Software AG, Germany’s second-largest software vendor and one of the 10 largest in Europe, fell victim to a Clop ransomware attack that compromised company files and employee information. The Clop group has been particularly active during the pandemic, and is one of the prominent groups that has been stealing company information prior to locking down target networks and threatening to release it to the public if the ransom is not paid.
Clop ransomware attacks raise the stakes
Based in Darmstadt, Software AG has over 5,000 employees and provides a variety of business infrastructure products to companies in at least 70 countries. About 70% of the Fortune 1,000 companies are estimated to use at least one of its software tools.
The company issued a press release indicating that its internal network had been compromised, which included the following: “The IT infrastructure of Software AG is affected by a malware attack since the evening of 3 October 2020.” The customer-facing cloud services were apparently not impacted by the Clop ransomware attack, but both employee personal information and confidential files from Software AG’s internal network have been compromised.
Though Software AG has not specifically referenced ransomware in their press releases, security firm MalwareHunterTeam has told several press sources that they located the Clop ransomware executable used in the attack.
The compromised files, which appear to have come from a mix of Software AG’s internal network and employee laptops, includes highly sensitive personal information belonging to the company’s employees: passport numbers, photo ID scans, health care information, emails, contact lists and employment contracts among other items.
In all, about one terabyte of data was stolen. Clop has threatened to release all of this to the public if the full ransom is not paid in Bitcoin. The ransomware group verified the attack by posting screenshots of Software AG files on a dark web “leak site.” There is no indication as of yet that Software AG has paid the ransom.
Customers and clients of Software AG do not appear to have been impacted by the Clop ransomware attack or have had any of their information compromised, but the company’s help desk was down for some time along with certain forms of online communication.
Security researchers still do not have a very good bead on the Clop group. They believe that they are based in Eastern Europe, speak Russian and work on a Monday to Friday schedule with a high and constant level of activity. But little else is known about the group other than that it is likely a private for-profit enterprise rather than a government-backed threat actor, based on the fact that it has been observed establishing access to networks and then selling it off to other parties.
Clop runs wild in pandemic conditions
The Clop ransomware attacks are tied to a particular group that has been using this particular approach since at least early 2019. The ransomware itself is a variant of CryptoMix, which has been spotted in the wild since early 2016 but was relatively low-impact other than making news for being delivered via fake charity organizations. The Clop mutation is anything but mild, however. It has been implicated in major breaches of biopharmaceutical firm ExecuPharm, Indian business group IndiaBulls and the UK’s EV Cargo Logistics. Some security researchers believe this same group may also be behind the Dridex banking trojan that has been victimizing financial institutions since 2015.
While the Clop ransomware attacks have been fairly effective from a technical perspective, it was the group’s commitment to stealing and leaking target files that set it apart and changed ransomware trends. Since March the group has maintained a site called “CL0P^_- LEAKS” that is dedicated to posting the exfiltrated data from victims that do not pay the ransom.
In addition to being trendsetters in this way, the Clop ransomware attacks have also helped to quickly push ransom demands to new heights. Just two years ago, ransomware groups were focusing heavily on unprepared small businesses and making minimal demands of only a few thousands dollars to entice the victims to quickly pay. Since then, the market has shifted to a much more “premium” clientele. Ransomware gangs are currently focusing on large enterprise-scale organizations, especially those that cannot afford extended network downtime. The average demand has also shot up to about $200,000, and cases of multimillion-dollar ransom notes are no longer all that unusual.
Saryu Nayyar, CEO of Gurucul, expanded on the realities of this new threat landscape for larger organizations and government agencies: “Ransomware gangs are becoming bolder and more sophisticated, going after larger and more lucrative targets with their criminal attacks. This recent attack against Germany’s Software AG is one of the largest ransomware attacks, but it will certainly not be the last. Even with a complete security stack and a mature security operations team, organizations can still be vulnerable. The best we can do is keep our defenses up to date, including behavioral analytics tools that can identify new attack vectors, and educate our users to reduce the attack surface. With little risk of punishment and potentially multi-million dollar payoffs, these attacks will continue until the equation changes.”
The Clop ransomware attack group is hardly alone in taking this new tack of publishing stolen data to incentivize ransom payments. Since April, about two dozen threat actors have put up similar data leak sites that have published stolen data after a ransom demand was not paid. These groups also tend to be those that target larger organizations and make larger ransom demands. This new trend has greatly complicated the ransomware defense picture; in the “good old days” (just a little more than a year ago) a company with a robust and regular backup system might have little to fear from a ransomware attack. Companies now face not just downtime and data loss but the threat of exposure of confidential information and data breach fines for failure to protect personal information.