Clop ransomware group attacked Accellion, one of the companies that offer File Transfer Appliance. Typically, transferring files happens via email. However, emails have limitations, particularly when it comes to large attachments and sensitive data. Some companies are now using File Transfer Appliance (FTA) installed on a private cloud, on-premises, or hosted to securely manage and store large attachments that provide better protection and control.
Accellion’s FTA software platform is used by some high profile companies such as Bombardier, Singtel, Reserve Bank of New Zealand, NSW Transport agency, Qualys, Kroger, QIMR Berghofer Medical Research Institute, Australian Securities and Investments Commission (ASIC), Shell, Office of the Washington State Auditor (“SAO”) and multiple universities in the United States.
Given the high profile of targets, the ransomware group foresees a high return of ransom payment. The Accellion data breach started in December 2020 and persisted until January 2021.
The threat actor exploited a zero-day vulnerability on the Accellion File Transfer Appliance (FTA) and stole the data instead of encrypting the files.
Clop ransomware group extorted the victims with higher ransom demands and started publishing the data in February 2021 of those who refused to settle the ransom payment.
Reports say that the average ransom payment of the first quarter of 2021 is set to $220,298, with a massive increase of 43% compared to the last quarter of 2020. In addition, the median ransomware payment grows by roughly 60%, from $49,450 to $78,398.
The increase in the ransom payment data is the outcome of the Clop ransomware attack. The clop ransomware group is a new variant from the Cyptomix family that first surfaced in February 2019. It is also the first ransomware group that demanded a ransom payment of over 20 million dollars from one of the largest software companies in the world.
In the first quarter of 2021, the Clop ransomware group was not the foremost active ransomware actor despite being liable for increasing the average and median ransom payment. The top 10 ransomware strains in the first quarter of 2021 with the highest market share are the following:
Ransomware Type |
Market Share (Percentage) |
Sodinokibi, also identified as REvil or Sodin |
14.2% |
Conti V2 |
10.2% |
Lockbit |
7.5% |
Clop |
7.1% |
Egregor |
5.3% |
Avadddon |
4.4% |
Ryuk |
4.0% |
Darkside |
3.5% |
Suncrypt |
3.1% |
Netwalker |
3.1% |
A ransomware attack can financially damage a company. Half of the ransomware victims chose to pay the ransom payment to restore the stolen data. Threat actors also shift the approach from ransom to data extortion as they will threaten the company to auction or publicly publish the stolen data.
The ransomware groups are taking their operations to the next level. Victims of the ransomware attacks are recommended not to settle any payment as it does not have an assurance to return the stolen data. Paying the ransomware payment merely encourages the threat actors to continue the malicious activity.