The average payment to ransomware groups has surged by 43% over the past quarter, driven by the threat actors behind the Accellion attacks, according to Coveware.
The security vendor’s quarterly report for Q1 2021 revealed that the average ransom was $220,298 during the period, with data exfiltration now a major extortion tactic present in the vast majority (77%) of attacks, up 10% from the previous quarter.
Yet while most ransomware groups simply steal data for extra leverage, as proof an attack occurred and in some cases to create legal obligations for victim organizations, the Clop gang took a different approach in its targeting of Accellion, Coveware claimed.
The group has been linked to attacks on customers of the vendor’s legacy FTA product in December 2020 and January 2021 which resulted in the theft of valuable data. These attacks exploited multiple zero-day bugs in the product which Accellion has since patched — but in some cases, fixes were applied or released too late to protect the victims.
Unlike most other ransomware attempts, this campaign focused solely on data theft, eschewing ransomware altogether, Coveware noted.
“This was a highly sophisticated and targeted exploitation of a single software appliance, only used by a handful of enterprises. The CloP group may have purchased the exploit used in the initial stages of the attack, so as to have exclusive use,” it explained.
“This behavior stands in stark contrast to how most unauthorized network access is brokered through the cyber extortion supply chain to any willing purchaser post exploitation.”
Although the group behind the attacks has never formally been named, FireEye produced an analysis in February which named financial cybercrime gang FIN11, which itself has numerous links with Clop including using the same attack infrastructure and data leak site.
“Unlike most exploits used by ransomware threat actors, unpatched Accellion FTA instances are rare (likely less than 100 total), especially when compared to vulnerable RDP instances which number hundreds of thousands globally,” Coveware said.
“Clop’s confidence that such a small number of targets would yield a positive financial return must have been high and, unfortunately, they were correct.”
However, in the end, the majority of the corporate victims targeted by Clop refused to pay and had their data exposed online by the group. The ransomware actors have apparently since returned to more traditional network access vectors (i.e. RDP) and encryption to make their money.