GoAnywhere attack: More and more extortion victims become known
In February, the Russian cl0p gang allegedly installed ransomware at 130 companies via a vulnerability in the administration interface of GoAnywhere MFT (managed file transfer). Since mid-March, the cl0p gang has been demanding payment from the victims of its ransomware. As it turns out, well-known companies are among those affected. The list of known victims keeps growing. Many are silent.
Instead, cl0p is adding more and more company names to a list published on the dark web. TechCrunch contacted the companies named there; not a single one denies using the file transfer service GoAnywhere MFT from the service provider Fortra. The health sector appears to be hit particularly often. However, only a few of the named companies reveal whether and how they are affected by the breach.
Those remaining silent are the Swiss pharmaceutical company Galderma, the Avidia Bank from Massachusetts, the Canadian healthcare provider Homewood Health, the English foundation for affordable housing Guinness Partnership, the Colombian energy company Grupo Vanti, the US financial institution Cornerstone Home Lending, the call center operator ITx Companies, which specializes in medical services, the start-up Brightline, which specializes in children's mental health, the trade fair organizer Emerald Expositions, the medication manager MedMinder,
According to their own statements, the Canadian city of Toronto (“no internal data or resident data was released”) and the department store operator Saks Fifth Avenue (“customer data only copied for test purposes”) got off lightly. It is unclear whether GoAnywhere vendor Fortra even knows which customers are affected. The perpetrators exploited a vulnerability in the administration interface, which was only possible if they could reach that interface. Apparently around 140 Fortra customers had left their admin interface freely accessible from the Internet.
Over 1 million US patients affected
The break-in is particularly bad for Americans who are patients at Community Health Services. This is one of the largest healthcare providers in the country; it admits that the health records of at least a million Americans have fallen into the hands of the perpetrators. Hatch Bank and IT security specialist Rubrik are also openly communicating the hack. Hitachi Energy has also reported a breach but said it happened at Fortra.
AvidXchange, a start-up that offers software for payment transactions, says it is only marginally affected. It uses GoAnywhere only to transmit data to a printer for printing checks, not for storing data. Meanwhile, TechCrunch reports, the criminals have begun releasing excerpts of data stolen from investment manager Onex, including completed tax forms, payment orders and employee details.