An individual or group claiming to be working with the Clop ransomware operation has been sending extortion emails to executives at several organizations since September 29, according to Google.
The threat actor also claims to have stolen sensitive data from the targets' Oracle E-Business Suite environments.
Researchers at Mandiant and Google Threat Intelligence Group (GTIG) are investigating the case but have not yet gathered enough evidence to substantiate the actor's claims.
Charles Carmakal, CTO of Mandiant at Google Cloud, commented: “We are currently observing a high-volume email campaign being launched from hundreds of compromised accounts.”
His team’s initial analysis confirms that at least one of these accounts has been previously associated with activity from FIN11, a long-running financially motivated threat group known for deploying ransomware and engaging in extortion.
“The malicious emails contain contact information, and we’ve verified that the two specific contact addresses provided are also publicly listed on the Clop data leak site (DLS). This move strongly suggests there’s some association with Clop and they are leveraging the brand recognition for their current operation,” Carmakal added.
However, he noted that this does not necessarily mean Clop is involved in, or even aware of, the campaign.
“Attribution in the financially motivated cybercrime space is often complex, and actors frequently mimic established groups like Clop to increase leverage and pressure on victims. We recommend targeted organizations investigate their environments for evidence of threat actor activity,” he concluded.