After a host of targets including the City of Toronto, Hitachi Energy, and P&G, the government of the Indian state of Goa became the latest victim in the mass ransomware attack initiated by the threat actor group Cl0p. At the time of writing, The Cyber Express had yet to receive a reply to its email requests for confirmation sent to the Goa government's ministry of information technology and the state cyber police.
The Cl0p ransomware group exploited a vulnerability in GoAnywhere, a managed file transfer product used by organizations worldwide.
The Government of Goa, India has been breached by CL0P^_- Ransomware.
/goa.gov.in#cybersecurity #infosec pic.twitter.com/XBYD3lzxVk
— Dominic Alvieri (@AlvieriD) March 24, 2023
Goa Cyber Attack: Cl0p ransomware vs the Indian State
Cybersecurity researchers contacted by The Cyber Express confirmed that the Goa cyber attack may indeed have occurred, as the Cl0p ransomware group has listed the government of Goa as a victim on its leak site.
It appeared among a list of other organizations including The Golf Warehouse, Inter-Minerals, Atos, Globalfarm, Alto, Grupo Floraplant, and Onex. The post did not include any sample data or a ransom demand.
Pointing out that the group has not substantiated their claims with any proof, the researcher warned The Cyber Express that the post could be a bluff.
“The group has a history of claiming any larger entity as its victim even if the actual victim is a third-party vendor. So, these claims should be taken with that into account,” the researcher said.
In July 2022, the state's flood monitoring system reportedly faced a ransomware attack, with the perpetrators demanding a ransom in bitcoin for decrypting the locked files.
That incident came to light when a Goa Water Resources executive engineer, Sunil Karmarkar, filed a complaint with the Cyber Crime Cell of Goa Police, stating that its files had been encrypted and were inaccessible.
“The server has been attacked by some ransomware. All files are encrypted with an ‘eking extension’ and cannot be accessed. In a popup-and-stored file, the attackers have demanded bitcoin in exchange for decryption of the data,” read the complaint.
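The complaint above describes two observable traces of that kind of attack: encrypted files renamed with a new extension, and a ransom note dropped as a popup and as a stored file. The following script is an added example, not code from the article or from any of the organisations it names; it walks a directory tree, counts files carrying a suspect extension (the ".eking" extension quoted in the complaint), looks for filenames that resemble dropped ransom notes (the marker list is an assumption for the example, not an indicator taken from the article), and raises an alert when the two appear together or the count crosses a threshold. The sample file layout it builds in a temporary directory is constructed for the demonstration.

```python
import os
import tempfile
from collections import Counter
from pathlib import Path

# Extension quoted in the Goa Water Resources complaint above.
SUSPECT_EXTENSIONS = {".eking"}
# Filename fragments typical of dropped ransom notes. These are generic
# assumptions for the example, not indicators taken from the article.
NOTE_MARKERS = ("decrypt", "restore", "how_to", "info.hta", "info.txt")


def scan_tree(root, suspect_exts=SUSPECT_EXTENSIONS, note_markers=NOTE_MARKERS, threshold=5):
    """Walk `root` and return a summary dict:
    counts  - number of files per suspect extension
    notes   - paths whose name looks like a ransom note
    alert   - True when the count reaches `threshold`, or when at least one
              renamed file appears together with a note
    """
    counts = Counter()
    notes = []
    for dirpath, _dirs, filenames in os.walk(root):
        for name in filenames:
            path = Path(dirpath, name)
            ext = path.suffix.lower()
            if ext in suspect_exts:
                counts[ext] += 1
            if any(marker in name.lower() for marker in note_markers):
                notes.append(str(path))
    total = sum(counts.values())
    alert = total >= threshold or (total > 0 and len(notes) > 0)
    return {"counts": dict(counts), "notes": notes, "alert": alert}


def build_sample_tree(root, infected):
    """Populate `root` with a constructed file layout for the demo."""
    root = Path(root)
    (root / "reports").mkdir()
    (root / "reports" / "levels_2022.csv").write_text("station,level\n")
    (root / "config.ini").write_text("[sensor]\n")
    if infected:
        for i in range(6):
            # Constructed name in the "original.ext.<id>.eking" style.
            (root / "reports" / f"gauge_{i}.xlsx.id-EXAMPLE.eking").write_bytes(b"\x00" * 16)
        # Constructed ransom note; the wording is invented for the example.
        (root / "info.txt").write_text("Your files are encrypted. Pay in bitcoin.\n")


def demo(infected=True):
    """Build a throwaway tree, scan it and return the summary."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp, infected)
        return scan_tree(tmp)


if __name__ == "__main__":
    print(demo())
```

Run against a real file share the scan is only a first triage step: the threshold and marker list should be tuned to the environment, and a positive result is a cue to isolate the host and preserve the note and a sample of the renamed files for the incident responders, not to start cleanup.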
GoAnywhere vulnerability and the slew of cyber attacks
“GoAnywhere has a diverse install base ranging from small companies to Fortune 500 companies, as well as non-profit organizations and government entities,” read the statement on the website of its parent company Fortra.
The GoAnywhere app currently has more than 1,000 downloads on the Google Play Store. The Cyber Express is yet to confirm whether the government of Goa is a GoAnywhere customer.
Security reporter Brian Krebs reported details of the GoAnywhere vulnerability on February 2. Fortra released patches for the GoAnywhere vulnerability on February 7, but the five-day gap was enough for hackers to go on a rampage.
Beginning with Community Health Systems, one of the largest healthcare providers in the US, the Cl0p ransomware group has listed more than 130 victims so far.
CHSPSC, a management company that provides services to the many subsidiary hospital operator companies and other affiliates of Community Health Systems, informed the Maine Attorney General’s Office, USA, on March 8 about the incident.
“Fortra informed CHSPSC it became aware of the incident the evening of January 30, 2023 and took impacted systems offline on January 31, 2023, stopping the unauthorized party’s ability to access the system,” read the disclosure.
“According to Fortra, the unauthorized party used a previously unknown vulnerability to gain access to Fortra’s systems, specifically Fortra’s GoAnywhere file transfer service platform, compromising sets of files throughout Fortra’s platform.”
Hitachi, one of the high-profile victims, named the ransomware actor in its disclosure.
“We recently learned that a third-party software provider called FORTRA GoAnywhere MFT (Managed File Transfer) was the victim of an attack by the CLOP ransomware group that could have resulted in an unauthorized access to employee data in some countries,” read the company’s statement on March 17.