Seriously Risky Business Newsletter
October 09, 2025
Clop is a Big Fish, But Not Worth Hunting
Policy & Intelligence
Your weekly dose of Seriously Risky Business news is written by Tom Uren and edited by Patrick Gray. It's supported by Lawfare with help from the William and Flora Hewlett Foundation. This week's edition is sponsored by Corelight.
You can hear a podcast discussion of this newsletter by searching for "Risky Business News" in your podcatcher or subscribing via this RSS feed.

The Clop ransomware gang is once again in the news after a mass exploitation campaign targeting users of Oracle's E-Business Suite. This month Clop emailed executives at victim companies threatening to leak stolen files if it does not receive payment.
Stealing data to extort companies is not good, but it is a hell of a lot better than systems getting locked up with encrypting ransomware, leading to weeks of factory shutdowns. Right now, from a government perspective, it would be a win if every campaign looked like Clop's.
The group has been active since 2019, making it one of the longer-lasting ransomware gangs. It initially deployed standard encrypting ransomware, but in 2020 it was one of the first groups to experiment with 'double extortion'.
In addition to 'traditional' encrypting ransomware that locks up systems, this involved data extortion where the group threatened to publish sensitive information it had stolen unless a ransom was paid.
Clop soon shifted its focus to data extortion campaigns and in 2023 said it was its preferred tactic. The campaigns targeted corporate file transfer systems using 0days to facilitate rapid mass exploitation. They included:
- Accellion File Transfer Appliances starting in late 2020.
- Fortra's GoAnywhere Managed File Transfer servers in 2023.
- MOVEit Transfer managed file transfer software also in 2023.
- various Cleo file transfer platforms in early 2025.
The MOVEit campaign was massive and affected 2,773 organisations. At the time, ransomware incident response firm Coveware estimated the campaign could earn Clop USD$75 to $100 million.
The modus operandi was similar across all the above campaigns:
- Acquire 0day for target systems, typically internet-accessible edge devices that are used to transfer potentially sensitive data.
- Steal data in a short-duration mass exploitation event. These often started on a public holiday or weekend when defenders were less likely to respond quickly.
- Send out extortion emails, often some time after the data theft had taken place.
In addition to a smart collection strategy that maximises its data extortion opportunities, Clop takes steps to minimise the risk of government attention. In the Cleo campaign earlier this year, for example, Clop told Bleeping Computer that "if the data is government services, institutions, medicine, then we will immediately delete this data without hesitation".
While Clop's recent extortion campaigns have affected a large number of victims, the operational disruption for businesses has been insignificant compared to other high-profile incidents. Take the recent ransomware attack on Jaguar Land Rover, for example. It had such widespread economic impact the UK government underwrote a £1.5 billion loan to get the company back up and running. In Japan, a ransomware attack late last month interrupted domestic production of Asahi beer.
The impacts of encryption and extortion attacks are very different, yet both are often generically described as "ransomware" in press coverage and official government guides.
That's a mistake. Governments need to draw a clear distinction between encrypting ransomware and data extortion, and treat them differently.
Law enforcement and government disruption operations should be focused on the groups that deploy encrypting ransomware because they cause systemic flow-on impacts. Data extortion groups like Clop? Well, they can get to them when encrypting ransomware is under control.
Clop is making a splash. But that doesn't mean that government authorities should devote time and effort to combat it. There are just bigger fish to fry.
Ending America's Foreign Influence Ostrich Doctrine
Influence operations are routinely run by states, and the US needs to revisit its "ostrich doctrine" of pretending they don't exist.
In recent months, we've noted a steady drumbeat of these campaigns being outed in the media.
Just this week Reuters reported an anti-US campaign that was funded by the Chinese embassy in the Philippines. The embassy paid a Chinese company, InfinitiUs Marketing Solutions, to execute the campaign. The messaging included disparaging the US-Philippine alliance and criticising Western-made Covid vaccines. It also promoted pro-China and anti-US content created by genuine Filipinos, some of whom had received money from Beijing.
Last week, Citizen Lab reported on an AI-enabled campaign where real-world air strikes were coordinated with social media posts.
Citizen Lab says that the campaign, which it calls Prisonbreak, was intended to incite Iranian audiences to revolt against their government. Of particular note, accounts associated with Prisonbreak posted to X an AI-generated video showing an airstrike on Iran's Evin prison while real air strikes were actually taking place. Other accounts in the Prisonbreak network reposted news about the strikes on Evin and called for people to head to the prison, which is notorious for holding political prisoners.
Unsurprisingly, Citizen Lab believes that the Israeli government is ultimately behind the campaign.
OpenAI's October threat report noted that its AI tools have been used in covert state-backed influence campaigns. There were also multiple reports about Russian interference during last month's Moldovan parliamentary elections.
To sum this all up, influence operations are everywhere. And they are being run by America's foes and allies alike.
Let's not forget that the US itself has run covert influence campaigns. In 2020 and 2021 the US Department of Defence ran a campaign in the Philippines to discredit Chinese Covid vaccines.
Unfortunately, the US government has disbanded offices that were tasked with countering foreign interference. Attorney General Pam Bondi dismantled the FBI's Foreign Influence Task Force back in February and in April, Secretary of State Marco Rubio closed the State Department office that had been responsible for countering foreign influence campaigns. In their respective announcements, Bondi cited "risks of weaponisation" while Rubio cited free speech as justification.
The US faces real adversaries that regularly conduct influence operations to America's detriment. Ignoring the risk by closing your eyes, covering your ears and shouting "free speech" is a poor strategy.
Intelligence Online reports the State Department is thinking about reactivating its teams that countered foreign disinformation. That's good news. The first step is acknowledging you've got a problem. It's time for the government to take its head out of the sand.
Watch Amberleigh Jack and Tom Uren discuss this edition of the newsletter:
Three Reasons to Be Cheerful This Week:
- Google rolls out end-to-end encrypted emails and ransomware protection: Google Workspace users can now send end-to-end encrypted emails to anyone, even people who use a different email provider. Google will also stop files syncing to Google Drive cloud storage if it detects ransomware encrypting or corrupting files in bulk.
- AI is good at detecting scams: This month's OpenAI threat report says that ChatGPT is actually good at detecting scams. It even reckons that it is being "used to identify scams up to three times more often than it is being used for scams". Does that just mean that ChatGPT is good at identifying its own scamming? Lol.
- Lawsuits to punish poor security pay off: A company affiliated with Georgia Tech has agreed to pay USD$875,000 to settle a case involving allegations it failed to meet cyber security requirements as specified in government contracts. The lawsuit stems from a Biden-era initiative to use lawsuits under the False Claims Act to discourage negligent security practices. CyberScoop says four other companies have collectively paid nearly USD$26 million to settle similar cyber security-related suits, so the initiative is paying off, although it is not clear whether it is improving security.
Sponsor Section
In this Risky Business sponsor interview, Catalin Cimpanu talks with Ashish Malpani, Head of Product Marketing at Corelight. The discussion looks at how NDRs might evolve, such as expanding to protect inter-cloud networks and complementing EDRs.
Shorts
No Apple ADP For Brits
The UK government has ordered Apple to allow access to encrypted iCloud backups of British users, according to the Financial Times.
This is a downsizing of the order issued in January that had requested access to encrypted backups of any iCloud user. This is pretty much what we expected after senior US officials claimed that the UK had backed down.
This order could be contested at the UK's Investigatory Powers Tribunal, so the ultimate outcome is still unknown. In the meantime, Apple recently confirmed that Advanced Data Protection is not available for UK users. This means that British authorities can get access to the iCloud data of UK citizens, but US citizens are still protected.
Risky Biz Talks
You can find the audio edition of this newsletter and other fine podcasts and interviews in the Risky Biz News feed (RSS, iTunes or Spotify).
In our last "Between Two Nerds" discussion Tom Uren and The Grugq talk about the 0day mass exploitation of SharePoint and Exchange. This type of widespread hacking appears to be increasingly common… but is it?
Or watch it on YouTube!
From Risky Bulletin:
Redis vulnerability impacts all versions released in the last 13 years: The Redis database project released a security update last week to patch a critical vulnerability that can allow remote attackers to run malicious code and take over systems.
The vulnerability is as bad as it gets and impacts all Redis versions released over the past 13 years.
The vulnerability is tracked as CVE-2025-49844, but the Google Wiz team that discovered it calls it RediShell.
[more on Risky Bulletin]
Microsoft tells users to uninstall games affected by major Unity bug: Microsoft and the Steam gaming platform have reacted over the weekend to a new security flaw discovered in Unity, one of today's most widely used game engines.
The vulnerability was discovered by RyotaK, a researcher for GMA Flatt Security, who has quite a few of these high-impact bugs to his name.
The bug is tracked as CVE-2025-59489, and it allows malicious apps on the same device to add command-line arguments to Unity-based games that load malicious code together with a game.
RyotaK says his research studied the vulnerability on Android, but that the bug can also affect games on other platforms. In some very narrow scenarios, the bug can also be exploited via browsers or remotely, for even more wide-reaching impact.
[more on Risky Bulletin]
Scam compound operators sentenced to death in China: China has sentenced 11 individuals to death for their role in running cyber scam compounds in Myanmar.
Five other individuals received death sentences suspended for two years, 11 others received life sentences, and 12 more got prison terms ranging from five to 24 years.
The suspects were members of the infamous Ming crime family. They were arrested in November 2023, when the Chinese government first started seriously cracking down on scam compounds targeting its citizens.
The Ming family ran some of the largest scam operations at the time, operating primarily out of the Kokang region of Myanmar, near the Chinese border. According to court documents, the compounds made the Ming family at least $1.4 billion between 2015 and 2023, when the compounds were raided in a joint Burmese and Chinese operation.
[more on Risky Bulletin]