
Scammers Pose as Clop Ransomware to Extort Businesses


Fraudsters have recently been identified impersonating the notorious Clop ransomware gang in an attempt to extort businesses, according to researchers from Barracuda Networks. This scheme is part of a larger trend where scammers pose as high-profile ransomware actors, claiming to have accessed sensitive data and demanding payments from their targets.

In one recent incident, the attackers said they had exploited a vulnerability in software from managed file transfer vendor Cleo to gain unauthorized access to the victim company’s network, and alleged that this breach had allowed them to download and exfiltrate data from its servers. To lend credibility to the claim, the threat actors included a link to a media blog post reporting that Clop had successfully stolen data from multiple Cleo customers using a similar approach.

Exploiting vulnerabilities in managed file transfer software has been a common tactic employed by the Clop ransomware gang to target victims en masse. In the fake extortion email, the victim was threatened with the publication of their stolen information on Clop’s “Blog” unless a payment was made. The attackers provided a series of contact email addresses for the victims to reach out to.

The researchers from Barracuda Networks emphasized that the email displayed all the signs of a scam, as it lacked key elements typically associated with genuine Clop ransomware extortion demands. They advised recipients to be cautious and take immediate action if they received emails featuring a 48-hour payment deadline, links to secure chat channels for ransom negotiations, and partial names of breached companies.

The fake Clop extortion emails often refer to media coverage of actual Clop ransomware attacks in an attempt to appear legitimate. This tactic is used to deceive victims into believing the threats are genuine and to prompt swift action on their part.
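The indicators Barracuda lists (a 48-hour deadline, links to "secure chat" negotiation channels, a link to press coverage of the real gang, and a list of contact addresses) lend themselves to a simple triage check that a mail security team can run over suspected extortion messages. The following Python script is an added example, not code from the original article or from Barracuda; the email text, the domain `example.invalid` and the list of gang names are constructed for illustration. It does not attempt to verify "partial names of breached companies", which requires context the script does not have.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed sample of a fake extortion email, modelled on the indicators
# described in the article. Not a real message; example.invalid is a reserved
# placeholder domain.
SAMPLE_EMAIL = """\
Subject: Your company data has been stolen - Clop

We are Clop. We exploited a vulnerability in your Cleo file transfer server
and downloaded your data. See the news: https://example.invalid/news/clop-cleo
You have 48 hours to contact us or your data will be published on our blog.
Chat with us at https://example.invalid/secure-chat/negotiate
Contact: support1@example.invalid, support2@example.invalid
"""

# Assumed list of ransomware brands commonly impersonated; extend as needed.
GANG_NAMES = ("clop", "bianlian", "lockbit")


@dataclass
class ExtortionAssessment:
    gang_claimed: Optional[str]
    indicators: List[str] = field(default_factory=list)

    @property
    def score(self) -> int:
        # One point per indicator present; the caller decides the threshold.
        return len(self.indicators)


def assess_extortion_email(text: str) -> ExtortionAssessment:
    """Flag the tell-tale features of a copycat extortion email."""
    lower = text.lower()
    gang = next((g for g in GANG_NAMES if g in lower), None)
    found: List[str] = []

    # Short fixed deadline, e.g. "48 hours" / "48-hour".
    if re.search(r"\b48[\s-]*hours?\b", lower):
        found.append("48-hour deadline")

    # Link to a "secure chat" or negotiation portal.
    if re.search(r"https?://\S*(chat|negotiat|tox|session)\S*", lower):
        found.append("negotiation chat link")

    # Link to news coverage used to borrow credibility from the real gang.
    if re.search(r"https?://\S*(news|article|report)\S*", lower):
        found.append("link to media coverage")

    # Several contact addresses rather than one negotiation channel.
    if len(re.findall(r"[\w.+-]+@[\w-]+\.[\w.]+", text)) >= 2:
        found.append("multiple contact addresses")

    # Threat to publish on a leak "blog".
    if re.search(r"\bpublish", lower) and re.search(r"\bblog\b", lower):
        found.append("threat to publish on leak blog")

    return ExtortionAssessment(gang, found)


if __name__ == "__main__":
    result = assess_extortion_email(SAMPLE_EMAIL)
    print(f"claims to be: {result.gang_claimed}, score {result.score}")
    for indicator in result.indicators:
        print(" -", indicator)
```

The score is a triage aid, not a verdict: a message that claims a named gang and scores high on these features should be routed to incident response for verification against actual evidence of intrusion (file transfer server logs, EDR alerts) before anyone engages with the sender.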

This revelation comes on the heels of reports from GuidePoint Security and the FBI, which uncovered fraudsters sending extortion letters to businesses claiming to be from the BianLian ransomware group. The attackers purport to have infiltrated the recipient’s corporate network and stolen sensitive data, mirroring the language typically found in legitimate ransom notes.

In addition to these extortion schemes, Barracuda’s March Email Threat Radar report highlighted an increase in phishing attacks utilizing techniques designed to evade traditional security defenses. One such technique involves the LogoKit phishing-as-a-service platform, which distributes malicious emails posing as urgent password reset requests.

LogoKit, active since 2022, allows attackers to dynamically adjust phishing pages in real-time as victims enter their credentials, making the fraudulent websites appear more legitimate. The platform can also integrate with various messaging services, social media platforms, and email clients to distribute phishing messages, making detection challenging.

The phishing emails distributed via LogoKit typically feature headers like “Password Reset Requested” or “Immediate Account Action Required,” prompting recipients to click on a link that redirects them to a counterfeit login portal. Victims are then prompted to enter their credentials, which are captured by the attacker.

Furthermore, Barracuda highlighted a rise in the use of Scalable Vector Graphics (SVG) attachments in phishing attacks. SVG files are XML text documents containing instructions for drawing vector images, and because the format can also embed scripts, attackers increasingly use them to deliver malicious payloads that slip past security tools which treat SVGs as plain images.
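Because SVG is XML, an attachment scanner can parse it and look for the active-content features a plain image never needs: `<script>` elements, `on*` event handler attributes, `javascript:` or `data:` hrefs, and `<foreignObject>` wrappers that smuggle in HTML. The following Python scanner is an added example, not code from the original article or from Barracuda; both SVG samples and the `example.invalid` URL are constructed for illustration.

```python
import re
import xml.etree.ElementTree as ET
from typing import List

# Constructed samples (not real attachments): a harmless icon and one that
# carries the kinds of active content a phishing SVG would.
BENIGN_SVG = """<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 10 10">
  <circle cx="5" cy="5" r="4" fill="blue"/>
</svg>"""

SUSPICIOUS_SVG = """<svg xmlns="http://www.w3.org/2000/svg"
     xmlns:xlink="http://www.w3.org/1999/xlink">
  <script>window.location = "https://example.invalid/login";</script>
  <a xlink:href="javascript:void(0)"><text onclick="x()">Open</text></a>
  <foreignObject><div xmlns="http://www.w3.org/1999/xhtml">hi</div></foreignObject>
</svg>"""


def local_name(qualified: str) -> str:
    """Strip the {namespace} prefix ElementTree puts on tags and attributes."""
    return qualified.rsplit("}", 1)[-1]


def scan_svg(svg_text: str) -> List[str]:
    """Return a list of findings describing active content in an SVG."""
    findings: List[str] = []
    try:
        root = ET.fromstring(svg_text)
    except ET.ParseError as exc:
        # A file that will not parse as XML is itself worth a look.
        return [f"unparseable SVG: {exc}"]

    for elem in root.iter():
        name = local_name(elem.tag)
        lname = name.lower()
        if lname == "script":
            findings.append("script element")
        if lname == "foreignobject":
            findings.append("foreignObject element (embedded HTML)")
        for attr, value in elem.attrib.items():
            aname = local_name(attr).lower()
            # onclick, onload, onmouseover, ... all start with "on".
            if aname.startswith("on"):
                findings.append(f"event handler attribute {aname} on <{name}>")
            # href / xlink:href pointing at a script or data URI.
            if aname == "href" and re.match(r"\s*(javascript|data):", value, re.I):
                scheme = value.strip().split(":", 1)[0].lower()
                findings.append(f"{scheme}: URI in href on <{name}>")
    return findings


if __name__ == "__main__":
    for label, sample in (("benign", BENIGN_SVG), ("suspicious", SUSPICIOUS_SVG)):
        print(label, scan_svg(sample) or ["no active content"])
```

In a mail gateway this check would run on every attachment whose declared or sniffed type is `image/svg+xml`; any finding is grounds to quarantine the message, since a legitimate image never needs script. For untrusted input in production, parse through `defusedxml` rather than the standard library to avoid entity expansion attacks against the parser itself.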

As cybercriminals continue to evolve their tactics and exploit vulnerabilities in various technologies, organizations and individuals must remain vigilant and implement robust cybersecurity measures to protect against such threats.
