Cl0p names first batch of alleged MOVEit victims

The ransomware group responsible for compromising hundreds of companies by exploiting a zero-day flaw in the MOVEit file transfer platform seems to have released the names of its first batch of victims.

The Russia-linked ransom gang posted the names of almost a dozen new victims, out of the hundreds it has claimed to have breached, at the top of its dark web leak site Tuesday.

But its not entirely clear if the named victims are part of the avalanche of MOVEit zero-day bug victims, as they are not labeled as such.

A week ago today, Cl0p had warned victims they had exactly seven days to fork over its ransom demand, or the group would start to identify and leak their stolen data online.

So far, it seems none of the victims named on the Cl0p site, or any other suspected MOVEit victims, have had their data published Tuesday.

Security researcher Hüseyin Can Yuceel of Picus Security, a company that simulates the criminal activity of multiple ransom groups, like Cl0p, said based on its attack history, the group is most likely not bluffing.

“The CI0p ransomware group has claimed to have compromised more than 230 companies worldwide and says it will release exfiltrated sensitive data of their victims on their leak site,” Yuceel said.

Since the purpose of the threat is to pressure the victims into paying the demanded ransom, CI0p may not release the data in its entirety this week. Yuceel explained.

Cl0p MOVEit ransom instructions
Ramson demand instructions posted on the Cl0p dark leak site

MOVEit Transfer is a managed file transfer software system used by hundreds of companies around the world to send and receive files from their clients using secure channels.

Cl0p was able to take advantage of a zero-day flaw in the system by inserting malicious code into a company’s database servers using a method known as SQL injection.

This allowed the attackers to access and download the data stored in the databases.

MOVEit told Cybernews that the bug was patched within 48 hours, adding that it “has implemented a series of third-party validations to ensure the patch has corrected the exploit.”

Clop ransomware
Cl0p leak site

Ransomware often a no-win situation

One of the biggest challenges facing a company once they realize their systems have been breached by ransomware is how best to respond.

Unfortunately once infected, Yuceel said, there is not much that can be done.

“Even if backups are in place, ransomware groups can release their victims' sensitive data and harm their reputation, “ he said.

The US government and other law enforcement agencies almost always advise against paying a ransom demand.

The rise of double and even triple extortion ransomware attacks has proven there are no guarantees that once a company pays up, they'll actually receive the promised decryption key in the exchange.

Even if a company gets the decryption key, it may find the data irreparably damaged once restored. Additionally, the hackers, who can easily make copies of the stolen data for future use, may decide to publish or sell the stolen data anyway, even after the ransom is paid.

“We have observed that organizations known to pay the ransom are much more likely to be targeted by the same or other ransomware groups in the future,” Yuceel said.

"Ransomware payments can also perpetuate the ransomware threat and are used to fund other illegal activities," he said.

In certain countries and industry sectors, it can be illegal in some cases to even pay a ransom demand, according to Yuceel.

“In the UK, there are strict financial sanctions against making of ransomware payments to Russian ransomware organizations,” Yuceel said, for example.

“The Office of Financial Sanctions Implementation considers ransom payments as a breach of financial sanctions, which is a serious criminal offense and can carry a custodial sentence and the imposition of a monetary penalty,” he said.

If Cl0p’s claim of hundreds of victims is true, the MOVEit attack could easily overshadow the fallout from another zero-day vulnerability the group exploited earlier this year in the Fortra GoAnywhere file-sharing platform.

Procter & Gamble (P&G), Shell, Hitachi, Hatch Bank, Rubrik, Virgin, are just a handful of the dozens of victims claimed by Cl0p in the Fortra GoAnywhere attacks.