Why carry out an expensive and technically complex ransomware attack when pretending to have done so is enough? Barracuda Networks has recently identified a new type of extortion email in which attackers impersonate the well-known Clop ransomware group. By claiming they have accessed a company’s network and stolen sensitive data, the scammers pressure victims for money without having actually carried out any attack.
Referring to real incidents to appear credible
In the emails, the attackers claim to have exploited a vulnerability at Cleo, a company that develops file-transfer platforms such as Cleo Harmony, VLTrader and LexiCom. Because this approach resembles genuine Clop operations, the scam can be hard to detect.
To lend credibility, the fraudsters link to a news-style blog post that reports how Clop allegedly exfiltrated data from 66 of Cleo’s customers. They then instruct the recipient to contact them via a list of provided email addresses.
How can you spot the scam?
Barracuda Networks’ security analysts have outlined several indicators that help organizations distinguish a real ransomware intrusion from a fake extortion attempt:
- Scam emails from fake Clop operators often reference legitimate news stories about Clop ransomware incidents.
- If the email includes a 48-hour payment deadline, links to a secure chat channel for negotiations, and partially discloses names of affected companies, it may indicate a real attack and should be treated as an active security incident.
- If those elements are missing, the message is likely a bluff designed to coerce payment even though no breach has occurred.
“We see a clear trend of cybercriminals becoming increasingly sophisticated in how they exploit the fear of ransomware. By leveraging the panic real Clop incidents cause, scammers hope to coerce companies into paying even when no attack has taken place. That underscores the importance of verifying threats before taking action,” says Klas Palmér, a security expert at Barracuda Networks.