The Clop ransomware group is mimicking the ALPHV ransomware group’s extortion technique: a dedicated web page for each victim is hosted directly on the Internet, on which the stolen data is published, putting additional pressure on the victim to pay the ransom.
In a double-extortion attack, a ransomware group first steals information from the target organisation’s network and then encrypts files on the compromised machines. The stolen data becomes powerful leverage: victims are threatened with the release of their sensitive information if the ransom is not paid.
The data that the Clop ransomware gang stole through the MOVEit Transfer platform in May is now being published on a clearweb website, where it is open to anyone. The group exploited a previously unknown vulnerability in the secure file transfer software, leading to a massive data breach that affected numerous businesses and government organisations around the world.
Notably, Clop chose to present the material as downloadable files rather than organising it into an easily searchable form. More unexpectedly, it hosted the website on the clear web rather than on the Tor network, which has historically been the regular practice for ransomware data leaks.
Ransomware data leak sites are normally hosted on the Tor network because it makes it difficult for law enforcement to take the site down. That hosting approach, however, has its own drawbacks for the ransomware operators.
Clop Ransomware Employed New Technique
A clearweb website is hosted directly on the public Internet rather than on an anonymity network such as Tor. This makes the data easier to retrieve and is likely to result in search engines indexing the material, which would spread the leaked data more widely.
Tor-hosted leak sites, by contrast, require the Tor Browser to access, cannot be indexed by search engines, and typically offer slow download speeds.
The first of the Clop group’s clearweb sites targeted the business consultancy PwC; the company’s stolen data, split into four ZIP archives, was leaked through it. The threat actors also created sites for Kirkland, TD Ameritrade, EY (Ernst & Young), and Aon.
Unlike the elaborate sites ALPHV set up the previous year, Clop’s sites are simple: they merely offer links to download the material, rather than a searchable database like BlackCat’s sites.
The Clop ransomware group may believe this to be a more effective extortion strategy. Because of their constrained reach, darknet services hosted via Tor are no longer attractive for releasing data: whatever privacy Tor offers, the sites cannot be visited without the Tor Browser. On the surface web, by contrast, anyone who has the website address can quickly retrieve the stolen data.
All known Clop clearweb extortion websites are currently down. Whether this is due to law enforcement seizures, DDoS attacks by cybersecurity companies, or shutdowns by hosting providers and registrars is not yet known. Given how easily these sites can be taken down, it raises questions about the viability of this extortion approach.
Successful ransomware attacks are most often preceded by phishing emails. Help your colleagues keep a security-first mindset and boost your human firewall by starting your Phishing Tackle security awareness training today with our two-week free trial.