Cl0p gang claims hundreds of MOVEit flaw victims


The Cl0p ransomware gang has issued a warning, declaring that they supposedly breached hundreds of companies using the MOVEit zero-day vulnerability.

Russia-linked Cl0p ransomware is fueling the furor surrounding the recent zero-day bug that affects MOVEit Transfer’s servers. The bug allowed attackers to access and download the data stored there. MOVEit told Cybernews that the bug was patched within 48 hours, adding that it “has implemented a series of third-party validations to ensure the patch has corrected the exploit.”

“This is announcement to educate companies who use the progress MOVEit product that the chance is that we download a lot of your data as part of exceptional exploit. We are the only ones who perform such attack,” reads the gang’s grammatically challenged announcement.


Earlier this week, researchers at Microsoft pinned an attack exploiting the MOVEit flaw to the Lace Tempest attacker group, known for ransomware operations and running the Cl0p extortion site.

Cl0p is using the warning to intimidate MOVEit clients into contacting the gang first, rather than the gang reaching out to each of them individually. Typically, ransomware gangs contact their victims to inform them they were breached.

In an attempt to avoid attention from resourceful nation-state actors, Cl0p even tried to label themselves as a “friendly” ransomware syndicate by allegedly erasing the data they’ve stolen from governments and law enforcement agencies.

However, the crooks’ seemingly altruistic behavior has its limits. They’ve promised to publish the names of their corporate victims on their dark web blog next week.


How many MOVEit victims are there?

While the true extent of the zero-day bug will be revealed in the coming days, there’s some indication that Cl0p has hit the jackpot. According to security researcher Kevin Beaumont, “there’s over 100” organizations that Cl0p has likely breached.

Meanwhile, Rick Holland, CISO of cybersecurity firm ReliaQuest, compared the recent zero-day exploit to a similar Cl0p campaign earlier this year, when the gang banked on Fortra’s GoAnywhere vulnerability. The latter allowed cybercriminals to breach around 200 companies.


Holland believes that, in the case of the MOVEit breach, any organization that had MOVEit servers connected to the internet should assume that it was breached.

“Organizations that have not received a ransom note shouldn’t assume they are in the clear. The threat group has likely compromised so many organizations that it may take them time to work through the victim queue,” Holland said.

At the same time, researchers at internet intelligence firm Censys said the number of exposed servers remains high, with over 3,000 hosts exposed to the internet running MOVEit.

The attackers themselves say there are hundreds of affected companies. “We have information on hundreds of companies so our discussion will work very simple,” Cl0p said.

Who are Cl0p?

The Cl0p ransomware has been around since 2019 — a long time in the ever-changing ransomware landscape. The gang has also been at the forefront of the ransomware world, with estimated payouts reaching $500 million in November 2021.

In the same year, Ukrainian law enforcement dealt the gang a major blow, leading to several arrests and the dismantling of the gang’s server infrastructure. The arrests eventually forced it to shut down operations from November 2021 to February 2022. However, the gang has been steadily recovering since then.

Earlier this year, Cl0p made headlines after successfully exploiting a zero-day bug in another file transfer system, Fortra’s GoAnywhere. The gang breached numerous companies, including Shell, Hatch Bank, Bombardier, Stanford University, Rubrik, Saks Fifth Avenue, and many others.

According to Ryan McConechy, the CTO at cybersecurity firm Barrier Networks, with more organizations widening their supply chain and providing partners access to internal systems, the number of similar attacks will only grow.

“This is yet another example of a supply chain security incident where one exploited vulnerability in a system has impacted thousands of people. [...] When organizations rely on a 3rd party solution to deliver business, they outsource their security and lose visibility of whole portions of their stack,” he said.


Updated [June 8, 02:20 PM GMT] with MOVEit's statement.