The fast-rising Clop ransomware gang is capitalizing on compromising a single environment, underscoring the need to assess security of software supply chains.
The number of ransomware attacks in July rose over 150% compared to last year and the actors behind the Clop ransomware were responsible for over a third of them. The gang took the lead from LockBit as the top ransomware threat after exploiting a zero-day vulnerability in a managed file transfer (MFT) application called MOVEit in June.
While the MOVEit attacks were used for data theft and subsequent extortion, they were not used to deploy the actual Clop ransomware program, even though the actors behind the attacks are associated with this ransomware program and took credit for the campaign.
“This campaign is particularly significant given that Clop has been able to extort hundreds of organizations by compromising one environment,” Matt Hull, global head of threat intelligence at NCC Group, said in a report. “Not only do you need to be vigilant in protecting your own environment, but you must also pay close attention to the security protocols of the organizations you work with as part of your supply chain.”
Clop takes the ransomware lead
NCC Group has recorded 502 ransomware-related attacks in July, a 16% increase from the 434 seen in June, but a 154% rise from the 198 attacks seen in July 2022. The Clop gang was responsible for 171 (34%) of the 502 attacks while LockBit came in second with 50 attacks (10%).
LockBit has dominated the ransomware space since the middle of last year after the notorious Conti gang disbanded and the LockBit authors revamped their affiliate program to fill the void and attract former Conti partners. Ransomware-as-a-service (RaaS) operations such as LockBit rely on collaborators called affiliates to break into enterprise networks and deploy the ransomware program in exchange for a hefty percentage of the ransoms.
Clop is also a RaaS operation that has existed since 2019 and before that it acted as an initial access broker (IAB) selling access to compromised corporate networks to other groups. It also operated a large botnet specialized in financial fraud and phishing. According to a CISA advisory, the Clop gang and its affiliates compromised over 3,000 organizations in the US and over 8,000 globally to date.
The Clop actors are known for their ability to develop zero-day exploits for popular enterprise software, especially MFT applications. The group exploited Accellion File Transfer Appliance (FTA) devices in 2020 and 2021, Fortra/Linoma GoAnywhere MFT servers in early 2023, and MOVEit transfer deployments in June — an attack campaign that’s believed to have affected up to 500 organizations.
“It has been noted by some in the industry that the attack and its wide-scale impact marks a shift in the ransomware model,” the NCC Threat Intelligence team said. “Clop's focus was on extorting data from MOVEit's environment, using this to extort implicated organizations.”
North America remains the most targeted region for ransomware
According to NCC’s July data, North American organizations remained at the top of the target list for ransomware actors, being targeted in 274 (55%) of the observed attacks. Europe was the second-most targeted region, followed by Asia in third.
The industrials sector — professional goods and services — has remained a top target, not only for ransomware groups but for other threat actors as well, including state-sponsored ones, because it holds a large amount of sensitive information and intellectual property. The sector was the target of 155 (31%) of the ransomware attacks seen in July, and the top three ransomware gangs for July — Clop, LockBit and 8Base — were responsible for 48% of attacks against companies from this space. The second most targeted sector was Consumer Cyclicals (16%), followed by Technology (14%), according to NCC.
“Alongside established players, like Cl0p and Lockbit 3.0, we're also seeing the growing influence of new groups,” Hull said. “They are introducing new tactics, techniques and procedures, underscoring how important it is for organizations to remain up to speed with changes in the threat landscape.”