Cyber Incident Victim: Grupo Vanti
Date: Jan 2023
Location: Colombia
Summary
A ransomware campaign exploiting a vulnerability in Fortra's GoAnywhere managed file transfer software impacted numerous organizations globally, including the Colombian energy company Grupo Vanti. The Russia-linked Clop gang claimed to have compromised approximately 130 organizations, stealing sensitive data such as employee information, tax documents, and healthcare records from victims across multiple sectors. While some organizations confirmed exfiltration of data (in one case the health records of about one million patients), others denied a substantive breach or maintained that only test data was accessed. The attackers used the stolen data for extortion, threatening to publish it on their dark web leak site. Grupo Vanti was identified as a GoAnywhere user but did not publicly confirm or detail any compromise during initial reporting.
Description
A mass-ransomware attack exploiting a vulnerability in Fortra’s GoAnywhere managed file transfer tool impacted numerous organizations globally between late January and early February 2023. The Russia-linked Clop ransomware gang claimed responsibility, asserting it had compromised data from 130 organizations that used the software. The exact start date remains unclear. The vulnerability was first publicly disclosed by security journalist Brian Krebs on February 2, after Fortra had published its advisory only behind a customer login portal. Fortra released a security fix on February 7, but by then attackers had already exfiltrated data from multiple victims. Clop gradually added victim names to its dark web leak site, using the stolen data to extort payments. The attack vector was a zero-day flaw in GoAnywhere, which can be deployed cloud-hosted or on-premises, that gave the attackers unauthorized access to the file transfer systems and the data passing through them.

Confirmed victims included healthcare provider Community Health Systems, which reported the theft of health data belonging to roughly one million patients; Hatch Bank, which acknowledged a breach; and cybersecurity firm Rubrik. Other organizations, such as Investissement Québec and Hitachi Energy, confirmed that employee personal information was stolen through the compromised GoAnywhere deployment. The City of Toronto initially denied data exfiltration on March 20 but revised its statement on March 23, confirming unauthorized access through its GoAnywhere instance. Clop leaked samples of data stolen from Onex, including tax forms, payment records, and employee details. Some listed organizations, including AvidXchange and Saks Fifth Avenue, disputed the severity, asserting that only non-sensitive test data or externally hosted files were accessed. Colombian energy company Grupo Vanti was identified as a GoAnywhere user but did not respond to multiple requests for comment, leaving its breach status unconfirmed. Fortra declined to disclose which customers were affected or to confirm whether its own systems hosting client data were compromised. By March 22, Clop had publicly listed fewer than half of the 130 claimed victims; ongoing investigations by impacted entities and inconsistent public disclosures continued to obscure the full scope.
