Clop

Caleb Boma | March 24th, 2021

 

According to BleepingComputer, grades and social security numbers for students at the University of Colorado, along with University of Miami patient data, have been posted online by the Clop ransomware group.

Clop Ransomware Adding Universities To List

Starting in December, threat actors affiliated with the Clop ransomware operation began targeting Accellion FTA servers and stealing the data stored on them. Companies use these servers to share sensitive files and information with people outside of their organization.

The ransomware group then contacted the organizations and demanded $10 million in Bitcoin or they would publish the stolen data.

Since February, the Clop ransomware operation has been publishing files stolen using vulnerabilities in Accellion FTA file-sharing servers.

This week, the Clop ransomware gang started publishing screenshots of files stolen from Accellion FTA servers used by the University of Miami and the University of Colorado.

In February, the University of Colorado (CU) disclosed that they suffered a cyberattack where threat actors stole data via the Accellion FTA vulnerability.

“While the full scope has not yet been determined, early information from the forensic investigation confirms that the vulnerability was exploited and multiple data types may have been accessed, including CU Boulder and CU Denver student personally identifiable information, prospective student personally identifiable information, employee personally identifiable information, limited health and clinical data, and study and research data,” CU’s data breach notification stated.

The Clop ransomware operation has begun to post screenshots of the stolen data, including university financial documents, student grades, academic records, enrollment information, and student biographical information.

While the University of Miami did not disclose a data breach, it did use a secure file-sharing service called ‘SecureSend’ that has since been shut down.

“Please be advised that the secure email application SecureSend (secure.send.miami.edu) is currently unavailable, and data shared using SecureSend is not accessible,” reads the University’s SecureSend page.

From URLs found by BleepingComputer, this SecureSend service was also powered by an Accellion FTA server.

While the University of Miami never disclosed a security incident, the Clop ransomware operation also published screenshots of patient data.

This data includes medical records, demographic reports, and a spreadsheet with email addresses and phone numbers.

The data allegedly stolen from the University of Miami appears to belong to patients of the University’s health system.

The Clop ransomware gang has been using Accellion vulnerabilities to exploit victims and demand large ransoms. The education sector hasn’t been a recurring target in the Accellion exploits, but these incidents show the group isn’t targeting one industry specifically, and anyone using Accellion’s FTA should update and patch as soon as possible.

Threat actors are continuing to look for supply chain attacks to reach multiple organizations at once. Understanding what connection you have with third-party providers is crucial for your organization’s security and helps to prevent unwarranted access from threats. This is why incorporating a Security Operations Center into your infrastructure will strengthen your security posture and take weight off the shoulders of your IT team. Allow our cyber experts to monitor your network continuously for threats such as Clop, today.

SpearTip’s cyber professionals continuously monitor environments 24/7 in our US-based Security Operations Center. Our certified engineers work in unison with our proprietary endpoint detection and response tool, ShadowSpear®. This allows your organization to have direct communication with our engineers at any moment and a completely transparent view of your risk profile.

If you think your organization has been breached, call our Security Operations Center at 833.997.7327.
