Clop’s Accellion Breach Related Attacks
In December 2020, Clop leveraged a zero-day vulnerability in Accellion legacy File Transfer Appliance (FTA) servers to steal customer data. Accellion is a third-party provider of hosted FTA services. Firms generally use these services to share large files that cannot be sent via email with individuals outside their organization. The Clop ransomware group and its affiliates are now using the stolen data to carryout ransomware attacks against Accellion customers. The group has been reportedly demanding ransoms of $10 million in Bitcoin from victims, in exchange for their stolen data. If the victims refuse to pay, the group threatens to publish the stolen data on their CL0P^_- LEAKS shaming website. One such victim is a famous law firm, Jones Day, who was attacked in February this year. The latest victims are two US universities, namely the University of Colorado and the University of Miami. Screenshots of the information stolen from these two universities are beginning to appear on the dark web. These screenshots are being used to extort money from both universities.
Stolen Data
A notification published by the University of Colorado last month stated that students’ and perspective students’ personally identifiable information had been breached. Also breached was “employee personally identifiable information, limited health and clinical data, and study and research data”. The screenshots appearing on Clop’s leak website include university financial documents and enrolment information. Also being posted are screenshots of student grades, academic records and biographical information. The University of Miami initially did not acknowledge having suffered a security breach. However, screenshots of stolen patient data possibly belonging to the university’s health system have also appeared on Clop’s leak website. The screenshots are of a spreadsheet containing patients’ email addresses and phone numbers, as well as medical records and demographic reports. The university has since stated that “While we believe based on our investigation to date that the incident is limited to the Accellion server used for secure file transfers, we continue to enhance our cybersecurity program to further safeguard our systems from cyber threats.”
Clop Uses Unexpected New Tactic
In an unexpected turn of events, Clop is now contacting clients of firms who have fallen victim to Accellion’s breach. Clop is sending emails to these individuals using email information the group has found in the stolen data. The emails warn them that their data will soon be published online if the firm does not pay the ransom. “Perhaps you bought something there and left your personal data. Such as phone, email, address, credit card information and social security number,” the Clop emails reportedly state. The emails then urge these individuals to demand the firms pay the ransom in order to protect their privacy. It is not certain whether this added pressure would induce a firm to pay the ransom. However, Clop is not the only ransomware group to use this tactic. The REvil ransomware group was also seen using the same tactic earlier this month.