Clop ransomware claims it breached 130 orgs using GoAnywhere zero-day
The Clop ransomware gang claims to be behind recent attacks that exploited a zero-day vulnerability in the GoAnywhere MFT secure file transfer tool, saying they stole data from over 130 organizations.
Huntress Threat Intelligence Manager Joe Slowik linked the GoAnywhere MFT attacks to TA505, a threat group known for deploying Clop ransomware in the past, while investigating an attack where the TrueBot malware downloader was deployed.
Clop's alleged use of the GoAnywhere MFT zero-day to steal data is a very similar tactic to the one they used in December 2020, when they discovered and exploited an Accellion FTA zero-day vulnerability to steal the data of approximately 100 companies.
In the 2020 Accellion attacks, Clop's operators stole large amounts of data from high-profile companies using Accellion's legacy File Transfer Appliance.
In June 2021, some of Clop's infrastructure was shut down following an international law enforcement operation codenamed Operation Cyclone when six money launderers who provided services to the Clop ransomware gang were arrested in Ukraine.
Update February 10, 15:25 EST: Added a section showing that Huntress made a link between the GoAnywhere MFT attacks and threat actors known for deploying Clop ransomware.