The Cl0p Ransomware Gang's Attack on Group AMANA

The Cl0p ransomware gang has attacked Group AMANA. Group AMANA is a UAE-based industrial and commercial design-build construction company. It specializes in fast-track, turnkey construction of commercial, industrial, and institutional low-rise facilities. Cl0p posted Group AMANA to its data leak site on March 8th but provided no further information.

Understanding Cl0p's Threat

Cl0p is a major Ransomware-as-service (RaaS) platform first observed in 2019. Cl0p is a dangerous ransomware family because it has advanced anti-analysis capabilities and anti-virtual machine analysis to prevent investigations in an emulated environment like those commonly used by security tools. Cl0p is one of just a handful of threat actors that have developed a Linux version.

While Linux has a tiny footprint in desktop computing, it runs ~80% of web servers and a substantial portion of embedded devices used in the healthcare field – and this means that Cl0p is likely actively recruiting new talent to help improve their platform and expand the scope of what and whom they can attack.

Cl0p's Expanding Threat

Cl0p also exfiltrates data to be leveraged in double extortion schemes and has recently claimed responsibility for attacks against over 130 organizations – some outside the healthcare sector - using a zero-day vulnerability in secure file transfer software GoAnywhere MFT.