Clop ransomware gang begins extorting GoAnywhere zero-day victims

Clop ransomware gang begins extorting GoAnywhere zero-day victims

Clop ransomware gang begins extorting GoAnywhere zero-day victims

The Clop ransomware gang began extorting companies whose data was stolen using a zero-day vulnerability in the Fortra GoAnywhere MFT secure file-sharing solution.

In February, the developers of the GoAnywhere MFT file transfer solution warned customers that a zero-day remote code execution vulnerability exploited in exposed administrative consoles.

GoAnywhere is a secure web file transfer solution that allows companies to securely transfer encrypted files with their partners while maintaining detailed audit logs of who accessed the files.

While no details have been shared publicly about how the vulnerability was exploited, a The proof-of-concept exploit was released soonfollowed by a patch for the flaw.

A day after the release of the GoAnywhere patch, the Clop ransomware gang contacted BleepingComputer and claimed responsibility for the attacks.

The extortion group said they used the flaw for ten days to steal data from 130 companies. At the time, BleepingComputer could not independently confirm these claims, and Fortra did not respond to our emails.

Since then, two companies, Community Health Systems (CHS) and Hatch Bankdisclosed that data was stolen in the GoAnywhere MFT attacks.

Clop starts extorting GoAnywhere customers

Last night, the Clop ransomware gang began publicly exploiting victims of GoAnywhere attacks by adding seven new companies to their data leak site.

Only one of the victims, Hatch Bank, is publicly known to have been breached using the vulnerability. However, BleepingComputer found that at least two other listed companies had their data stolen using this flaw as well.

All entries on the data leak site state that a data release is “imminent” but include screenshots of the alleged stolen data.

Hatch Bank is listed on the Clop data leak site
Hatch Bank is listed on the Clop data leak site
Source: BleepingComputer

Furthermore, BleepingComputer has been told that victims have started receiving ransom demands from the ransomware gang.

While it’s unclear how much the threat actors are demanding, they previously demanded a $10 million ransom in a similar fashion. attacks using an Acccellion FTA zero-day vulnerability in December 2020.

During these attacks, the extortion group stole large amounts of data from nearly 100 companies worldwide, with threat actors slowly exfiltrating data from companies while demanding millions dollar ransom.

Organizations that had their Accelion servers hacked included, among others, energy giant Shell, cybersecurity firm Qualys, supermarket giant Krogerand many universities around the world such as Stanford Medicine, University of ColoradoUniversity of Miami, University of California, and University of Maryland Baltimore (UMB).