Cl0p Ransomware Gang Attempt To Overthrow The House Of Cards

When I wrote the introduction to our recent report Organizations at risk: Ransomware attackers don’t take vacations, I outlined the current factors and trends that may affect the upcoming holiday season.

“Combine that with a fragile economy, struggling supply chain logistics and the likelihood of a major ransomware attack over the next vacation and we have a house of cards scenario that could collapse if something hits the proverbial table.”

The Clop ransomware gang just tried to overturn the table.

Struggling supply chain

Swire Pacific Offshore (SPO) has disclosed that it suffered a ransomware attack in which attackers may have compromised sensitive employee information. The Cl0p ransomware gang claimed responsibility and shared screenshots of some of the data as proof. The world is already struggling to resolve shipping and supply chain problems, so an attack on a shipping company could have a damaging ripple effect.

Cl0p Ransomware Gang

We have been tracking the Cl0p ransomware gang since 2020, so we know how the group operates very well. It appears that SPO’s compromised data was exfiltrated primarily from email archives, which matches the group’s history of targeting vulnerable Microsoft Exchange servers.

The Cl0p ransomware gang was the subject of a 30-month international investigation dubbed “Operation Cyclone”, which resulted in 20 raids across Ukraine after the group targeted E-Land with a two-front attack combining point-of-sale malware and ransomware. The fact that the group survived this scrutiny and is still active indicates that the core members were not caught up in these raids. They are most likely based in Russia, where the state has a habit of tacitly supporting cybercriminals by tolerating and ignoring their attacks.

To pay or not to pay?

Fortunately, it looks like the House of Cards will survive this attack. The company said no confidential company data had been compromised or exposed and the attack had no significant impact on operations. Shipping and the supply chain are not expected to be affected by this attack.

Of course, this does not help the employees whose sensitive personal data was stolen or exposed. We don’t know whether SPO was able to restore its data from backups, whether it is negotiating to reduce the ransom demand, or whether it has already paid the ransom to prevent further leaks of employee data.

The question of whether or not to pay a ransom is difficult. It might seem like a good idea to just pay the ransom and resume business as usual, but it’s not that simple. Paying a ransom is not a good idea unless refusing would endanger human life or public safety, or pose an existential threat to the survival of the business. We shared the results of research earlier this year which revealed that nearly half of organizations that pay a ransom are still unable to recover all of their data. We also found that 80% of companies that admitted to paying a ransom were hit a second time, often by the same ransomware gang.

Cooperation among allied nations and between the public and private sectors is encouraging and will help bring cybercriminals to justice. However, with countries like Russia providing a safe haven, this remains a significant challenge. It also does not directly help organizations that fall victim to ransomware attacks, nor does it do anything to protect you from being the next victim.

You can expect ransomware gangs to work overtime during the remaining holidays this year to try to topple this house of cards. You need the right tools to detect and stop ransomware before your data is encrypted, and you need a specific plan in place to respond quickly and effectively to a ransomware attack over a weekend or holiday.