The CL0P (aka TA505) ransomware crew recently hit the state of Illinois computer systems, exploiting a flaw in the MOVEit Transfer file-sharing software to launch a wide-ranging cyber assault.
Illinois officials confirmed the May 31 cyberattack, which also hit the British Broadcasting Company (BBC), British Airways and Nova Scotia, Canada’s government, an Associated Press report said. A retail chain in the U.K. and the Walgreen’s pharmacy were also attacked, Crain’s Chicago Business reported.
Cybersecurity experts said that CL0P had been investigating targets and stealing data two months before the Illinois attack, the AP said.
The Federal Bureau of Investigation (FBI) and the Cybersecurity and Infrastructure and Security Agency (CISA) both pointed the finger at CL0P as responsible for the attacks.
CISA's Advice for CLoP Ransomware Victims
CISA issued a set of mitigations for organizations hit by the ransomware to protect themselves:
- Take an inventory of assets and data, identifying authorized and unauthorized devices and software.
- Grant admin privileges and access only when necessary, establishing a software allow list that only executes legitimate applications.
- Monitor network ports, protocols, and services, activating security configurations on network infrastructure devices such as firewalls and routers.
- Regularly patch and update software and applications to their latest versions and conduct regular vulnerability assessments.
CL0P Gang Requests Ransoms
Managed service providers (MSPs) are a favorite target of the CL0P gang, responsible for 11% of attacks in 2022, according to a ConnectWise report. There is no word at this point if this attack has spread to service providers.
However, on its website, CL0P suggested that the attack could have spread to hundreds of organizations. The gang gave victims two weeks, until June 14, to negotiate a ransom or its data would appear on public websites.
In commenting on the TA505 attacks, CISA said:
“Considered to be one of the largest phishing and malspam distributors worldwide, TA505 is estimated to have compromised more than 3,000 U.S.-based organizations and 8,000 global organizations."