Secureworks® Counter Threat Unit™ (CTU) researchers are investigating an increase in the number of victims posted on the Clop ransomware leak site. Clop ransomware was first identified in February 2019 and is attributed to the financially motivated GOLD TAHOE threat group (also known as TA505), which has been active since at least 2015. A March 2023 Secureworks incident response engagement revealed another group, likely GOLD NIAGARA, deploying this ransomware.
The Clop leak site listed 91 victims in March 2023, which is more than 65 percent of the total number of victims published between August 2020 and February 2023 (see Figure 1). This sudden increase in victims is likely associated with February 2023 claims that the threat group exploited a zero-day vulnerability (CVE-2023-0669) in the Fortra GoAnywhere MFT secure file transfer tool to access and steal data from 130 organizations. If the claim is true, additional victims will likely be published to the leak site. This surge in activity focused on data theft and extortion. Unlike previous Clop campaigns that encrypted compromised networks after data exfiltration using a randomly generated AES key, there is no evidence as of this publication that these victims' systems were encrypted.
Figure 1. The number of victims listed on the Clop leak site between August 2020 and March 2023, with significant events indicated. (Source: Secureworks)
Many of the alleged victims of the GoAnywhere attack are high-profile multi-billion-dollar organizations. Fortra GoAnywhere MFT is used in over 3,000 organizations, predominantly ones with over 10,000 employees and revenues of more than $1 billion USD. Threat groups often use an organization's revenue to calculate the ransom demand. Despite ransom details being private, they are estimated in the tens of millions of dollars for many of the affected companies. However, the ransom amount may be influenced by the perceived value of the data. One victim publicly stated that "the files in question pose no risk to customers or employees as they contain no personal data," making it less likely that the organization would pay a large ransom.
This is the second time that GOLD TAHOE exploited vulnerabilities in a file transfer tool to target multiple victims. The first exploit in 2021 leveraged a flaw in the legacy Accellion File Transfer Appliance (FTA) software, which at the time was used by approximately 300 customers. Accellion claimed that less than 100 of its customers were compromised and that fewer than 25 suffered significant data theft. Although Clop was not deployed in all of these breaches, the threat actors exfiltrated data and posted victims to their leak site. As a result, March 2021 held the record for the most victims published to the site until March 2023.
The GoAnywhere exploit's opportunistic nature means that there is a lack of clarity regarding the value of the stolen data. The threat actors stated that they only exfiltrated data stored on compromised GoAnywhere MFT servers. However, they claimed to have the ability to move laterally through compromised networks and deploy ransomware. They may have decided not to deploy ransomware so they could target as many organizations as possible, rather than taking time to identify valuable information on individual networks and risk losing access to the wider victim base. There is insufficient evidence to confirm if the threat actors had the potential for lateral movement.
In a widespread attack involving a large number of victims, it is inevitable that some organizations would be more impacted than others. Some compromises only impacted victims' testing environments. Other breaches involved theft of sensitive customer data.
The March 2023 activity shows that the Clop operators have recovered from law enforcement action in November 2021. Ukrainian authorities arrested six individuals as part of Interpol's Operation Cyclone for their role in attacks against Korean companies and U.S. academic institutions.
CTU™ researchers advise organizations using GoAnywhere MFT to review the Fortra advisory and upgrade as appropriate. Fortra published mitigations for customers who cannot upgrade.
Learn more about the ransomware threat:
- 2022 State of the Threat: A Year in Review
- Ransomware Evolution
- Phases of a Post-Intrusion Ransomware Attack
If you need urgent assistance with an incident, contact the Secureworks Incident Response team.