How the Cl0p Ransomware Gang Exposed the Cybersecurity Industry's Holes


Law firms. Healthcare device manufacturers. Healthcare systems. Advisory firms. Hotels. School systems. Banks. The Cl0p (also known as Clop) ransomware gang keeps making headlines, and it can feel like there is no end in sight.

This group has been so successful because it exploited a zero-day vulnerability in MOVEit, a popular file-transfer product that many applications rely on. Because MOVEit is so efficient (which is why it is built into so many applications), once these threat actors worked out how to take control of it, they found themselves able to extract enormous amounts of data from their victims extremely efficiently. The threat actors then demand millions of dollars in ransom, and if the victim does not pay, they release the company's proprietary and sensitive data on the dark web.

While this started as a zero-day exploit – i.e., no security company knew about the vulnerability before threat actors exploited it, which is a much rarer threat vector than, say, using stolen credentials – it has also exposed a number of holes in how most organizations approach their security posture.

Let’s take a look at some of the ways this particular exploit has shown these weaknesses to us.

Interconnectedness of modern technology development 

Nothing exists in a vacuum anymore, and that is especially true of modern application development and implementation. MOVEit was used in the code bases of many, many pieces of software, which we now see was fine…until it was very much, well, not fine. When that one piece of software was compromised, it spelled certain doom for organizations that might not even have been aware they were using it.

Difficulty in relying on large-scale patching 

Threat actors access networks through already-known vulnerabilities far more often than through headline-grabbing zero-day attacks. They know security teams are stretched thin and that organizations are wary of any downtime patching might cause. Sometimes the cost of these choices reaches beyond lost revenue, too. For instance, when healthcare equipment and vendor systems that hospitals rely on could be compromised but are also necessary for life-saving procedures, the choice of when and how to patch becomes much more complicated.

And as we discussed above, when all these systems and applications are interconnected, these vulnerabilities have a domino effect.

Reliance on reactive detection 

This latest spate of attacks is a symptom of the entire cybersecurity industry’s approach. Threat actors are always going to find new ways in, whether that’s through these zero-day attacks, advanced phishing campaigns, misconfigurations, social engineering, stolen credentials/reused passwords, unpatched software or hardware, or any other number of vectors.

Threat actors are winning because they are exploiting the real world, not the world where we’ve convinced ourselves that if we just scan more, try harder, and find better detection systems we’ll win. These applications, networks, and systems are made and operated by humans. And as we all know, the number one thing all humans do is make mistakes. Yet overwhelmingly, most cybersecurity strategies rely on everyone being perfect all the time. We’re not setting ourselves up for success.

How to protect against Cl0p and other known threats

Having tools to monitor threats and harness AI to detect them is great, but we have to give them a fighting chance by removing the traffic to and from known threat actors in our networks. When we eliminate this traffic, our people, processes, and technologies have a fighting chance. 

The real trick is that ransomware gangs such as Cl0p are known to the threat intelligence community (composed of government, open source, and private organizations). And while they might be able to change their attacks and their methods of hiding their misdeeds, they can't change who they are.

Filtering out communications to and from known threat actors sounds so fundamental that most assume they’re already doing this. Unfortunately, this is simply not the case. Most security technologies on the market today are focused on the “what” of an attack instead of the “who” behind it. 

When you glance at CISA's advisory on these attacks by the Cl0p ransomware gang, there are pages and pages of IP addresses listed. These are the "who" of the attack, and the lists of known threat actors are growing and changing constantly. Blocking inbound and outbound traffic to and from these threat actors is one of the simplest and most effective ways to stop them, but the only way to do it effectively is with a tool that can harvest these threat lists with up-to-the-minute intelligence and enforce on that intelligence without any input from security teams.
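To make the mechanism concrete, here is an added example (not Threater's code and not drawn from the CISA advisory) of the core of such an enforcement step: parse an advisory-style indicator list, merge a refreshed version of it, and flag flows in either direction that touch a listed address. The feed contents, flow records and the 10.0.0.0/8 "internal" range are all constructed; the indicator addresses come from the RFC 5737 documentation ranges and are not real Cl0p infrastructure.

```python
import ipaddress
import re

# Constructed feed in the style of an advisory appendix: one IP or CIDR per
# line, comments and blank lines allowed. Not real indicators.
FEED_V1 = """
# known-bad infrastructure (constructed example)
203.0.113.0/24
198.51.100.7
"""
# A later revision of the same feed: lists grow and change constantly.
FEED_V2 = FEED_V1 + "198.51.100.8\n192.0.2.0/28\n"

# Constructed flow records; 10.0.0.0/8 stands in for the internal network.
FLOWS = [
    "2023-06-12T10:00:01Z src=10.0.0.5 dst=203.0.113.44 dport=443",
    "2023-06-12T10:00:02Z src=198.51.100.7 dst=10.0.0.9 dport=8443",
    "2023-06-12T10:00:03Z src=10.0.0.5 dst=93.184.216.34 dport=443",
    "2023-06-12T10:00:04Z src=192.0.2.3 dst=10.0.0.9 dport=443",
]
INTERNAL = ipaddress.ip_network("10.0.0.0/8")
FLOW_RE = re.compile(r"src=(\S+) dst=(\S+)")

def load_feed(text):
    """Parse a feed into a collapsed list of networks (dupes and covered hosts folded)."""
    nets = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line:
            nets.append(ipaddress.ip_network(line, strict=False))
    return list(ipaddress.collapse_addresses(nets))

def refresh(current, new_text):
    """Merge a newer feed revision into the current blocklist without manual edits."""
    return list(ipaddress.collapse_addresses(current + load_feed(new_text)))

def classify(flow, blocklist):
    """Return 'inbound', 'outbound' or None depending on which end is listed."""
    src, dst = (ipaddress.ip_address(x) for x in FLOW_RE.search(flow).groups())
    if dst in INTERNAL and any(src in n for n in blocklist):
        return "inbound"
    if src in INTERNAL and any(dst in n for n in blocklist):
        return "outbound"
    return None

def enforce(flows, blocklist):
    """Verdict per flow; both directions are dropped, not just inbound connections."""
    return {f: classify(f, blocklist) for f in flows}
```

The outbound verdict matters as much as the inbound one: a listed destination reached from inside the network is the exfiltration path the post describes.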

This is exactly what Threater does. It simply removes the communication between your networks and known threat actors. This frees up the rest of the security stack, teams and technologies alike, to do their jobs better and more efficiently. It is also why this is one of the most foundational layers of network security for any organization.

When you remove this traffic from your network, these known threat actors can no longer signal a successful entry back to their infrastructure, they can no longer exfiltrate data, and they can no longer prey on the realities of the modern world. When you remove the bad guys, you remove their threats.

If you’d like to learn more about how Threater protects against these types of ransomware and other threats, we can help.