The MOVEit data theft attacks have caused the Clop ransomware gang to start extorting businesses, first posting the names of the businesses on a data leak website—a common strategy before releasing stolen data to the public.
These entries were published after threat actors stole server-stored files on May 27th by using a zero-day vulnerability in the MOVEit Transfer secure file transfer platform.
The Clop gang claimed responsibility for the attacks, stating that they had compromised “hundreds of companies,” and that if negotiations did not take place by June 14th, their identities will be added to a data dump site.
Threat actors claim they will start publishing stolen data on June 21st if an extortion demand is not satisfied.
Clop starts blackmailing businesses.
The Clop threat actors mentioned thirteen businesses on their data breach website yesterday, but they made no mention of whether they were connected to the MOVEit Transfer operations or whether they were ransomware encryption attacks.
Since then, one of the businesses—Greenfield CA—has been taken off the list, which suggests that either the listing was inaccurate or that talks are ongoing.
The University of Georgia (UGA) and University System of Georgia (USG), Heidelberger Druck, Landal Greenparks, UnitedHealthcare Student Resources, and the British multinational oil and gas company Shell have all since confirmed that they were impacted by the MOVEit attacks to varying degrees.
Landal informed that the names and contact details of roughly 12,000 guests were accessible by threat actors, despite Shell’s claim that only a limited number of staff and clients were affected.
According to statements made, the University System of Georgia, the University of Georgia, and UnitedHealthcare Student Resources are all still looking into the attack and will reveal any security flaws they find.
Heidelberger Druck, a German printing company, told that although they use MOVEit Transfer, their study shows that no data breaches resulted from it.
Previously reported data breaches
Other organisations that have already disclosed MOVEit Transfer breaches include Zellis (via Zellis, BBC, Boots, and Aer Lingus, as well as Ireland’s HSE), the University of Rochester, the government of Nova Scotia, the US states of Missouri and Illinois, BORN Ontario, Ofcam, Extreme Networks, and the American Board of Internal Medicine.
In previous attacks that used zero-day flaws in managed file transfer software from SolarWinds, Accellion, and GoAnywhere, threat actors demanded $10 million in ransom payments to stop data leaks.
According to information obtained, the extortion scheme used by the GoAnywhere extortion attempts was not very successful, with businesses choosing to reveal data breaches rather than pay a ransom.
According to a CNN article from today, the U.S. Cybersecurity and Infrastructure Security Agency (CISA), which collaborates with multiple U.S. federal agencies, was also compromised using the MOVEit zero-day vulnerability. According to Federal News Network, two U.S. Department of Energy (DOE) organisations were also infiltrated.
The threat actors behind Clop, however, previously disclosed that they erase any data taken from the government.
The ransomware operation reportedly stated, “I want to inform you right away that the military, children’s hospitals, GOV, etc. like this we no to attack, and their data was erased.”
Sadly, after data has been stolen, there is no way to verify that it has been erased as promised, so it should be assumed that it is still at risk.
Install NPAV on your systems to ensure best-in-class security against malware and ransomware attacks. Use NPAV and join us on a mission to secure the cyber world.