Ransomware group Clop issues extortion notice to ‘hundreds’ of victims
Potentially hundreds of companies globally are being extorted by the Clop ransomware group after it exploited a vulnerability in the file transfer tool MOVEit to break into computer networks around the world and steal sensitive information.
Clop, which Microsoft warned on Sunday was behind the attempts to exploit MOVEit, published an extortion note on Wednesday morning claiming that “hundreds” of businesses were affected and warning that these victims needed to contact the gang or be named on the group’s extortion site.
The gang’s post had an initial deadline of June 12, after which the criminals said “we will post your name on this page,” although the date was later pushed back to June 14. The reason for the delay was not given, although as noted by the BBC’s Joe Tidy, June 12 is a national holiday in the Russian Federation.
The extortion note states, in poor English:
Step 1: If we do not hear from you until June 14 2023 we will post your name on this page.
Step 2: If you receive chat URL go there and introduce you
Step 3: Our team will provide 10% proof of data we have and price to delete
Step 4: You may ask for 2-3 files random as proof we are not lying
Step 5: You have 3 day to discuss price and if no agreement you custom page will be created
Step 6: After 7 days all you data will start to be publication
Step 7: You chat will close after 10 not productive data and data will be publish
Independently of Clop’s claims, it is not known how many companies globally have been affected by the hacking campaign. Last Thursday, security researchers identified more than 2,000 instances of the tool exposed to the public internet, with the majority in the United States.
There were 128 instances of MOVEit Transfer exposed to the internet from the U.K., although the number of companies impacted by the incident may be much higher.
The compromise of a single company using the tool, a payroll services provider called Zellis, has already been blamed for hackers compromising at least four businesses operating in Britain and Ireland, including the BBC, British Airways, Boots and Aer Lingus.
The U.S. Cybersecurity and Infrastructure Security Agency issued an advisory on Wednesday regarding Clop's campaign to exploit the MOVEit service, warning the gang had historically “compromised more than 3,000 U.S.-based organizations and 8,000 global organizations.”
The Nova Scotia government and the University of Rochester are the first victims to be identified in North America.
Clop had earlier this year conducted a similar attack exploiting a vulnerability affecting Fortra’s GoAnywhere file transfer product, which the group said allowed it to steal data from more than 130 companies, governments and organizations.
Cybersecurity expert Kevin Beaumont and several other researchers warned that dozens of state and federal agencies in the U.S. appeared to be MOVEit users, potentially exposing troves of sensitive documents. In its post on Wednesday, Clop stated: “If you are a government, city or police service do not worry, we erased all your data. You do not need to contact us. We have no interest to expose such information.”
There is a significant risk for ransomware groups in attracting too much law enforcement attention. One of the criminal scene’s most prolific groups, Babuk, shut down in 2021 after compromising the District of Columbia’s police department and threatening to leak sensitive files exposing investigations and informants.
Alexander Martin
is the UK Editor for Recorded Future News. He was previously a technology reporter for Sky News and is also a fellow at the European Cyber Conflict Research Initiative.