The world’s second-largest metals and mining corporation, Rio Tinto, as well as the consumer goods giant, Procter & Gamble, are in hot water as they experience a Data breach. The darknet hacking and ransomware group known as “Clop Ransomware” threatens to leak thousands of employee and customer data should the corporations not comply. These are just two of the 27 companies Clop has managed to attack in the last week!
Who Are Clop Ransomware?
Clop ransomware are a group of hackers said to be affiliated with the dark web group “Truebot”. They successfully performed attacks against various businesses across the world. The name “Clop” comes from the Russian word “Klop”. Meaning bed-bug, nodding to the bugs they use to infect PCs.
Clop Leaks: http://santat7kpllt6iyvqbr7q4amdv6dzrh6paatvyrzl7ry3zm72zigf4ad.onion/
The team use various methods to access and infect PCs with dangerous file-encrypting malware. Some known methods include email attachments, Trojans, Phishing, attachments to cracked programs, malicious websites, and the list goes on. Interestingly enough, they are not interested in attacking countries that use FIN11-based keyboards. The Malware automatically avoids FIN11 devices. This gives the nod that the group is likely to be Russian or from the Commonwealth of Independent States (CIS).
Once infecting the computer, the malware automatically exploits various vulnerabilities in the system and encrypts saved files with the “.Clop” extension. Once the user of the computer attempts to open this file a .txt displays with details that the systems files will be deleted should the corporation not pay them a certain amount of crypto. The team also provide proof that they’ve collected sensitive data of customers, employees, and other business documents. Should they not pay a certain amount, the Clop team will release all the data onto their personal darknet website.
Along with the .clop file name, the team also leaves a small string in the ransomware notes that says “Don’t Worry C|op”
The team first showed face in 2019, and has attacked thousands of companies since. In 2021, the US authorities arrested many people who they believed to be a part of the darknet organisation. However, a few days after these arrests, Clop released more data than ever before as a response.
How Darknet Group Clop Targets Their “Clients”
Clop will use the various methods above to infiltrate businesses. However, they don’t seem to be interested as much in smaller clients but rather search for high-profile clients and industry giants.
Some industry giants Clop have infiltrated previously include various giants in retail, transportation, education, manufacturing, engineering, automotive, energy, financial, aerospace, telecommunications, and professional and legal services.
Two particularly major breaches went against The International Network of Health Promoting Hospitals and Health Services (HPH). As well as exploits on some zero-day vulnerabilities in the Accellion File Transfer Appliance (FTA) software.
In the last week, the team managed to reach both PG.com and Rio Tinto.
Rio Tinto Data Leaks to the Darknet
The Anglo-Australian mining giant Rio Tinto warned their staff of a data breach that make have release information on employee data. Some details of the breach include payroll information, including overpayment details and payslips.
Included in their message, they explained,
“While investigations into this incident are ongoing and threats have been made by a cybercriminal group to release data onto the dark web. To date, none of the records described above has been released, and we still do not know if the cybercriminal group holds these records or not. At Rio Tinto, the safety of our people is our top priority, and that includes cyber safety.”
Rio Tinto Memo To Staff
Although it seems Rio Tinto hopes that the Clop gang have not received any of their records to release on darknet markets, Clop has a big enough reputation to prove they aren’t to be played with.
When it comes to Rio Tinto, it seems Clop accessed their information through an exploit in Fortra’s file-sharing platform GoAnywhere. Fortra did communicate the hack to its customers, but it told them that their data was safe, but the opposite has been proven. This same exploit handed the data of atleast 130 companies directly to Clop. As Clop added seven organizations to its data leak website on March 10, it started publicly extorting the victims of the GoAnywhere attacks.
Within their Ransom Notes, Clop hackers wrote.
“We want to inform you that we have stolen important information from your GoAnywhere MFT resource and have attached a full list of files as evidence, We deliberately did not disclose your organization and wanted to negotiate with you and your leadership first. If you ignore us, we will sell your information on the darknet markets and publish it on our blog, which receives 30-50 thousand unique visitors per day.”
Clop Ransomware Memo For Infultrated Companies
Despite being a 72.1 Billion dollar corporation, Rio Tinto isn’t even Clop’s largest target this week.
PG.Com Data Released on Darknet Markets
Similar to Rio Tinto’s case, the $79 Billion consumer goods giant Procter & Gamble confirmed a data breach affecting an undisclosed number of employees. Although they only released a statement on March 24th, they claim they were attacked in early February.
“P&G can confirm that it was one of the many companies affected by Fortra’s GoAnywhere incident. As part of this incident, an unauthorized third party obtained some information about P&G employees. The data that was obtained by the unauthorized party did not include information such as Social Security numbers or national identification numbers, credit card details, or bank account information”
PG.com releasing information regarding the data breach.
Unlike Rio Tinto, P&G does not believe that Clop managed to grab sensitive information. Will Clop continue to beat each company they attack? Let us know how long you think they will last.
Hey there, I’m a dark web geek who’s been around for the last 8 years. More precisely, I’m livedarknet’s senior content writer who’s been writing about darknet marketplaces, tutorials, and cybersecurity stuff for educational purposes.