SpearTip | February 17th, 2021

According to SecurityWeek, a group of cybercriminals known for ransomware attacks has started leaking files allegedly stolen from Jones Day, a major U.S.-based law firm. The cybercriminals behind the ransomware operation known as Clop (Cl0p) have been known to encrypt files on compromised systems, as well as to steal files from the victim and threaten to leak them unless a ransom is paid. The group runs a website on the Tor anonymity network where it leaks files from organizations that refuse to pay. The hackers recently posted on that website download links to tens of gigabytes of files allegedly stolen from Jones Day. The leaked files are emails and legal documents, including some that appear to be confidential. While some of the leaked data seems to be older, some of it is dated January 2021.

In a statement to The Wall Street Journal, Jones Day representatives confirmed suffering a breach, but said the hackers did not actually penetrate its network and instead targeted a file sharing service provided by file sharing and collaboration solutions provider Accellion. The hackers told Vice that they stole data from Jones Day, but did “not encrypt their network.” The cybercriminals told DataBreaches.net that they hacked one of the company’s servers associated with the Accellion service and “took the data from there,” but also suggested that they targeted other systems as well. An increasing number of organizations have come forward to confirm that they suffered data breaches due to a vulnerability discovered in mid-December in FTA, a large-file transfer service offered by Accellion.

Accellion is retiring the FTA service, but roughly 50 customers had still been using it when the vulnerability was discovered, and at least some of those customers have been targeted by malicious actors. The list includes the Office of the Washington State Auditor (SAO), the Australian Securities and Investments Commission (ASIC), the Reserve Bank of New Zealand, and Singapore telecoms firm Singtel.

SpearTip’s ShadowSpear® Platform stops Clop ransomware from harming your environment by blocking the malicious executables from running on machines. Clop is likely a Russian state-sponsored threat, as it performs a locale check before executing: if a CIS country locale is detected, the malware terminates.

Threat actors make no exceptions when it comes to the industries they target. Every industry is at risk if a proper security plan is not in place. This is why it’s important to engage with a security firm like SpearTip to be proactive in stopping cyber threats. The ShadowSpear® Platform can be deployed by our engineers to businesses and organizations of any size or industry. ShadowSpear® will alert our engineers to malicious cyber threats and stop them before they cause business disruption. Clop claimed to have only stolen data without encrypting files, but stolen data being published on leak sites introduces a major hurdle for client trust.

SpearTip’s cyber experts continuously monitor environments 24/7 in our US-based Security Operations Center. Our certified engineers work in unison with our proprietary endpoint detection and response tool, ShadowSpear®. This gives your organization direct communication with our engineers at any moment and a completely transparent view of your risk profile.

If you are experiencing a breach, please call our Security Operations Center at 833.997.7327.