Clop Ransomware Gang Uses Torrents to Leak Stolen Data

The Clop ransomware syndicate has initiated a novel approach by making pilfered data from MOVEit attacks accessible through torrents, as recent reports indicate.

Security analyst Dominic Alvieri disclosed this development on Twitter, sharing screenshots that spotlight several prominent victims whose compromised information is now being circulated through peer-to-peer (P2P) sharing networks.

Notable names among the roster of affected entities include Putnam, an investment firm; Iron Bow Technologies, a technology company; Delaware Life, an insurance company; as well as Aon, Zurich Brazil, and United Healthcare Student Resources, all prominent entities within their respective domains.

The decision by the Clop group to utilize torrents for disseminating data could stem from the recognition that extensive data dumps often suffer from sluggish download speeds, which ultimately diminishes the value gained by threat actors when they share the information on leak platforms.

To streamline the process, the group has published step-by-step guidance on using torrent clients, alongside details related to approximately 20 compromised organizations.

This is not the first time Clop has experimented with new ways to make its stolen data more accessible. The group previously set up clearnet (surface web) websites dedicated to specific breached organizations, such as PwC.

Ransomware groups continually explore fresh avenues to elevate their reputation and capitalize on their attacks. Another area of focus for them is devising strategies to notify their victims about the breaches.

Who is the Clop Ransomware Group?

The Clop ransomware group is a notorious cybercriminal organization known for conducting high-profile ransomware attacks against various targets, including corporations, institutions, and government entities. The group gained prominence for its advanced techniques, aggressive tactics, and large-scale extortion campaigns.

Here are some key points about the Clop ransomware group:

Origins: The Clop group is believed to have emerged in the mid-2010s. However, its activities became more widely recognized in recent years due to its involvement in high-profile attacks.

Ransomware Operations: The group employs ransomware to encrypt victims' files and systems, rendering them inaccessible until a ransom is paid. They often demand substantial amounts of cryptocurrency in exchange for a decryption key.

Targeted Sectors: Clop primarily targets organizations in sectors such as finance, healthcare, technology, and critical infrastructure. Their attacks have affected companies worldwide.

Leak Site: One of Clop's distinctive tactics is its use of "leak sites." After encrypting a victim's data, the group threatens to release sensitive information if the ransom is not paid. They publish a portion of the stolen data on these websites to pressure victims into compliance.

Double Extortion: Clop is known for adopting a "double extortion" strategy. This involves not only encrypting victims' data but also stealing it before encryption. If the victim refuses to pay the ransom, the group threatens to release the stolen data, potentially causing reputational and legal damage.

August 9, 2023