Jump to content
  • Clop ransomware now uses torrents to leak data and evade takedowns


    Karlston

    • 676 views
    • 3 minutes
     Share


    • 676 views
    • 3 minutes

    The Clop ransomware gang has once again altered extortion tactics and is now using torrents to leak data stolen in MOVEit attacks.

     

    Starting on May 27th, the Clop ransomware gang launched a wave of data-theft attacks exploiting a zero-day vulnerability in the MOVEit Transfer secure file transfer platform.

     

    Exploiting this zero-day allowed the threat actors to steal data from almost 600 organizations worldwide before they realized they were hacked.

     

    On June 14th, the ransomware gang began extorting its victims, slowly adding names to their Tor data leak site and eventually publicly releasing the files.

     

    However, leaking data via a Tor site comes with some drawbacks, as the download speed is slow, making the leak, in some cases, not as damaging as it could be if it was easier to access the data.

     

    To overcome this, Clop created clearweb sites to leak stolen for some of the MOVEit data theft victims, but these types of domains are easier for law enforcement and companies to take down.

    Moving to torrents

    As a new solution to these issues, Clop has begun to use torrents to distribute data stolen from MOVEit attack.

     

    According to security researcher Dominic Alvieri, who first spotted this new tactic, torrents have been created for twenty victims, including Aon, K & L Gates, Putnam, Delaware Life, Zurich Brazil, and Heidelberg.

     

    As part of this new extortion method, Clop has set up a new Tor site providing instructions on how to use torrent clients to download the leaked data and lists of magnet links for the twenty victims.

     

    torrent-list.jpg

    List of available Clop torrentsSource: BleepingComputer

     

    As torrents use peer-to-peer transfer among different users, the transfer speeds are faster than the traditional Tor data leak sites.

     

    In a brief test by BleepingComputer, this method resolved the poor data transfer issues, as we were receiving 5.4 Mbps data transfer speeds, even though it was only seeded from one IP address in Russia.

     

    Furthermore, as this distribution method is decentralized, there is no easy way for law enforcement to shut it down. Even if the original seeder is taken offline, a new device can be used to seed the stolen data as necessary.

     

    If this proves successful for Clop, we will likely see them continue to utilize this method to leak data as it’s easier to set up, does not require a complex website, and may further pressure victims due the increased potential for broader distribution of stolen data.

     

    Coveware says Clop is expected to earn $75-$100 million dollars in extortion payments. Not because many victims are paying but because the threat actors have successfully convinced a small number of companies to pay very large ransom demands.

     

    Whether or not the use of torrents will lead to more payments is yet to be determined; however, with these earnings, it may not matter.

     

    Source


    User Feedback

    Recommended Comments

    There are no comments to display.



    Join the conversation

    You can post now and register later. If you have an account, sign in now to post with your account.
    Note: Your post will require moderator approval before it will be visible.

    Guest
    Add a comment...

    ×   Pasted as rich text.   Paste as plain text instead

      Only 75 emoji are allowed.

    ×   Your link has been automatically embedded.   Display as a link instead

    ×   Your previous content has been restored.   Clear editor

    ×   You cannot paste images directly. Upload or insert images from URL.


  • Recently Browsing   0 members

    • No registered users viewing this page.
×
×
  • Create New...