
Cyber Incident Victim: The7Stars

Date: Dec 2020

Location: United Kingdom

Summary

The7Stars, a London-based media agency, experienced a ransomware attack by the Clop gang involving data exfiltration and subsequent public dumping of stolen files, including sensitive documents such as passports, invoices, and client-related agreements. The agency restored systems from backups, initiated an investigation, and reported the incident to authorities while confirming no direct impact on client operations, though the attackers attempted to leverage the stolen data for extortion.

Description

The Clop ransomware gang attacked The7Stars, a London-based media agency, in an incident occurring after December 15, 2020. The agency, which reported £379.36 million in revenues for the fiscal year ending March 31, 2020, was described as the largest independently owned UK media agency, making it a high-value target. Attackers exfiltrated sensitive files including passport scans, invoices, a staff party photograph, and a data protection agreement. These files were subsequently published on Clop’s Tor leak site, a tactic typically indicating failed ransom negotiations or an attempt to pressure victims into paying. The7Stars’ clients included Atlantic Records, Suzuki, Penguin Random House, and Great Western Railway, though no evidence suggested direct compromise of client systems. The agency’s Companies House filings from December 15 made no reference to cybersecurity risks or prior incidents, indicating the attack occurred after that date.

The7Stars confirmed the ransomware attack, characterizing it as sophisticated, and restored its systems from backups. It launched an investigation, notified police, and engaged with clients to provide support following the data leak. The UK Information Commissioner’s Office (ICO) acknowledged receiving a breach report and initiated enquiries. Clop, identified as a CryptoMix variant linked to Dridex banking trojan operators, historically targeted enterprises with multimillion-pound ransom demands, as seen in prior attacks against Software AG, Prominent, and ExecuPharm. The gang’s aggressive approach included preemptive data leaks to incentivize payments, though The7Stars did not disclose whether a ransom was demanded or paid. Financial disclosures showed the agency generated £426 million in gross billings and £2.1 million net profit during the affected fiscal year, with no reported operational disruptions or direct client impacts from the incident.
