Rubrik is latest victim of the Clop ransomware zero-day campaign

Jovi Umawing

Jovi Umawing

Rubrik, a cybersecurity company specializing in cloud data management, has revealed that some of its systems were infiltrated by the Clop ransomware group. Rubrik is one of many companies attacked by Clop via an infamous zero-day vulnerability in the GoAnywhere file transfer software.

The attack began in February, according to its CEO Michael Mestrovich. “We detected unauthorized access to a limited amount of information in one of our non-production IT testing environments as a result of the GoAnywhere vulnerability,” he says in a blog post published Tuesday. Mestrovich claims that “based on our current investigation, being conducted with the assistance of third-party forensics experts, the unauthorized access did NOT include any data we secure on behalf of our customers via any Rubrik products.”

He also revealed the attackers compromised internal sales data, including customer and partner company names, business contact information, and some purchase orders from Rubrik distributors. According to Mestrovich, the third-party investigators used by Rubrik confirmed that no personal information, such as Social Security Numbers (SSNs), financial accounts, and payment card numbers, were compromised.

The GoAnywhere vulnerability, tracked as CVE-2023-0669, has a severity rating of High and was included in CISA’s Known Exploited Vulnerabilities Catalog, a list of actively exploited vulnerabilities every federal information system must patch urgently. The catalog is an essential go-to list for IT admins trying to prioritize their patching.

The attack on Rubrik happened before an emergency patch was available.

Clop hasn’t been shy about the 130 organizations it’s stolen data from thanks to the GoAnywhere vulnerability. Last week, the gang began sending out extortion emails to the victims, and adding them to its leak site. Known victims include Rubrik, Hatch Bank and Community Health Systems (CHS).

Organizations using GoAnywhere should download the security patch immediately. Fortra has also provided a technical mitigation in its advisory, which can be accessed via the company’s customer portal.

How to avoid ransomware

  • Block common forms of entry. Create a plan for patching vulnerabilities in internet-facing systems quickly; disable or harden remote access like RDP and VPNs; use endpoint security software that can detect exploits and malware used to deliver ransomware.
  • Detect intrusions. Make it harder for intruders to operate inside your organization by segmenting networks and assigning access rights prudently. Use EDR or MDR to detect unusual activity before an attack occurs.
  • Stop malicious encryption. Deploy Endpoint Detection and Response software like EDR that uses multiple different detection techniques to identify ransomware, and ransomware rollback to restore damaged system files.
  • Create offsite, offline backups. Keep backups offsite and offline, beyond the reach of attackers. Test them regularly to make sure you can restore essential business functions swiftly.
  • Don’t get attacked twice. Once you’ve isolated the outbreak and stopped the first attack, you must remove every trace of the attackers, their malware, their tools, and their methods of entry, to avoid being attacked again.