Malicious actors that successfully target software supply chains can maximize their reach, impacting the initial victims as well as their clients and clients’ clients. And Allan Liska, intelligence analyst at threat intelligence platform provider Recorded Future, noted that cyber extortion groups like CL0P have the money to buy zero-day vulnerabilities to compromise commonly used platforms.
Plus, perpetrators increasingly use threats to publish stolen data — more so than file encryption — to put pressure on victims and are exploring new ways of denying victims access to their data.
Still, cyber extortionists aren’t a monolith. While zero days make headlines, shoring up basic cyber defense can still go a long way toward defending against many of today’s ransomware attacks, said Tom Hofmann, chief intelligence officer for cyber intelligence and solutions provider Flashpoint.
And other extortionists are likely watching the MOVEit incident play out and drawing their own takeaways.
“With a lot of these, the first big attack, it gets the headlines, but these ransomware groups are learning at the same time,” Hofmann said. “They're seeing what worked well, what didn't, what tactics worked, and they're learning from each other. So, the next go-around is going to be different.”
TIMING AND ATTACK METHODS
With MOVEit, CL0P struck around Memorial Day, notes risk and financial advisory solutions provider Kroll. This follows a trend of perpetrators timing their attacks for holiday weekends. The 2021 ransomware attack on software from IT company Kaseya also hit right before the Fourth of July holiday.
Groups like CL0P also appear to be putting attention on targeting widely used platforms and exploiting zero-day vulnerabilities.
The MOVEit compromise was CL0P’s third known attack on a file transfer service, each one netting more victims. Its 2020 Accellion exploit stole data from roughly 100 companies, while the hackers said their early 2023 attack on GoAnywhere impacted about 130 organizations, per Bleeping Computer. By early July, more than 200 organizations were believed to be affected by the MOVEit hacks, with data breaches affecting more than 17.5 million people, Emsisoft threat analyst Brett Callow told TechCrunch. Of course, hitting victims and getting money out of them are two separate matters.
Cyber criminals can buy zero-day vulnerabilities, said Liska. Paying six figures for zero days in top-name software like Microsoft Exchange may be too spendy for most, but many ransomware groups do have the money to shell out up to five figures to buy zero days in lower-profile, widely used platforms like MOVEit, he said.
“You're not spending more than $100,000 and that. And as far as we can tell, CL0P’s made 100 times that at least from this particular attack,” Liska said. “So, in theory, if they reinvested all of that money, they could buy 100 more of these zero days to these types of platforms — or more — and still have money leftover to vacation in Sochi.”
Still, organizations shouldn’t forget about more traditional attack methods, Hofmann said. Roughly 90 percent of cyber extortionists still wage their attacks by taking advantage of unpatched Internet-facing systems, remote desktop protocol (RDP) connections where multifactor authentication (MFA) has yet to be implemented, or phishing and stolen credentials.
SOFTWARE SECURITY?
MOVEIt software creator Progress announced that the initially exploited vulnerability — as well as one discovered a few weeks later — took advantage of SQL injection vulnerabilities in the tool.
“These are among the oldest forms of vulnerability and are the result of poor coding practices that are preventable,” reported Ars Technica.
Federal efforts are underway to push software developers to design offerings with security baked in, thus improving overall safety of the software landscape.
“That’s a good way to go, because a lot of these platforms that are heavily relied on are rickety, because they're not looked at — they've been traditionally ignored by bad guys,” and that picture is changing, Liska said.
Realizing that a secure-by-design vision could take decades, in the meantime, organizations should use a defense-in-depth approach to better protect themselves, Liska said.
DATA BREACH AND SECURE DELETE
In ransomware’s early days, perpetrators encrypted files and demanded payment. But other methods may be gaining more popularity. A recent report found attackers increasingly pressuring victims by stealing their data and threatening to publish it, sometimes — but not always — pairing this with file encryption.
Organizations with sophisticated backup strategies may not need their files back, making traditional encryption-only extortion ineffective, said Lisa Forte, partner at cybersecurity training and consulting provider Red Goat Cyber Security. Plus encrypting and decrypting are tricky: “Often the malware would be so aggressive that it would corrupt files, so even if the victim paid and they got the decryption key, the file would be corrupted. So, it was quite difficult to make a business case for companies to pay the ransom,” Forte said. But threats to publish sensitive stolen data add new pressure.
And even when victims lack good backups — making encryption attacks particularly painful — some extortionists may still prefer the speed and efficiency of data theft-only attacks, Hofmann said.
Forte noted that while CL0P totally avoided encryption in its attack on MOVEit, many other threat actors have kept it in play. Even extortionists that, too, primarily use data theft as leverage against their victims often still lock up some parts of a victim’s network, as an opening salvo. The drama of a sudden file encryption and a ransomware splash screen appearing can grab victims’ attention.
“One minute you think you’re fine, and then next minute everything is locked, and you’ve got splash screens on every device,” Forte said. “That really brings the attention of the board. But definitely the main negotiating chip is the data that’s stolen.”
Liska has also seen some attackers adopt a new method of denying victims’ access to their files, creating a dramatic disruption while avoiding the technical complications and hassles of encryption. In these attacks, perpetrators exfiltrate their targets’ data then secure delete those files. Such a move rewrites the erased files with meaningless data, to prevent victims from being able to recover them. Extortionists can then demand ransom in exchange for sending victims back a copy of that exfiltrated data.
“When we talk about taking the data and then secure deleting it, in effect you are actually ‘stealing’ it at that point, because the data is no longer sitting on their [hard drives] unless it can be restored from backups. That's where I think this is going to go — I think we'll see more of that,” Liska said.
Of course, as Liska noted, victims might restore data from backups. But extortionists could still threaten to publish it.
NEGOTIATIONS
In the MOVEit compromise, not even CL0P seemed prepared for how much data it managed to steal.
The hackers appeared to hurry to exploit as many systems as possible with the zero day before a patch could be issued. That meant they were scooping up data without necessarily knowing who it came from. Since then, the hackers have been working to sort through their stores of data, Liska said.
Notably — and unusually — rather than contact its victims with extortion demands, CL0P instead posted a message on its dark website telling victims to contact it.
“They basically said, ‘Hey, if you were one of the victims, email us,” Liska said. “They didn't even have a good accounting of who all they hit.”
Organizations should take the threat seriously but shouldn’t rush to comply, Hofmann said. Past incidents have seen some threat actors only discover who they’d hit when the victims got in touch, and victims that begin negotiations without a clear plan in place risk making the situation worse for themselves. They draw threat actors’ attention and might make mistakes, such as inadvertently revealing how badly attacks have affected them, thus handing leverage to the extortionists. In general, victims should never reveal anything that isn’t already public knowledge, he said.
And victims should be wary of believing threat actors’ claims: Sometimes extortionists mistakenly think they’ve impacted an organization, when they’ve really hit another with a similar-looking website or one of the organization’s subsidiaries, Hofmann said. CL0P may have made such mistakes, with ZDNET reporting in 2022 that CL0P tried to extort Thames Water, when it appeared to have actually hit South Staffordshire Water.
All this underscores the need for organizations — including C-suite executives — to participate in practicing and planning incident response and negotiations, to be ready should an extortion attack hit. For example, entities need to pin down details like, how much to tell the public; at what point they might engage with the extortionists and who will do that; as well as who will decide whether to pay and how that transaction will be made.
WHO AND HOW TO PRESSURE?
Despite the messiness of the attack, Liska believes CL0P has been improving its extortion tactics. Tracking of publicly known wallets suggests that the GoAnywhere hack didn’t produce a lot of profit, but this time around, CL0P seems to have better determined how to monetize, he said.
CL0P has been gradually revealing its victims. This may in part indicate that it’s still working to sort through the stolen data, but also can be strategic, Liska said. Each new victim announcement returns public attention to the incident, keeping it in the news for months — rather than weeks — which may put more pressure on victims. Still, Hofmann said that, unlike for some past incidents, media reporting on MOVEit hasn’t been critical of the impacted organizations: “The optics of it, from a public perspective, are a little bit different,” because many entities were affected via “a trusted third-party vendor who was brought in specifically for” protecting sensitive data.
Forte said CL0P appeared to struggle at first to determine which entities to extort in the affected software supply chain. They’d compromised a file transfer tool created by Progress, and doing so let them obtain data handled by U.K. payroll solutions provider Zellis, for example. That data included payroll information on Zellis’ own clients, such as the BBC and British Airways.
“There was a lot of confusion in the early days as to whether they were asking the actual end victims — i.e., the BBC, British Airways, etc. — or whether they were asking Zellis, or whether they were asking the company behind the MOVEit software,” Forte said. “The problem they had was that they didn't realize the complexity of the supply chain that they were hitting.”
When choosing which impacted entities to threaten, cyber extortionists are often playing for media attention, Liska said. They typically threaten to publish data from whichever impacted entities within the supply chain have the biggest name recognition. Threatening widely recognized end users will get more publicity, even if it technically was another entity's software that was compromised.
“It doesn’t matter whether or not they actually hit Ernst & Young or PwC. What matters is there's EY and PwC data that they got there,” Liska said. “… You have to write about that as a journalist, because they are such big companies and they [cyber extortionists] know that.”
PROMISES TO GOVERNMENT?
CL0P said it would delete any data it had stolen from government, per TechCrunch. Opinions vary over whether organizations can believe these kinds of claims.
On the one hand, cyber criminals have a brand to protect, and some ransomware groups have followed through on promises to help restore data stolen from hospitals, for example, Forte said.
Victims have little motive to pay criminals who are known to go back on their word: “The ransomware groups in general … tend to be quite ‘honorable’ to their word. They need to do that because they have to maintain a good brand image to get insurers, etc., to pay them when they hit other companies.”
Plus, ransomware actors may hope that deleting data from entities like governments and hospitals could make them less of a priority for federal law enforcement. They also may hope it helps their image “so they don’t look quite so evil,” she said.
Liska, meanwhile, said cyber criminals often give lip service to deleting the data in hopes of easing authorities’ attention on them, but he expects CL0P to still share or sell the government data.
“You should never assume a ransomware actor is actually going to delete stolen data — they will claim it up and down … [but] once that data is stolen, that is out there and you have to assume that it’s going to be out there forever,” Liska said.
One possible buyer? The Russian government. There appears to be “some evidence” suggesting a level of coordination between some cyber crime groups and the Russian government, which could enable gangs like CL0P to make such a sale, Liska said. But he cautioned against overstating this relationship, emphasizing the unavailability of evidence to indicate the Russian government is controlling the cyber criminals.