bank Account Numbers (IBANs), which, although they do not grant access to the customers’ accounts, could be used for unauthorized direct debits. Other German banks, including ING Bank, Postbank, and Comdirect, have also disclosed customer data leaks associated with the MOVEit hack.
On the other side of the Atlantic, PlainsCapital Bank in Texas confirmed that one of its vendors was impacted by the MOVEit vulnerability. The unauthorized party was able to access sensitive customer data, including Social Security numbers and bank account numbers. The bank was notified of the breach on June 27 and began notifying affected individuals on July 14.
In a separate incident, HCA Healthcare, a US-based medical facilities operator located in Tennessee, is facing multiple lawsuits in connection with a massive data breach that was revealed earlier this month. HCA stated that the attacker had exfiltrated data from an external storage location and subsequently posted it online. Up to 11 million patients across nineteen states were affected by the breach, and complainants from Tennessee, California, Florida, and Texas have filed lawsuits. Attorney Tricia Herzfeld, who represents a patient from Nashville, Tennessee, said that the purpose of her complaint is to hold HCA accountable for safeguarding patient information. HCA has reassured patients that their commitment to their well-being remains unwavering and is not affected by the lawsuits or legal proceedings.
As the Cl0p ransomware group continues its spree of attacks, organizations must remain vigilant in patching vulnerabilities and implementing robust cybersecurity measures. The increasing number of victims, coupled with the significant impact on individuals and businesses alike, highlights the urgent need for proactive cybersecurity practices to combat evolving threats.