Search This Blog

Showing posts with label Clop Ransomware. Show all posts

BCPS Hit by Conti Ransomware Gang, Hackers Demanded $40 Million Ransom

 

Several weeks ago, the Conti ransomware gang encrypted the systems at Broward County Public Schools and took steps to release sensitive personal information of students and staff except if the district paid a colossal $40 million ransom. Broward County Public Schools, the country's 6th biggest school district with an annual budget of about $4 billion, enlightened parents about a network outage on March 7 that adversely affected web-based teaching, but dependent on this new data, the incident was unmistakably much more serious. 

First reported by DataBreaches.net, the hackers took steps to disclose a huge trove of personal information, including the social security numbers of students, teachers, and employees, addresses, dates of birth, and school district financial contact information. "Upon learning of this incident, BCPS secured its network and commenced an internal investigation,” the statement continued. “A cybersecurity firm was engaged to assist. BCPS is approaching this incident with the utmost seriousness and is focused on securely restoring the affected systems as soon as possible, as well as enhancing the security of its systems." 

The hackers published screenshots of a text message from mid-March between them and a district official — clearly a negotiation for the hackers to deliver the documents back to the district. 

“The good news is that we are businessmen,” the text message from the hackers said. “We want to receive ransom for everything that needs to be kept secret, and don’t want to ruin your reputation. The amount at which we are ready to meet you and keep everything as collateral is $40,000,000.” 

After weeks of negotiations, the hackers in the end brought the proposal down to $10 million. Under district policy, that sum is the maximum it can pay without school board approval. 

Broward County's case was one of a few ransomware assaults that hit educational institutions in the past two weeks. The Clop ransomware gang was very active, with reported cases influencing the University of Maryland, Baltimore Campus (UMBC); the University of California, Merced; the University of Colorado; and the University of Miami. Jamie Hart, cyber threat intelligence analyst at Digital Shadows noticed that these assaults were led by the Clop gang and were targeted as a part of the Accellion FTA breach.

Cyberextortion Threat Evolves as Clop Ransomware Attacked 6 U.S Universities Data Security

 


Malicious actors are now using novel ways to extract universities' data, and are threatening to share stolen data on dark websites unless universities pay them a lot of money. 
The current update reads that the Clop ransomware group claimed to have access to six top universities of the United States including institutions’ financial documents information and passport data belonging to their staff and students. According to the report, a group of hackers has first posted the stolen data online on March 29. 

The universities' that have been attacked, include — The University of Miami, the Yeshiva University, the University of Maryland, the Stanford University, the University of Colorado Boulder, And the University of California, Merced. 

However, there is no official confirmation regarding this cyber-attack from any of the aforementioned universities, it's unsure whether or not the cyberinfrastructure of these universities has been attacked or the hacker group asked for money in exchange for data. 

Additionally, a few days back, Michigan State University also confirmed a cyber attack by a group that was threatening to share it on the dark websites unless a bounty is paid. 

The data stolen by the Clop ransomware group include federal tax documents, passports, requests for tuition remission paperwork, tax summary documents, and applications for the Board of Nursing. 

This data breach affected several individuals and staff of the universities as the shared information also exposed sensitive credentials, such as names of individuals, date of birth, photos, home addresses, immigration status, passport numbers, and social security numbers. 

Not only this, but some news websites also confirmed that the leaked data included several more screenshots including retirement documentation, and 2019/2020 benefit adjustment requests, late enrollment benefit application forms for employees, and the UCPath Blue Shield health savings plan enrollment requests, amid much more. 

It should be noted that such attacks are not unusual for the Clop ransomware group as the group is known for its assault against various organizations. Furthermore, Michigan State University’s officials stated in the regard that, “Payment to these criminals only allows these crimes to be perpetuated and further target other victims. The decision not to pay was in accordance with law enforcement guidance and reached with support from the university’s Board of Trustees and president”.

Shell’s Employees’ Visas Dumped Online as part of Extortion Attempt

 



Royal Dutch Shell became the latest corporation to witness an attack by the Clop ransomware group. The compromised servers were rebuilt and brought into service with a new Accellion security patch; the security patch eliminates the vulnerabilities and enhances security controls to detect new attacks and threats. 

"A cyber incident impacted a third-party, Accellion, software tool called the File Transfer Appliance (FTA) which is used within Shell," stated Shell spinner. In a statement last week, Shell confirmed that it too was affected by the security incident but it has only affected the Accellion FTA appliance which is used to transfer large data files securely by the company. 

In an attempt to bribe the company into paying a ransom, the criminals behind the malware have siphoned sensitive documents from a software system used by Shell and leaked some of the data online, including a set of employees' passports and visa scans. The idea being that once the ransom is paid, no further information will be released into the public domain. 

As stated by Shell, the data accessed during a “limited window of time” contained some personal data together with data from Shell companies and some of their stakeholders. The company to downplay the impact stated that “there is no evidence of any impact to Shell’s core IT systems,” and the server accessed was “isolated from the rest of Shell’s digital infrastructure.” But it did acknowledge that the crooks had probably grabbed “some personal data and data from Shell companies and some of their stakeholders.” 

Previously this month, files from infosec outfit Qualys, including purchase orders, appliance scan results, and quotations also surfaced on the extortionists' hidden site. Other victims include Canadian aerospace firm Bombardier, which had details of a military-grade radar leaked, London ad agency The7stars, and German giant Software AG.

The group has now posted several documents to its Tor-hidden website, including scans of supposed Shell employees' US visas, a passport page, and files from its American and Hungarian offices, in order to persuade Shell to compensate the hackers and prevent more stolen data from leaking. 

According to BleepingComputer, to stack up the pressure, the Clop gang now e-mails its victims' to warn them that the data is stolen and will be leaked if a ransom is not paid.

Data From These Two Universities Stolen and Published Online by Clop Ransomware Group

 

The Clop ransomware group has officially published online the grades and social security numbers for students at the University of Colorado and the University of Miami. 

From December, threat agents related to the Clop Ransomware Group had started to attack Accellion FTA servers and steal the data stored on their servers. These servers are used by companies to exchange confidential files and information with non-organizational people. The ransomware gang approached the companies and asked for $10 million in bitcoins and if the demand is not fulfilled then they would publish the stolen information on the internet. 

Since February, the team of Clop Ransomware has started to publish the compromised files that were stolen due to the flaws in the Accellion FTA file-sharing servers. Later this week the Clop Ransomware Gang began posting screenshots of compromised files from the Accellion FTA server that is used by Miami University and Colorado University. In February, Colorado University (CU) revealed a cyberattack that mentioned that the threat actors had stolen data through a vulnerability of Accellion FTA. 

The actors behind the Clop ransomware have started to post compromised data screenshots, including university files, university grades, academic records, registration details, and biographical information of students. 

While the University of Miami did not report any data breach, it used a protected 'SecureSend' file sharing program that had since been shut down. "Please be advised that the secure email application SecureSend (secure.send.miami.edu) is currently unavailable, and data shared using SecureSend is not accessible," reads the University's SecureSend page. 

Although the University of Miami never confirmed a security incident, still screenshots of patient information were released by the Clop ransomware operation. This information covers medical history, demographic analyses, and telephone numbers and email addresses. The data supposedly robbed from the University of Miami belongs to the patients of the health system of the University. 

"While we believe based on our investigation to date that the incident is limited to the Accellion server used for secure file transfers, we continue to enhance our cybersecurity program to further safeguard our systems from cyber threats. We continue to serve our University community consistent with our commitment to education, research, innovation, and service," the University of Miami wrote. 

The ransomware gang has only published few screenshots at this time but is likely to release more documents to force victims to pay in the future.