Ransomware is a significant cybersecurity threat. Attackers use malicious software to encrypt files, making them unreachable until the victim pays a ransom.

Cl0p is one such malicious software. It has grown in popularity over the last few years after a threat group using the software targeted large corporations worldwide. Most recently, the threat group infiltrated the MOVEit transfer service, compromising sensitive data belonging to millions.

Businesses must watch out for Cl0p ransomware because the software is popular in the ransomware-as-a-service (RaaS) niche. Other threat actors commission attacks using it.

According to Microsoft’s Threat Intelligence Team, Lace Tempest is one such threat actor currently targeting organizations with the Cl0p ransomware.

SysAid has confirmed that the group is abusing a zero-day flaw to deploy the Cl0p ransomware encryptor.

The attack comes in multiple stages, starting with the upload of a WAR archive holding a WebShell and other payloads into the webroot of the SysAid Tomcat web service. The attack ends with ransomware and a Cobalt Strike beacon.

How the Cl0p Ransomware Affects Victims

Cl0p ransomware spreads through exploit kits, phishing emails, and vulnerabilities in software and systems, such as those highlighted by SysAid. Once inside the system, it will encrypt documents, databases, images, videos, and more. It uses a strong encryption algorithm to ensure you can’t access the files without using a unique decryption key.

The threat group responsible for deploying the ransomware leaves ransom notes in HTML documents or .txt files with instructions on how to pay them. They often threaten to release data on dark web leak sites if victims fail to meet their demands.

Fixing the SysAid Exploit

To prevent Cl0p ransomware attacks through the SysAid Tomcat web service, SysAid urges users to update their on-premise software to version 23.3.36. The update eliminates the path traversal flaw, preventing the ransomware installation.

Additionally, users must conduct a comprehensive compromise assessment of their network to rule out possible compromise.
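
One check that can feed such an assessment, given that the attack starts with a WAR archive and WebShell uploaded into the Tomcat webroot, is to list WAR and JSP files that appeared in the webroot during the period under review. The script below is an added example, not code from SysAid or Microsoft; the webroot path and cutoff date are placeholders you supply, and the function name is hypothetical.

```python
import hashlib
import os
import zipfile
from datetime import datetime, timezone

SCRIPT_EXTS = (".jsp", ".jspx")  # server-side script types Tomcat will execute

def sha256_of(path):
    """Hash a file in chunks so large archives do not load into memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def scan_webroot(webroot, since):
    """Return WAR archives and JSP files under webroot modified at or after `since`.

    `since` is a timezone-aware datetime (assumption: the start of the
    window being assessed). Each finding is a dict for manual triage.
    """
    findings = []
    for dirpath, _dirs, files in os.walk(webroot):
        for name in files:
            lower = name.lower()
            if not (lower.endswith(".war") or lower.endswith(SCRIPT_EXTS)):
                continue
            path = os.path.join(dirpath, name)
            mtime = datetime.fromtimestamp(os.path.getmtime(path), timezone.utc)
            if mtime < since:
                continue
            entry = {"path": path, "modified": mtime.isoformat(),
                     "sha256": sha256_of(path), "scripts_inside": []}
            if lower.endswith(".war"):
                try:  # a WAR is a ZIP archive; list the scripts it carries
                    with zipfile.ZipFile(path) as war:
                        entry["scripts_inside"] = [
                            n for n in war.namelist()
                            if n.lower().endswith(SCRIPT_EXTS)]
                except zipfile.BadZipFile:
                    entry["scripts_inside"] = ["<unreadable archive>"]
            findings.append(entry)
    return sorted(findings, key=lambda e: e["modified"])

if __name__ == "__main__":
    import sys  # usage: python scan_webroot.py <WEBROOT_PATH> <YYYY-MM-DD>
    cutoff = datetime.strptime(sys.argv[2], "%Y-%m-%d").replace(tzinfo=timezone.utc)
    for f in scan_webroot(sys.argv[1], cutoff):
        print(f["modified"], f["sha256"], f["path"], f["scripts_inside"])
```

File modification times can be altered by an intruder, so treat an empty result as one data point and compare the reported hashes against a known-good installation of the same version.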

Other Ways Business Owners Can Prevent Ransomware Attacks

According to the Ransomware Taskforce, small businesses are the victims of 70% of ransomware attacks. Business owners must be more proactive to prevent data leaks and avoid becoming a part of the statistics. Below are some top ways businesses can avoid ransomware attacks:

  • Keep all software up to date to ensure protection against non-zero-day exploits.
  • Implement a layered security policy featuring a combination of anti-malware software, antivirus software, spam filters, a firewall, and a cloud data loss prevention protocol.
  • Use the principle of least privilege (PoLP) to manage access to critical business information.
  • Conduct regular awareness training to reduce the risk of insider threats due to human error and negligence.
  • Enforce strong password requirements and a multifactor authentication protocol.
  • Enforce strict verification protocols for all email senders.
  • Watch out for Cl0p ransomware (and other known ransomware) communication in your network.

Threat groups, such as those behind Cl0p, continue to look for new ways to run a ransomware attack against businesses. However, patching vulnerabilities and deploying other ransomware defenses can help keep them at bay.
