Toronto City Hall in downtown showing Clop ransomware gang data breach via GoAnywhere vulnerability

Clop Ransomware Breached the City of Toronto, Virgin Red and Others via GoAnywhere Vulnerability

The Clop ransomware gang has compromised several victims, including the City of Toronto and the UK’s Virgin Red by exploiting the GoAnywhere vulnerability.

The city of Toronto said it was investigating leaked files after an unauthorized entity accessed its data via a third-party vendor. Toronto was among dozens of victims, including a UK statutory body, listed by Clop ransomware on its data leak site.

Clop ransomware exploits the GoAnywhere vulnerability to breach multiple organizations

“Today, the City of Toronto has confirmed that unauthorized access to City data did occur through a third party vendor,” The city spokesperson Alex Burke told TechCrunch. “The access is limited to files that were unable to be processed through the third party secure file transfer system.”

However, Toronto clarified that Clop ransomware did not hack the city’s internal systems using the GoAnywhere vulnerability.

Another victim, UK’s Virgin Red, said it was contacted by clop ransomware regarding data accessed via the GoAnywhere vulnerability.

Confirming the breach, the British conglomerate said a threat actor had illegally obtained some Virgin Red files via its file transfer systems supplier GoAnywhere.

However, the rewards membership club said the leaked files did not jeopardize its customers’ and employees’ safety and privacy: “The files in question pose no risk to customers or employees as they contain no personal data.”

According to Richard Branson’s Virgin Group, the breach only affected the Virgin Red membership club, not the parent company.

Clop ransomware also listed UK’s statutory corporation, Pension Protection Fund (PPF), on its data leak site. The Department for Work and Pensions organization disclosed that the threat actor accessed current and former employees’ data but did not compromise PFF members’ and levy payers’ information.

PPF said it ditched GoAnywhere and launched an investigation with partners and law enforcement agencies after suspecting that the GoAnywhere vulnerability likely exposed its data contrary to Fortra’s assurances.

The pension funds administrator said notifying the victims was a priority and had advised them and provided additional monitoring services.

Although the ransomware gang did not compromise PPF’s systems, the corporation reported the incident to the relevant authorities.

“We would stress that our own systems have not been compromised and we remain vigilant, working to the very highest information security standards and certifications,” explained PFF.

More Clop ransomware data breach victims emerge

Power company Hitachi Energy, Saks Fifth Avenue departmental stores chain, cybersecurity firm Rubrik, and Blue Shield of California also confirmed data breaches via the GoAnywhere vulnerability.

Rubrik said it detected unauthorized access to its “non-production, IT testing environment” resulting from the GoAnywhere vulnerability.

Similarly, Hitachi Energy notified “data privacy, security, and law enforcement authorities” after discovering that the GoAnywhere vulnerability could have resulted in unauthorized access to employee data in some countries.

Blue Shield of California, a virtual children’s mental health non-profit, also filed a data breach notification with the Office of the Maine Attorney general confirming data theft via the GoAnywhere vulnerability.

By late March 2023, the Clop ransomware gang had listed at least 39 entities on its data leak site.

In February 2023, Clop ransomware claimed it breached 130 organizations by exploiting the GoAnywhere MFT (managed file transfer) remote code execution vulnerability CVE-2023-0669.

The alleged mass exploitation compelled the Health Sector Cybersecurity Coordination Center (HC3) to publish a cybersecurity advisory about Clop ransomware targeting the healthcare industry.

In 2021, the same ransomware gang compromised hundreds of organizations, including the City of Toronto, via the Accellion File Transfer Appliance (FTA) vulnerability.

“It is crucial for organizations to be aware of the potential risks associated with third-party service providers and to implement appropriate security measures to mitigate those risks,” said Erfan Shadabi, a cybersecurity expert with comforte AG. “Vetting partners thoroughly and ensuring that their data handling processes, procedures, and protection methods are superior isn’t something to take lightly.”