Clop was responsible for one-third of all ransomware attacks in July, positioning the financially motivated group to become the most prolific ransomware threat actor this summer, according to multiple threat intelligence reports.
Clop’s mass exploitation of a zero-day vulnerability in the MOVEit file transfer service rapidly catapulted the group to the head of the global ransomware threat actor pack.
Clop was responsible for 171 of the 502 ransomware attacks observed by NCC Group in July, the firm said Tuesday. Clop’s activities were likely responsible for an overall 16% increase in ransomware attacks from the previous month, according to NCC Group.
Of the 515 ransomware attacks observed by Flashpoint in July, Clop was responsible for 169 victims.
Clop was responsible for at least double and likely triple the number of attacks carried out by Lockbit, its next closest competitor in criminal ransomware activities in July, according to Flashpoint and NCC Group.
“Many organizations are still contending with the impact of Clop’s MOVEit attack, which goes to show just how far-reaching and long-lasting ransomware attacks can be — no organization or individual is safe,” Matt Hull, global head of threat intelligence at NCC Group, said in a statement.
“This campaign is particularly significant given that Clop has been able to extort hundreds of organizations by compromising one environment,” Hull said. “Not only do you need to be vigilant in protecting your own environment, but you must also pay close attention to the security protocols of the organizations you work with as part of your supply chain.”
The subsequent reach and potential exposure caused by Clop’s attacks against organizations in highly sensitive and regulated industries are vast. The number of downstream victims is not yet fully realized.
Colorado State University was hit six times, six different ways. Three of the big four accounting firms — Deloitte, Ernst & Young and PwC — have been hit too, putting the sensitive customer data they maintain at risk.
Clop was responsible for just 12% of the more than 1,500 ransomware attacks observed by Rapid7 during the first half of the year. The figure accentuates the rapid increase in attacks fueled by Clop’s spree targeting MOVEit customers.
MOVEit’s parent company Progress Software disclosed and issued a patch for the zero-day vulnerability on May 31. By then, mass active exploitation of the vulnerability was already underway.