Ransomware continues to be a profitable business for cybercriminals and given the massive hacks that have been divulged recently, this will continue into the foreseeable future. The primary motivational tactic in a ransomware attack is fear; fear of losing your data, of your company shutting down, of your corporate reputation being tarnished, and now we can add to the list: the fear of the attackers going after your valuable customers. In what appears to be a new scare tactic, ransomware gangs are now directly going after a company’s customers and partners by emailing them and making them paying pricey ransom demands in order to regain their data.

This message was recently sent to customers of RaceTrac Petroleum, an Atlanta company that operates more than 650 retail convenience stores in 12 US states.

This screenshot was taken by the Clop ransomware gang. It reads “Good Day! If you received this letter, you are a customer, buyer, partner or employee of [victim]. The company has been hacked, data has been stolen and will soon b released as the company refuses to protect its people’s data. We inform you that information about you will be published on the darknet [link to dark web victim shaming page] if the company does not contact us.” “Call or write to this store and ask to protect your privacy!!!”

The Clop ransomware group recently copied several gigabytes of company files, including tax and financial records as well as important customer data. The attackers were able to breach a firewall product made by Accellion Inc and gain access to RaceTrac’s valuable data. This product is also used by other industry giants such as Shell and Qualys.

RaceTrac posted to their blog recently saying “By exploiting a previously undetected software vulnerability, unauthorized parties were able to access a subset of RaceTrac data stored in the Accellion File Transfer Service, including email addresses and first names of some of our RaceTrac Rewards Loyalty users. The incident was limited to the aforementioned Accellion services and did not impact RaceTrac’s corporate network. The systems used for processing guest credit, debit and RaceTrac Rewards transactions were not impacted.”

The same ransomware gang also attacked the University of Maryland, Standford Medicine at the Stanford University, and the University of California.

Who is Clop?

At the end of the day, it doesn’t really matter who Clop is because once a flaw is discovered, it can be exploited by a host of cybercriminal organizations. Clop is one of several ransomware groups who will demand two ransoms. One is for a digital key needed to unlock computers and data from file encryption, and the second is to avoid having stolen data published or sold online. This seems to be the way that Clop, REvil (and several other cybercriminal organizations) try to maximize their profits on a hacking campaign and rest assured, more criminals will follow suit if any ransom demands met. The US Treasury Department recently put a ban on ransomware payments which was supposed to slow down the spread of this type of attack, but unfortunately, it continues unabated. The market is just too enticing with all of the connected services and the vast treasure trove of public cloud accounts ripe for the picking. The recent breach of nearly 533 million Facebook user profiles will give attackers valuable ammunition for years to come. Expect more pressure to be put on victim’s clients and social relationships.

As with all things related to cybersecurity, dedication and vigilance is key to maintaining proper security on a network. To learn more about this, see our previous article here.