Recent Clop ransomware attacks are a reminder to veterinary practices around the world that attackers are evolving and devising new methods to exert maximum pressure on their victims.
To achieve this, the ransomware operation is contacting clients of organizations it has successfully compromised and urging those clients to press their organization to pay the ransom, or else the hacked data will be released on the internet. Using email addresses obtained from the hacked organization, the gang not only informs clients that their data has been compromised but also threatens that, if its demands are not met, all of the information will be leaked online.
Why threaten victims’ clients?
Clop ransomware was among the first to adopt the tactic of stealing data from its victims before encrypting the network, then using the stolen data in a double-extortion scheme: the gang threatens to release the data if the ransom is not paid.
The cybercriminal gang behind Clop ransomware attacks has come to the realization that unencrypted data can also be valuable in achieving its goals. The stolen data may contain personal information such as credit card numbers, social security numbers and government-issued identification, which many clients of a hacked organization would never want made public. Under regulations such as CCPA and GDPR, if a cybercriminal gains access to three pieces of data about your clients that together allow an individual to be personally identified (for example, the full name, address and phone number of John Smith of Denver, CO), you as the business owner are liable for protecting that information.
Clop ransomware transmission
Clop ransomware's primary mode of transmission is spam and phishing emails, trojans and fake software updates. This spray-and-pray model has been the most effective method of attack for many years because it is easy to carry out and relies on the gullibility of internet users.
However, the criminal gang behind the ransomware has also devised new ways of targeting top executives of the organizations it attacks, whom it believes will have access to the company's or organization's most crucial data. Its main goal is to extort as much money as possible as quickly as it can.
For a veterinary practice, a Clop ransomware attack would involve targeting the practice owner's or the management's computer systems. This helps the attackers gain the full attention of their targets and also gives them access to the sensitive information stored on the computers used by the practice's top executives.
Clop ransomware attacks
Clop ransomware, first discovered in February 2019 and believed to be a variant of the CryptoMix malware, has stepped up its attacks in the last few months, targeting organizations that it deemed more likely to pay the ransom. In October 2020, it became the first known ransomware to demand a ransom of over $20 million after it targeted the German tech firm Software AG. Since then, the frequency of its attacks has only increased; these are some of its latest attacks:
Bombardier Inc attack
Bombardier, one of the world's largest business jet manufacturers with over 16,000 employees and a revenue of $6.5 billion, was targeted early this year by Clop ransomware.
The attack on Bombardier was the result of a supply chain attack in which the Accellion file transfer application was compromised, exposing personal and confidential data of employees, customers and suppliers to cybercriminals.
Reports indicate that, after the Clop gang stole data from the company, it started contacting journalists by email, informing them that it had hacked Bombardier Inc. It also leaked a small amount of data on its ransomware data leak website to put more pressure on the company to agree to pay a ransom.
However, after the cybercriminals' initial leaks, Bombardier Inc decided to go public with the information that its systems had been compromised, foiling the Clop ransomware gang's plan of using blackmail to extort money.
Bombardier insisted that the company's network was isolated from the Accellion FTA servers, so the attackers were not able to reach critical parts of its infrastructure.
The attackers were also able to gain access to data from the Kroger supermarket chain, the Reserve Bank of New Zealand and the Office of the Washington State Auditor through the Accellion FTA. Data from all of these organizations was published online, and some reports indicate that some of the companies also had their data encrypted.
Flagstar Bank was also compromised through a supply chain attack after its Accellion file transfer server was breached earlier this year.
After the bank went months without going public about the initial attack, the Clop ransomware gang started emailing its customers directly, notifying them that it had compromised their data. The data taken from the firm included social security numbers, names and banking information.
Flagstar Bank had to come clean as pressure mounted on it to reveal the extent of the data the hackers had stolen. The hackers also exposed that former clients who no longer did business with the institution had had their data stolen as well; the bank confirmed that, although these clients had closed their accounts, their information was still held on the servers that had been compromised.
The cybercriminals also leaked the bank employees' details, including their addresses, names and social security numbers, on their website in a bid to put more pressure on the bank to pay a ransom.
University of Colorado’s Accellion hack
After hacking the University of Colorado through a supply chain attack on Accellion, the gang emailed the university's clients about the leak and demanded $17 million for the attack to stop. However, the university, on the advice of the FBI, decided not to pay the ransom, which resulted in its data being leaked on the gang's website.
The takeaway for veterinary practices
Practice owners should know that Clop ransomware attacks are not random. The gang targets organizations and institutions that it believes can pay a ransom in exchange for their data.
Veterinary practices, just like the other organizations that have been compromised, keep personal data of their clients, such as addresses and sometimes social security numbers, in their systems. They are therefore not exempt from Clop ransomware attacks, and if an attack happens, they should be prepared to get their systems back up and to notify their clients that they have been compromised.