The Clop ransomware group [1] [2] [3] [4], known for its high level of activity in cybercrime, has recently changed its tactics by using torrents to leak corporate data. This new approach allows for faster downloads and makes it harder for intelligence agencies to track the data.

Description

Security researcher Dominic Alvieri shared screenshots on Twitter showing that data from big-name victims, including Landal GreenParks and Aon, is now being distributed through P2P sharing [1] [2]. The move to torrents is most likely because large data dumps are slow to download from the group's leak site [1]. So far, twenty victims have had their data leaked via torrents [2].

Clop was responsible for 40 percent of all ransomware attacks in June and commonly targets government entities, healthcare institutes, and the banking sector [2]. The group is associated with the LockBit ransomware, which has also targeted the major Japanese port of Nagoya [2].

This is not the first time Clop has experimented with making stolen data more accessible: it has previously created surface web sites for specific breached organizations [1]. In the recent MOVEit campaign, over 200 organizations were impacted, although the full extent of the impact is unclear [2]. Clop compromised hundreds of victims by exploiting a zero-day bug in the MOVEit managed file transfer software, affecting millions of end users [1]. Organizations affected include K&L Gates, Putnam, Delaware Life, Zurich Brazil [1] [3], and Heidelberg [3].

Another recent tactic employed by ransomware groups, including Clop, involved hijacking a university's mass alert system to pressure staff and students to lobby for payment [1] [3]. Maximus, a government contractor in Virginia, admitted that between eight and 11 million individuals may have had their personal information compromised in the campaign [1].

The adoption of torrents by Clop for distributing data stolen in the MOVEit attacks has proven successful, offering faster transfer speeds and decentralized distribution that make the leaks difficult for law enforcement to shut down. Given these advantages, it is likely that Clop will continue to use torrents for future data leaks.

Conclusion

The use of torrents by the Clop ransomware group has had significant impact. It allows for faster downloads, makes it harder for intelligence agencies to track the data, and, because distribution is decentralized, leaves law enforcement with no single point at which to shut it down. Having proven successful, the tactic is likely to be reused by Clop for future data leaks, posing ongoing challenges for cybersecurity and law enforcement agencies.

References

[1] https://www.infosecurity-magazine.com/news/clop-gang-offers-data-downloads/
[2] https://www.techzine.eu/news/security/109729/moveit-hackers-now-leak-data-through-torrents/
[3] https://satproviders.com/news/clop-ransomware-now-uses-torrents-to-leak-data-and-evade-takedowns/160881/
[4] https://cyber.vumetric.com/security-news/2023/08/05/clop-ransomware-now-uses-torrents-to-leak-data-and-evade-takedowns/