Introduction

Fraudsters are exploiting the reputation of the Clop ransomware gang, operated by the cybercriminal group TA505 [4], to deceive businesses into paying ransoms by falsely claiming data theft. The tactic combines impersonation of the gang with the exploitation of vulnerabilities in managed file transfer (MFT) software, and poses significant risk to organizations.

Description

Fraudsters are impersonating the Clop ransomware gang [1] [2] [3] [5] [6], operated by the cybercriminal group TA505 [4], to extort businesses by falsely claiming to have stolen sensitive data [2] [3]. They exploit vulnerabilities in managed file transfer (MFT) software [3] [4] [6], specifically software from the firm Cleo and the MOVEit Transfer platform; the latter has been associated with significant data breaches affecting high-profile victims such as the BBC, British Airways [4], and Ernst & Young [4]. Recent campaigns have highlighted the exploitation of CVE-2023-34362 in MOVEit Transfer and two critical vulnerabilities in Cleo’s software, CVE-2024-50623 and CVE-2024-55956, both rated 9.8 out of 10 in severity [7]. These vulnerabilities allow attackers to remotely execute commands on affected systems [7], giving them unauthorized access to victim networks and the ability to download sensitive information without traditional file encryption. In one incident, attackers exploited a vulnerability in Cleo [2] [3], gained access to a victim company’s network and downloaded data from its servers [2].

In their fraudulent extortion emails, attackers assert that they have exfiltrated data [6], often referencing media coverage of actual Clop ransomware attacks to enhance their credibility [5]. These emails typically warn that failure to pay the ransom will result in the publication of the stolen data on Clop’s official blog and provide multiple contact email addresses for negotiation [3]. However, these communications usually lack critical elements associated with genuine Clop extortion demands [6], such as a 48-hour payment deadline and links to secure chat channels for ransom negotiations [2] [5]. Researchers have noted that the absence of these elements strongly suggests the communication is a scam.
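As an added illustration of the triage signals described above (not part of the original report), the following Python heuristic checks an extortion email for the elements the report associates with genuine Clop demands (a 48-hour deadline, secure chat links) and with impersonators (media references, several contact addresses). The use of Tor .onion URLs to represent "secure chat channels", the keyword lists and the two sample messages are assumptions constructed for this example.

```python
import re
from dataclasses import dataclass

# Signals taken from the report: genuine Clop demands carry a 48-hour payment
# deadline and secure chat links; impersonators instead cite media coverage,
# threaten publication on Clop's blog and list several contact email addresses.
DEADLINE_RE = re.compile(r"\b48\s*(?:hours|hrs|h)\b", re.IGNORECASE)
# Assumption: a "secure chat channel" link is a Tor .onion URL.
ONION_RE = re.compile(r"https?://[a-z2-7]{16,56}\.onion\b", re.IGNORECASE)
EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+\.[\w.-]+")
MEDIA_RE = re.compile(r"\b(?:news|article|press|headline|media|reported)\b", re.IGNORECASE)


@dataclass
class Triage:
    has_deadline: bool
    has_secure_chat: bool
    contact_emails: int
    cites_media: bool
    verdict: str


def triage_extortion_email(body: str) -> Triage:
    """Score one extortion email body against the report's indicators."""
    has_deadline = bool(DEADLINE_RE.search(body))
    has_secure_chat = bool(ONION_RE.search(body))
    emails = {m.lower() for m in EMAIL_RE.findall(body)}
    cites_media = bool(MEDIA_RE.search(body))
    missing_genuine_markers = (not has_deadline) + (not has_secure_chat)
    if missing_genuine_markers == 2 and (cites_media or len(emails) > 1):
        verdict = "likely impersonation"
    elif missing_genuine_markers == 0:
        verdict = "consistent with genuine demand: escalate to IR"
    else:
        verdict = "inconclusive: verify for actual intrusion evidence"
    return Triage(has_deadline, has_secure_chat, len(emails), cites_media, verdict)


# Constructed sample messages (not real ransom notes) for demonstration.
SAMPLE_FRAUD = """We downloaded data from your servers via the Cleo vulnerability,
as the news has reported about our recent attacks. Pay or it goes on our blog.
Contact: support1@example.com or support2@example.org
"""
SAMPLE_GENUINE_STYLE = """Your files were downloaded. You have 48 hours to contact us.
Chat: http://abcdefghijklmnop.onion/chat
"""

if __name__ == "__main__":
    for sample in (SAMPLE_FRAUD, SAMPLE_GENUINE_STYLE):
        print(triage_extortion_email(sample))
```

Whatever the verdict, treat the email as a prompt to check MFT systems for real intrusion evidence rather than as proof on its own.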

Organizations must prioritize vulnerability management and patching [4], particularly for internet-facing systems and file transfer software [4], to defend against Clop ransomware [4]. Specific recommendations include applying official patches for MOVEit Transfer and GoAnywhere MFT [4], monitoring for indicators of compromise [4], and auditing administrative accounts [4]. Regular vulnerability assessments and rapid patching are essential to mitigate the risks associated with Clop’s evolving tactics [4], which can lead to significant operational disruptions, financial losses [4], and regulatory fines [4]. The ongoing threat from impersonators and the original Clop group necessitates heightened vigilance and proactive security measures.

Conclusion

The impersonation of the Clop ransomware gang by fraudsters underscores the critical need for organizations to enhance their cybersecurity measures. By focusing on vulnerability management, applying timely patches [4], and conducting regular security assessments, businesses can mitigate the risks posed by both genuine and fraudulent ransomware threats. As cybercriminal tactics continue to evolve, maintaining a proactive and vigilant security posture is essential to safeguard sensitive data and ensure operational resilience.

References

[1] https://thecyberwire.com/podcasts/daily-podcast/2265/transcript
[2] https://ciso2ciso.com/fraudsters-impersonate-clop-ransomware-to-extort-businesses-source-www-infosecurity-magazine-com/
[3] https://undercodenews.com/fraudsters-imitate-clop-ransomware-to-extort-businesses/
[4] https://thesecmaster.com/blog/clop-ransomware
[5] https://www.cyware.com/resources/threat-briefings/daily-threat-briefing/cyware-daily-threat-intelligence-march-14-2025
[6] https://www.infosecurity-magazine.com/news/fraudsters-clop-ransomware-extort/
[7] https://www.digit.fyi/february-2025-was-the-worst-month-in-ransomware-history/