March ransomware disclosures spike behind Clop attacks

The Clop ransomware group was busy last month, claiming responsibility for attacks against several prominent companies such as Rubrik, Saks Fifth Avenue and Procter & Gamble.

TechTarget Editorial's 2023 ransomware database tracks monthly U.S. ransomware activity and trends based on public disclosures, confirmed media reports, and data breach notifications submitted to state and federal government agencies.

While the number of attacks increased slightly from February to March, which saw 22 total disclosures and confirmed attacks, many of the victims were related to Clop ransomware attacks that exploited a zero-day vulnerability in Fortra's GoAnywhere managed file transfer software.

First observed in 2019, the Russian-linked ransomware group has been known for double extortion tactics that it used in an attack against German-based Software AG in 2020. Unlike past activity, the group did not appear to deploy ransomware or encrypt data in the GoAnywhere attacks, which highlights an evolution in ransomware extortion tactics. Instead, operators behind Clop relied on its public data leak site to pressure victims into paying.

Hatch Bank and Rubrik were two of the first victims to confirm that they suffered a ransomware attack earlier last month related to the Fortra GoAnywhere zero-day vulnerability. The cybersecurity vendor's disclosure came right after Clop added Rubrik to its extortion site.

Since then, many more high-profile companies disclosed attacks stemming from the Fortra zero-day flaw. While none of the victims reported that its data or systems had been encrypted, the attacks led to the thefts of sensitive data. Other victims that have issued public disclosures include Tennessee-based Community Health Systems, U.S. Wellness, Blue Shield of California, Saks Fifth Avenue and Procter & Gamble. However, threat researchers have reviewed Clop's data leak site, which shows many more big-name victims.

Clop wasn't the only ransomware group active with its extortion site last month. Vice Society, which notoriously targets the education sector, claimed responsibility for an attack against Oregon-based Lewis & Clark College in late March, according to The Record. In addition, the Royal ransomware gang added Savannah Technical College to its data leak site.

While the colleges did not confirm that ransomware was involved, Lewis & Clark issued several urgent messages through social media regarding "widespread server outages impacting all three campuses." Similarly, Savannah Technical College released an important announcement on an "extended Internet Outage."

The BianLian ransomware gang listed the city of Waynesboro, Va., on its data leak site earlier this month and claimed to have stolen criminal investigation files and employee personal data. Two days after BianLian threatened to leak the city's stolen data, NBC29 reported that Mike Hamp, Waynesboro city manager, confirmed that it was notified of a potential cyber attack in January.

Lastly, the LockBit ransomware group took credit for a March 6 attack against Staples-owned office wholesale distributor Essendant. In a security incident statement, which has been continually updated, Essendant said an investigation determined that the outage resulted from a ransomware attack that disrupted certain systems and operations.

"An unauthorized actor has publicly claimed responsibility for this incident. We are continuing to investigate the validity of these claims," Essendant wrote in the statement.

While it was not attributed to Clop, telecom provider Lumen Technologies was another major enterprise that disclosed a ransomware attack this month. In a Securities and Exchange Commission filing on March 27, Lumen confirmed two cybersecurity incidents. One involved ransomware and caused disruptions to a small number of the company's enterprise customers as well as data exfiltration.

Ransomware actors targeting the public sector remained a trend last month as well. Nine of the victims in March were school districts and cities, which suffered prolonged disruptions. For example, in a statement on March 31, the city of Oak Ridge, Tenn., said it was attacked the prior week by a "a sophisticated group of criminals." The city was forced to take its systems offline as a result, which caused disruptions to web services and email. Fully restoring the hundreds of computers the city uses "will be a slow process," according to the statement.

Shoreline Community College in Washington confirmed that it suffered a ransomware attack on March 20 that shut down campus server and network services, including the ability to connect remotely. As of March 31, the college said it "[continued] to experience a system outage" due to the ransomware attack.

Arielle Waldman is a Boston-based reporter covering enterprise security news.