Cl0p Ransomware Gang Tries to Topple the House of Cards

When I wrote the introduction for our recent report Organizations at Risk: Ransomware Attackers Don’t Take Holidays, I described current factors and trends with the potential to disrupt the upcoming holiday season. 

“Combine that with a fragile economy, struggling supply chain logistics, and the likelihood of a significant ransomware attack during the upcoming holidays and we have a house of cards scenario that could collapse if anything bumps the proverbial table.”

The Cl0p ransomware gang just tried to bump the table.

Struggling Supply Chain

Swire Pacific Offshore (SPO) reported that it suffered a ransomware attack in which the attackers were able to compromise sensitive employee information. The Cl0p ransomware gang claimed responsibility and shared screenshots of some of the data as verification. The world is struggling to address shipping and supply chain issues, so an attack on a shipping company could potentially have a tragic ripple effect.

Cl0p Ransomware Gang

We have been monitoring the Cl0p ransomware gang since 2020, so we are very familiar with how the group operates. It seems that SPO’s compromised data was exfiltrated primarily from email archives—which fits with their history of targeting vulnerable Microsoft Exchange Servers. 

The Cl0p ransomware gang was the focus of a 30-month international investigation dubbed “Operation Cyclone” that resulted in 20 raids across Ukraine after the group targeted E-Land in a two-pronged attack combining point-of-sale malware and ransomware. The fact that the group survived that scrutiny and is still active indicates that the main members were not caught in those raids. They are most likely based in Russia—which has a history of tacitly supporting cybercriminals with state-condoned and state-ignored attacks. 

To Pay or Not to Pay?

Thankfully, it seems like the house of cards will survive this attack. The company stated that no confidential company data was compromised or exposed, and the attack failed to have any material impact on operations. Shipping and the supply chain should not be affected by this attack. 

Of course, that doesn’t help the employees who had sensitive personal data stolen or exposed. We don’t know if SPO has been able to restore data from backups, or whether they are negotiating to reduce the ransom demand or perhaps have already paid the ransom to prevent any further leaking of employee data. 

The question of whether or not to pay a ransom is difficult. It may seem expedient to simply pay the ransom and get back to business as usual, but it’s not that simple. It’s not a good idea to pay a ransom unless not doing so risks human life or public safety, or poses an existential threat to the survival of the company. We shared results of research earlier this year that revealed that nearly half of organizations that pay a ransom are still unable to recover all of their data. We also discovered that 80 percent of companies that admitted paying a ransom were hit a second time—often by the same ransomware gang.

The cooperation between allied nations and between the public and private sector is encouraging, and will help bring cybercriminals to justice. With countries like Russia providing safe harbor, though, that is still a significant challenge. It also doesn’t directly help organizations that are victims of ransomware attacks, or do anything to protect you from being the next victim. 

You can expect that ransomware gangs will be putting in overtime during the remaining holidays this year to try to topple that house of cards. You need to have the right tools in place to detect and stop ransomware before your data is encrypted, and make sure you have a specific plan in place to quickly and effectively respond to a ransomware attack over a weekend or holiday. 

About the Author

Lior Div

Lior Div, CEO and co-founder of Cybereason, began his career and later served as a Commander in the famed Unit 8200. His team conducted nation-state offensive operations with a 100% success rate for penetration of targets. He is a renowned expert in hacking operations, forensics, reverse engineering, malware analysis, cryptography and evasion. Lior has a unique perspective on the most advanced attack techniques and how to leverage that knowledge to gain an advantage over the adversary. This perspective was key to developing an operation-centric approach to defending against the most advanced attacks and represents the direction security operations must take to ensure a future-ready defense posture.