Clop Ransomware Now Uses Torrents to Leak Data and Evade Takedowns

Cyber Security Threat Summary:
The Clop ransomware gang has changed its extortion approach once more, now using torrents to release the data it stole during the MOVEit attacks. The gang began extorting victims on June 14 by gradually adding names to its Tor data leak site and eventually publishing the files. However, the slow download speeds of Tor sites limited the damage it could inflict. To address this, Clop created clearweb sites for leaking stolen data, but those are more easily taken down by law enforcement and by the affected companies. As a further workaround, Clop has now turned to torrents to distribute the data stolen in the MOVEit attacks.

“According to security researcher Dominic Alvieri, who first spotted this new tactic, torrents have been created for twenty victims, including Aon, K & L Gates, Putnam, Delaware Life, Zurich Brazil, and Heidelberg. As part of this new extortion method, Clop has set up a new Tor site providing instructions on how to use torrent clients to download the leaked data and lists of magnet links for the twenty victims. As torrents use peer-to-peer transfer among different users, the transfer speeds are faster than the traditional Tor data leak sites. In a brief test by BleepingComputer, this method resolved the poor data transfer issues, as we were receiving 5.4 Mbps data transfer speeds, even though it was only seeded from one IP address in Russia. Furthermore, as this distribution method is decentralized, there is no easy way for law enforcement to shut it down. Even if the original seeder is taken offline, a new device can be used to seed the stolen data as necessary” (BleepingComputer, 2023).

Security Officer Comments:
If this approach proves successful for Clop, the gang is likely to keep using it to leak data: it is easier to set up, does not require a complex website, and puts more pressure on victims because the stolen data spreads more widely. According to Coveware, Clop is projected to earn $75-100 million through extortion payments. Not many victims may be paying, but the threat actors have convinced a few companies to pay substantial ransom demands, which accounts for these high earnings. Whether the use of torrents will lead to more payments remains uncertain, but with earnings this large, it might not make a difference.

Suggested Correction(s):
Back up your data, system images, and configurations, test the backups regularly, and keep them offline: Ensure that backups are tested regularly and are not connected to the business network, as many ransomware variants try to find and encrypt or delete any backups they can reach. Keeping current backups offline is critical because, if your network data is encrypted by ransomware, it is what allows your organization to restore its systems.

Update and patch systems promptly: This includes keeping operating systems, applications, and firmware up to date in a timely manner. Consider using a centralized patch management system, and use a risk-based assessment strategy to drive your patch management program.

Test your incident response plan: Nothing exposes the gaps in a plan like testing it. Work through some core questions and use the answers to build your incident response plan: Can you sustain business operations without access to certain systems? For how long? Would you shut down manufacturing operations if business systems such as billing were offline?

Check your security team's work: Use a third-party penetration tester to test the security of your systems and your ability to defend against a sophisticated attack. Many ransomware criminals are aggressive and sophisticated and will find the equivalent of unlocked doors.

Segment your networks: There has been a recent shift in ransomware attacks, from stealing data to disrupting operations. It is critically important that your corporate business functions and your manufacturing/production operations are separated. Carefully filter and limit internet access to operational networks, identify the links between these networks, and develop workarounds or manual controls so that ICS networks can be isolated and keep operating if your corporate network is compromised. Regularly test contingency plans such as manual controls so that safety-critical functions can be maintained during a cyber incident.

Train employees: Email remains the most exploited attack vector for organizations. Users should be trained to spot and avoid phishing emails. Multi-factor authentication can help prevent malicious access to sensitive services.