The Cl0p Ransomware Gang Attacks Mary Kay

Mary Kay Inc. is a well-known American multi-level marketing (MLM) company that primarily sells skincare and cosmetics products. It was founded by Mary Kay Ash in 1963. The company is headquartered in Addison, Texas, USA. Mary Kay's business model involves recruiting individuals, often referred to as "beauty consultants," who become independent representatives of the company. These representatives then sell Mary Kay products directly to consumers, often through in-person demonstrations, parties, and events. Representatives can also recruit new consultants and earn a portion of their recruits' sales, forming a hierarchical structure typical of MLMs.

Cl0p posted Mary Kay to its data leak site on July 12th but provided no further details. Cl0p is a RaaS platform first observed in 2019. Clop has advanced anti-analysis capabilities and anti-virtual machine analysis to prevent investigations in an emulated environment like those commonly used by security tools. Cl0p is increasingly using automation to exploit known vulnerabilities to infiltrate targets, as well as a SQL injection zero-day vulnerability (CVE-2023-34362) that installs a web shell – a rarity amongst ransomware operators.

Impact of Cl0p's Attacks

Attacks by Cl0p surged in Q1 of 2023 as the gang leveraged patchable exploits for the GoAnywhere file transfer software to compromise more than 100 victims in a matter of weeks, although it is unknown how well they were able to monetize the attacks. Cl0p is likely to be leveraging automation to identify exposed organizations who have not patched against known vulnerability, which is why we are seeing so many new victims.

Ransom demands vary depending on the target and average around $3 million dollars but have been reported as to be as high as $20 million. Ransom amounts are likely to continue to grow as Clop focuses more on the exfiltration of sensitive data.