Security advisories — Jun 16, 2021

Clop (Cl0p) Ransomware Gang Currently Claims 57 Victims on Leak Site, as Six Clop Gang Members Arrested in Ukraine Today


News broke earlier today that six members of the Clop (Cl0p) ransomware gang were arrested in Kiev, Ukraine, and in surrounding towns by the Cyber Police Department of the National Police of Ukraine, working in cooperation with law enforcement officials from South Korea (the Republic of Korea) and the United States. eSentire’s security research team, the Threat Response Unit (TRU), confirmed the arrests from a report on the official website of the Ukrainian police. According to the police report, along with arresting the six members, the police seized a Tesla, a Mercedes, the equivalent of $185,000 USD in cash, and computer equipment. The report also states that the authorities were able to shut down the IT infrastructure (servers) used by the Clop group. The police report went on to state that the six persons arrested could face up to eight years in prison for their part in the ransomware schemes, which are estimated to have caused $500 million in total damages.

As of 1 p.m. EST, June 16, 2021, Clop’s leak/blog site is still up and running on the underground. On the site, they claim to have compromised 57 companies in total, 39 of them since January 1, 2021. Recent victims they claim to have compromised include a $3.3 billion pharmaceutical company out of India. This would not be off target for Clop, since they hit ExecuPharm, a Pennsylvania-based subsidiary of the U.S. biopharmaceutical giant Parexel, in 2020. ExecuPharm provides clinical trial management tools for biopharmaceutical companies.

Clop also compromised the multimillion-dollar California company Utility Trailer Manufacturing, one of the largest U.S. producers of trailers for the trucking industry. When listing Utility Trailer Manufacturing on their leak site in April, they offered as proof of the breach a variety of employee files containing sensitive data. Utility Trailer confirmed the breach. Clop also lists on their leak site the supermarket chain Foodland. According to one news outlet, an email was sent to Foodland customers stating: “buyers, partners, employees and owners of Foodland that confidential information such as names, addresses, social security numbers, phone numbers and email was stolen.” Lawyers for Foodland Supermarkets Ltd. issued an April 23, 2021, notification of a data breach due to a ransomware attack, which was said to have occurred on April 3, 2021. Foodland is Hawaii’s largest locally owned and operated grocery retailer. The chain has 33 stores and more than 2,600 employees. Interestingly, Clop claimed on their blog/leak site that Foodland was one of their victims prior to Foodland going public with the news on April 23. The Clop gang also claims to have recently hit a regional law firm out of Maryland.

The Clop attacks began in February 2019 and rose to prominence in October 2020, when the Clop operators became the first group to demand a ransom of more than $20 million. The victim, the German tech firm Software AG, refused to pay.

Several of Clop’s 2021 victims are reported to be the result of the supply chain attack against Accellion, a company that provides a file transfer application to companies around the world. It is not known whether the Clop gang was behind the cyberattack against Accellion or whether the Clop operators were given access to the data by the Accellion hackers. Either way, it is notable how this particular ransomware gang got access to the data of so many Accellion customers. Clop claims to have gotten their hands on data from Dutch oil giant Royal Shell, security company Qualys, U.S. bank Flagstar, global law firm Jones Day, the University of Colorado, the University of Miami, Canadian jet manufacturer Bombardier, Stanford University, and the University of California, among others.

In early April 2021, Clop threat actors tried to extort RaceTrac Petroleum, another Accellion victim. RaceTrac is an Atlanta-based company that operates more than 650 retail gasoline convenience stores in 12 southeastern states. According to a statement made on RaceTrac’s website, the Clop threat actors gained access to some of the company’s Rewards Loyalty users’ data: “By exploiting a previously undetected software vulnerability, unauthorized parties were able to access a subset of RaceTrac data stored in the Accellion File Transfer Service, including email addresses and first names of some of the company’s RaceTrac Rewards Loyalty users.”

“We feel that the Clop ransomware gang is particularly lethal because not only do they encrypt companies’ and organizations’ critical data, causing many to temporarily shut down their operations, but they go to great lengths to extort ransom payments from their victims by notifying the victim company’s customers, partners and employees of the breach and by publishing sensitive data of the victim company’s employees, such as driver’s licenses, passports, correspondence containing mailing addresses, annual salaries, etc.,” said Rob McLeod, Sr. Director of the TRU team. “Any threat actor can go down to the underground and view these documents on the Clop website, and potentially use this sensitive data for their own cyber scams.”

Clop made headlines in 2021 for their tactic of combing through victims’ stolen data to retrieve contact information for the company’s customers and partners, then emailing those contacts and urging them to pressure the victim company into paying the ransom. Clop operators’ emails typically say that the recipient is being contacted because they are a customer of the victim organization, and that their personal data, including phone numbers, email addresses, and financial information, will soon be leaked on a Dark Web site if the company does not pay the ransom. The note below was published by security reporter Brian Krebs and is said to be a message sent to a RaceTrac rewards member. (See image 1.)

Image 1: Note from the Clop ransomware gang to a member of the RaceTrac rewards club.

For more information about this threat and how to protect against it, go to https://www.esentire.com/get-started
