The Week in Ransomware – June 9th 2023 – It’s Clop… Again!

The week was dominated by fallout over the MOVEit Transfer data-theft attacks, with the Clop ransomware gang confirming that they were behind them.

On Monday, Microsoft was the first to attribute the attacks to the Clop ransomware operation, followed by the threat actors that they started exploiting servers on May 27th.

After analyzing historic telemetry, Kroll security experts also found that the Clop gang likely tested the MOVEit Transfer zero-day since 2021 in limited attacks.

As expected, we are just starting to see the fallout from the attacks, with victims coming forward with announcements and data breach notifications.

The companies that have disclosed MOVEit Transfer breaches so far are listed below:

  • Zellis – Their breach also impacted eight companies, including BBC, Aer Lingus, Boots, and British Airways.
  • University of Rochester
  • Government of Nova Scotia
  • Extreme Networks
  • US state of Illinois
  • Minnesota Department of Education (MDE)

In other news, the Royal Ransomware gang has begun to test a new BlackSuit encryptor in limited attacks. As this is a self-contained ransomware operation with its own encryptor, Tor negotiation site, and data leak site, it’s unclear how they plan on using BlackSuit in the future.

Other research released this week is on the new ransomware variants called Cyclops and Xollam.

There was an interesting development regarding Rhysida’s ransomware attack on the Chilean army, with an Army corporal arrested for alleged involvement.

We also saw an attack on Japanese pharmaceutical company Eisai and Australia’s largest commercial law firm, HWL Ebsworth, refusing to give into ALPHV’s extortion demands.

Finally, we would be remiss for not sharing the excellent map of ransomware operations created by CERT Orange Cyberdefense threat intelligence researcher Marine Pichon.

Contributors and those who provided new ransomware information and stories this week include:

June 4th 2023

CISA orders govt agencies to patch MOVEit bug used for data theft

CISA has added an actively exploited security bug in the Progress MOVEit Transfer managed file transfer (MFT) solution to its list of known exploited vulnerabilities, ordering U.S. federal agencies to patch their systems by June 23.

Rhysida ransomware group claims attack on Martinique

DataBreaches did not review all of the files leaked by the Rhysida ransomware group, but as the screencap of just a small portion of the file listing suggests, they do appear to be government-related files. Unlike other groups that often provide a brief summary of what kinds of files they are leaking, Rhysida offers no information on the size of the data leak or its contents.

June 5th 2023

Microsoft links Clop ransomware gang to MOVEit data-theft attacks

Microsoft has linked the Clop ransomware gang to recent attacks exploiting a zero-day vulnerability in the MOVEit Transfer platform to steal data from organizations.

Clop ransomware claims responsibility for MOVEit extortion attacks

The Clop ransomware gang has told they are behind the MOVEit Transfer data-theft attacks, where a zero-day vulnerability was exploited to breach servers belonging to “hundreds of companies” and steal data.

A martial hacker: PDI detains an Army corporal for cyber attack on the internal networks of the military institution

This is related to the Rhysida ransomware attack on Chilean military.

According to sources in the case, a series of electronic devices were seized from the soldier, which are now being examined by detectives. He was prosecuted for the crime of infringing the computer crime law, and after that he was in preventive detention.

Cyclops Ransomware and Stealer Combo: Exploring a Dual Threat

The Cyclops group is particularly proud of having created ransomware capable of infecting all three major platforms: Windows, Linux, and macOS. In an unprecedented move, it has also shared a separate binary specifically geared to steal sensitive data, such as an infected computer name and a number of processes. The latter targets specific files in both Windows and Linux.

New Dharma ransomware variants

PCrisk found new Dharma ransomware variants that append the .NBR and .thx extensions.

New STOP ransomware variants

PCrisk found new STOP ransomware variants that append the .nerz.neon, and .neqp extensions.

June 6th 2023

Xollam, the Latest Face of TargetCompany

After first being detected in June 2021, the TargetCompany ransomware family underwent several name changes that signified major updates in the ransomware family, such as modifications in encryption algorithm and different decryptor characteristics.

June 7th 2023

CL0P Ransomware Gang Exploits CVE-2023-34362 MOVEit Vulnerability

According to open source information, beginning on May 27, 2023, CL0P Ransomware Gang, also known as TA505, began exploiting a previously unknown SQL injection vulnerability (CVE-2023-34362) in Progress Software’s managed file transfer (MFT) solution known as MOVEit Transfer.

June 8th 2023

Royal ransomware gang adds BlackSuit encryptor to their arsenal

The Royal ransomware gang has begun testing a new encryptor called BlackSuit that shares many similarities with the operation’s usual encryptor.

Clop ransomware likely testing MOVEit zero-day since 2021

The Clop ransomware gang has been looking for ways to exploit a now-patched zero-day in the MOVEit Transfer managed file transfer (MFT) solution since 2021, according to Kroll security experts.

An amazing map the ransomware ecosystem and its evolution

Marine Pichon put together an amazing, and likely painstaking, map illustrating the ransomware operations and the groups they are affiliated with. Well worth taking a look.

Japanese pharma giant Eisai discloses ransomware attack

Pharmaceutical company Eisai has disclosed it suffered a ransomware incident that impacted its operations, admitting that attackers encrypted some of its servers.

New Dharma variant

PCrisk found a new Dharma ransomware variant that appends the .mono extension.

June 9th 2023

BlackCat ransomware fails to extort Australian commercial law giant

Australian law firm HWL Ebsworth confirmed to local media outlets that its network was hacked after the ALPHV ransomware gang began leaking data they claim was stolen from the company.

University of Manchester says hackers ‘likely’ stole data in cyberattack

The University of Manchester warns staff and students that they suffered a cyberattack where threat actors likely stole data from the University’s network.

That’s it for this week! Hope everyone has a nice weekend!

NOTE:: This article is copyright by and we are using it for educational or Information purpose only

The Best Ransomware Protection