Fortra GoAnywhere Data Breach Lawsuits Get Consolidated
Clop Ransomware Group Held Data Stolen From File Transfer Servers to Ransom
First come ransomware groups' supply chain attacks; next come the data breach lawsuits.
One closely watched set of class action lawsuits centers on Minnesota-based Fortra, maker of the GoAnywhere Managed File Transfer platform. In January 2023, the Russian-speaking digital extortion group Clop, aka CL0P, exploited a zero-day vulnerability in the software to steal data from what it claimed were more than 130 victims over the course of 10 days.
The U.S. Judicial Panel on Multidistrict Litigation this week said dozens of data breach lawsuits that name Fortra as a defendant, tied to Clop's supply chain attack against its software, have been consolidated into a single case in the Southern District of Florida, where more cases were pending than in any other district. Bloomberg Law first reported the news.
"Plaintiffs are individuals whose protected health information or personal identifying information was potentially compromised," the panel said.
The move to consolidate the lawsuits in Florida was supported by multiple defendants, including Aetna, Community Health Systems and Brightline as well as by Fortra, the panel said. Some defendants opposed the move, including Anthem Insurance Companies, which faced a single lawsuit in the Southern District of Indiana.
The stated rationale for centralizing the lawsuits is the immense amount of overlap between them and the desire to efficiently support everyone involved, including witnesses and judicial resources, the panel said. Defendants also overlapped in many of the cases. Brightline works with commercial insurance carriers, employers and consultants to provide services to their members, and one of its clients is Aetna. Other lawsuits name NationsBenefits, a supplementary benefits company that is one of Aetna's vendors.
"All actions can be expected to share common and complex factual questions surrounding how the Fortra GoAnywhere vulnerability occurred, the unauthorized access and data exfiltration, and Fortra's response to it, which impacted all the various downstream defendant users of the file transfer software and individual plaintiffs," the panel said.
Zero-Day Attack Against GoAnywhere MFT
The Clop group's attacks against users of the Fortra GoAnywhere software appeared to involve only data exfiltration. "Lateral movement into the victim networks from the GoAnywhere MFT was not identified, suggesting the breach was limited to the GoAnywhere platform itself," the U.S. Cybersecurity and Infrastructure Security Agency said.
"Over the next several weeks, as the exfiltrated data was parsed by the group, ransom notes were sent to upper-level executives of the victim companies, likely identified through open source research," CISA said. "The ransom notes threatened to publish the stolen files on the CL0P data leak site if victims did not pay the ransom amount."
Clop's Supply Chain Hits
Clop doubled down on targeting secure file transfer software. Instead of forcibly encrypting file transfer servers and demanding a ransom to decrypt them, the group steals the data and extorts victims by threatening to release it. As a result of such attacks, security experts have recommended that all file transfer software users use multifactor authentication to protect their systems and minimize the amount of time they leave data on such servers (see: Hackers Hit Secure File Transfer Software Again and Again).
So far, Clop has launched supply chain attacks against managed file transfer software platforms built by four vendors.
- Accellion: On Dec. 23, 2020, Clop began stealing data from Accellion File Transfer Appliance users and holding it to ransom.
- Serv-U: In November 2021, Clop exploited a vulnerability in SolarWinds Serv-U Managed File Transfer and Secure FTP software.
- GoAnywhere: Clop exploited Fortra's GoAnywhere managed file transfer software starting on Jan. 25, 2023 and stole data from at least 130 victim organizations before Fortra patched the flaw on Feb. 7, 2023.
- MOVEit: Over the course of several days in late May 2023, Clop exploited a zero-day vulnerability in Progress Software's MOVEit file transfer software to steal data that users were sharing via the software. While the vendor rapidly issued a security alert and patch, security firm Emsisoft said the data theft affected over 2,700 organizations and 94 million individuals.
Key to Clop's success has been its ability to discover or purchase exploits for zero-day vulnerabilities in the products that allow it to rapidly execute these attacks, amassing numerous victims.
This innovative approach has resulted in massive profits for the group, which last year totaled over $100 million in ransom payments from victims, equal to about 10% of all known ransomware earnings for the year, according to blockchain analytics firm Chainalysis (see: Record-Breaking Ransomware Profits Surpassed $1B in 2023).
Other Lawsuits Arising
Clop's other attacks have also led victims to file data breach lawsuits against the vendors and other defendants.
Progress Software, based in Burlington, Massachusetts, has been named in dozens of lawsuits that were filed last year after the MOVEit software breach. Those lawsuits have since been consolidated.
In October 2023, Progress Software told investors that, thanks to a multidistrict litigation panel ruling, "58 class action lawsuits filed by individuals who claim to have been impacted by the exfiltration of data from the environments of our MOVEit Transfer customers" had been consolidated into a single lawsuit in Massachusetts federal court.
The attacks targeting software built by San Mateo, California-based Accellion - now known as Kiteworks - began in late 2020 and led to 26 legal actions, which the panel reviewed and declined to centralize.
Some defendants in the Fortra GoAnywhere data breach lawsuits who opposed centralization cited the panel's Accellion decision. Responding to those arguments, the panel this week said the cases differed in notable ways: Many of the defendants in the Accellion cases argued against centralization and already had informal arrangements in place to cooperate. Also, the Accellion attack lawsuits arose "from a breach of a 'legacy' file transfer appliance that Accellion allegedly had encouraged its customers to migrate away from."
The panel said: "As in Accellion, there may be allegations specific to each defendant's role in the breach of a particular plaintiff's data. But this litigation - regardless of whether Fortra is named as a defendant in a particular case - poses significant questions about Fortra's role in the ultimate exploitation of the GoAnywhere vulnerability."