
Multiple US executives targeted by ransomware in ‘high-volume attack,’ Google warns

Hackers linked to a prominent ransomware group have been targeting US business executives at “numerous organizations” in a massive campaign since last month, according to a warning issued by Google on Thursday.

Google’s researchers said the hackers claim to be part of the notorious “Cl0p” ransomware gang and have been sending threatening emails as part of what Google described as a “high-volume” attack.

It wasn’t immediately clear which other companies have been targeted in the ransomware campaign, or if any have paid the ransom to regain control of their data.


In the emails, the hackers claim to have stolen the victims’ data through popular business management apps offered by Oracle to corporate clients. The attacks began around Sept. 29, according to Genevieve Stark, head of cybercrime at Google Threat Intelligence Group.

“Initial analysis suggests that the targeting is opportunistic, as opposed to focusing on specific industries,” Stark added. “This is consistent with prior activity associated with the Cl0p data leak site.”

Oracle did not immediately return The Post’s request for comment.

The hackers have demanded ransoms of up to $50 million and have sent victims screenshots as proof of the breach, Bloomberg reported, citing cybersecurity firm Halcyon, which is also tracking the hacking campaign.


“We have seen Cl0p demand huge seven- and eight-figure ransoms in the last few days,” Cynthia Kaiser, vice president at Halcyon’s ransomware research center, told the outlet. “This group is notorious for stealthy, mass data theft that heightens their leverage in ransom negotiations.”

Google said it “does not currently have sufficient evidence to definitively assess the veracity of these claims.” At least one of the email addresses linked to the attack was previously used by the hacker group.

“The malicious emails contain contact information, and we’ve verified that the two specific contact addresses provided are also publicly listed on the CLOP data leak site (DLS),” said Charles Carmakal, chief technology officer at Google Cloud cybersecurity unit Mandiant. “This move strongly suggests there’s some association with Clop and they are leveraging the brand recognition for their current operation.”

The emails reportedly bear the hallmarks of Cl0p’s work, including sloppy English and grammar.


The hacker group previously conducted a ransomware campaign in 2023 that breached accounts at several major companies, including British Airways and the BBC.

In June 2023, the US Cybersecurity & Infrastructure Security Agency (CISA) warned that Cl0p was “considered to be one of the largest phishing and malspam distributors worldwide.”

The group was “estimated to have compromised more than 3,000 US-based organizations and 8,000 global organizations” during its run.

With Post wires
