MOVEit Exploit - Clop Ransomware Gang
Earlier this week, Clop, a Russia-linked ransomware gang began extorting companies it targeted with an exploit in MOVEit, a file-transfer software. The ransomware gang announced it had breached hundreds of companies and began listing their names following a 14 June deadline to begin negotiations. Since then, multiple companies have been listed on Clop's dark web page, including Shell, UnitedHealthcare Student Resources (UHSR), the University of Georgia (UGA) and University System of Georgia (USG), Heidelberger Druck, Landal Greenpark, 1st Source, First National Bankers Bank, Putnam Investments, and GreenShield Canada.
Others have come forward that they have become victims of the exploit, including Johns Hopkins University, the government of Nova Scotia, the states of Missouri and Illinois, and the American Board of Internal Medicine. It is unclear if these organizations were targeted by Clop or other ransomware gangs utilizing the MOVEit exploit.
On 15 June, it was reported that the U.S. Cybersecurity and Infrastructure Security Agency (CISA) was working with several U.S. federal agencies that had also been breached using the MOVEit vulnerability. Clop stated that they will erase data breached from the military, children's hospitals, and federal governments.
Hackivist Activity
Also on 15 June, Hacktivist groups Killnet, Anonymous Sudan, and REvil announced plans to threaten the whole of the European banking system, starting with the SWIFT international communications system. The groups claim it is retribution for European support of Ukraine in the conflict with Russia. All three groups have been previously linked to the Russian security service GRU. The GRU directs multiple official and unofficial hacking groups and operates at the behest of President Putin.
Russian National Charged
Additionally on 15 June, the U.S. Department of Justice arrested and charged Ruslan Magomedovich Astamirov, a Russian national, with conspiring to commit LockBit ransomware attacks against U.S. and foreign businesses from 2020 - 2023. The arrest and prosecution of Astamirov highlights the risks of Russia-based hackers targeting the U.S., especially amid continued U.S. support for Ukraine against Russia.
Analysis
The spike in hacking activity from Russian-linked groups or individuals reaffirms that both Russian-sponsored or directed groups and unaffiliated hackers based in Russia pose a significant threat to the U.S. Cybercrime and disruptive hacks are just one part of Russia's arsenal in its conflict against the West. Additional vulnerabilities can and will be exploited by these groups in the future and companies and organizations need to prepare now by hardening their networks, training staff, and building crisis response plans.
Recommendations
- Update defenses with everything known about the MOVEit vulnerabilities and capabilities of Clop and other groups.
- Consider deploying behavioral anti-ransomware across systems and networks.
- Contact Global Guardian for support in the case of a hack or to discuss hardening options.
Support
Global Guardian is closely monitoring the situation and can support clients who need assistance with:
- Remediation
- Cyber assessments
- Network hardening
Click below to contact Global Guardian's 24/7 Operations Center or call us directly at +1 (703) 566-9463.
