A new mass ransomware attack is making headlines. As the Washington Post reports in a recent article, “The latest mass ransomware attack has been unfolding for nearly two months,” major U.S. corporations have fallen victim to an attack that may have origins dating back to late January.
Victims include several high-profile domestic and international corporations:
- Procter & Gamble, producer of highly visible brands like Tide and Old Spice
- Virgin Group
- U.K. Pension Protection Fund
- US Wellness
- Rubrik, a data security company
- Community Health Systems, a healthcare provider
- Hitachi Energy
Mass Ransomware Attack Highlights Evolving Approach by Ransomware Gangs
The slow-motion nature of the mass ransomware attack is a relatively new development in the world of cybercrime. As the Washington Post reports, the ransomware gang responsible, Clop (sometimes listed as Cl0p), claims it has attacked 130 victims through a “zero-day” exploit in a commonly-used file-transfer software.
The attack marks the second mass ransomware attack uncovered so far in 2023 — an uptick from 2022, when there were fewer reported attacks and fewer victims who were willing to pay to have their systems unlocked or their data kept private.
Clop is thought to have exploited a vulnerability in the Fortra file-transfer tool, GoAnywhere. While the attack hasn’t affected as many organizations as another mass ransomware attack this year (the ESXiArgs campaign attack in February), it is notable for creating more trouble for the individual organizations.
Timeline of 2023 Clop Mass Ransomware Attack
Jan. 30 to Jan. 31 – Fortra experiences unauthorized access to GoAnywhere.
Feb. 1 – Fortra issues a private notice on its customer portal about the zero-day exploit. Soon after, Hatch Bank sends a notice to customers about the unauthorized access incident.
Feb. 7 – Fortra releases a fix for the vulnerability.
Fortra has faced scrutiny for the way it handled reporting the incident to its customers. Following the attack, TechCrunch reported that Fortra assured corporate customers that their data was safe when it wasn’t. Two victim organizations told the outlet that they didn’t learn they’d lost data to hackers until a ransom demand arrived, despite what Fortra told them.
According to The Post, a Fortra spokesperson said the company “immediately took multiple steps” after being “made aware of suspicious activity” with the GoAnywhere software. The company worked with the Cybersecurity and Infrastructure Security Agency (CISA) to add the GoAnywhere vulnerability to its list of “must-patch” vulnerabilities in February. “We are taking this very seriously and continue to help our customers implement mitigation steps to address this issue.”
Scope of Clop 2023 Mass Ransomware Attack
Specific impacts of the Clop attack include:
- Employee information stolen (Procter & Gamble and U.K. Pension Protection Fund)
- Rewards system impacted (Virgin Group)
- Customer information exploited (US Wellness)
- Data of around 1 million patients exposed (Community Health Systems)
U.S. Government Response to Increase in Ransomware Gang Activity
The Post reports that the U.S. government seems to be prioritizing a disruption approach to taking down ransomware gangs and other cybercriminals, citing activity like the takedown of cybercrime forums and recovering ransomware payments made by victims to these groups.
The Department of Health and Human Services issued a notice in late February about the GoAnywhere incidents.
“The probability of cyberthreat actors like Clop targeting the healthcare industry remains high,” the notice read. “Prioritizing security by maintaining awareness of the threat landscape, assessing their situation, and providing staff with tools and resources necessary to prevent a cyberattack remains the best way forward for healthcare organizations.”