Cl0p’s MOVEit Transfer attacks will spur copycats


Cl0p has taunted Deutsche Bank, Shell, PWC, and hundreds of others. The MOVEit Transfer exploit unleashed a tsunami of breaches, and experts fear the gang’s success will inspire others to follow.

The sound of high-fives likely echoes in the dimly lit rooms where the masterminds behind the Cl0p ransomware gang dwell: the MOVEit Transfer zero-day exploit has netted the crooks hundreds, if not thousands, of victims to prey on.

At the time of writing this article, nearly 400 organizations have been confirmed to be impacted by Cl0p’s attacks, with over 20 million people having their data exposed. With little hope of anyone stopping the Russia-linked gang, the victim count will likely increase several-fold.


Experts we’ve spoken to about Cl0p’s campaign see the gang’s tactics evolving, with the cartel increasingly acting like a rogue data broker. Meanwhile, others point to the gang’s morbid sense of humor, toying with victims just for the sake of it.


Success breeds success

The wave of attacks showcases a nearly perfect supply-chain hack, where just one software exploit opened the doors to thousands of companies, Karim Hijazi, cybersecurity expert and managing director of SCP&CO, says.

“This type of force multiplication attack will inspire many other threat actors around the world to identify similar ecosystems and exploit them,” Hijazi told Cybernews.

Through the eyes of criminals, it’s hard not to see the campaign as a wild success. JP Castellanos, director of threat intelligence for Binary Defense, says that, given the average ransom payout is over $250,000 and over 200 organizations have been impacted so far, “if only 10% of those affected paid the ransom, it’s possible that the group has generated several million dollars already.”

Meanwhile, the gang’s dark web blog, a place to showcase its latest victims, is updated almost daily with the names of globally famous brands. Shell Global, TomTom, Pioneer Electronics, Shutterfly, ING Bank, Sony, Siemens Energy, and many others have been listed, with many more likely to come.

The ever-growing victim list shows how severe a supply chain attack can become, according to Tyler Hudak, incident response practice lead at TrustedSec.


“I predict we will see more wide-scale data breach extortion attacks in the future that will replicate key elements of the current campaign,” Hudak said.

Some of Cl0p's victims. Image by Cybernews.

Playing the slow game

It’s been nearly six weeks since Cl0p began listing affected organizations, and the gang is in no rush to end the campaign. Hudak thinks that the crooks might be playing for time to prepare a second wave of extortion campaigns.

So far, the main focus has been on organizations that used MOVEit Transfer servers to store their own data. However, many companies also used these servers to store their clients’ data.

“It’s not outside the realm of possibility that Cl0p will start aggregating the stolen data and contacting all those secondary victims to request payment,” Hudak said.

Interestingly, the way Cl0p conducted the recent campaign indicates a shift in attack patterns. While the gang is known for ransomware campaigns, where the main goal is to demand payment for decrypting data, the MOVEit attacks resemble the actions of a data breach dealer.

Hijazi fears that Cl0p and other cybercriminal groups will start coupling supply chain attacks with AI tools to increase the scale even further. Gangs like Armageddon have already begun using automation to exfiltrate data mere minutes after the initial compromise, with the decision on whom to target likely made by an AI tool.


Toying with victims


Cl0p’s conduct has raised some eyebrows, with victim organizations appearing and quickly disappearing from its dark web blog. While this could mean a victim paid the ransom, Hijazi thinks the crooks could be listing and delisting victims to advertise them to other criminal groups.

“The most obvious reason is that Cl0p is selling exclusive rights to other criminal groups for a specific victim. […] Even if companies pay the ransom, there is still a strong chance that their information will be sold to other criminal groups – or retained by the original extortionists for future usage,” Hijazi explained.

The gang could also simply try to push the victim into paying. According to Hudak, by posting the organization’s name, criminals show the victim that they’re willing to publicly humiliate them if they don’t start negotiating a ransom.

The move could also be a cruel joke from an arrogant criminal group. Castellanos’ team has been observing Cl0p’s conversations in underground forums, finding it difficult to deduce what motivates gang members to behave one way or another.

“It’s important to keep in mind that ransomware groups are criminals who often enjoy tormenting their victims. They also find “humor” in causing panic and chaos within cyberspace. Therefore, the reason behind this behavior could be a very simple one – they are doing it for the LOLZ,” Castellanos told Cybernews.

What is Cl0p?

The Russia-linked gang goes by a few different names. People in the cyber industry know the syndicate as TA505, Lace Tempest, Dungeon Spider, and FIN11. The reason behind the many names is simple – the gang is quite old. It was first observed in 2019.

Like many other established players, Cl0p typically operates under the Ransomware-as-a-Service (RaaS) model, which means it rents the software to affiliates for a pre-agreed cut of the ransom payment.

In 2021, Ukrainian law enforcement dealt the gang a major blow, leading to several arrests and the dismantling of the gang’s server infrastructure. The arrests eventually forced it to shut down operations from November 2021 to February 2022. However, the gang has been steadily recovering since then.

Exclusive information, vetted by Cybernews, indicates that at least some of Cl0p’s affiliates might be residing in Kramatorsk, a Ukrainian city in the country’s embattled east. US officials are offering a $10 million bounty on the Cl0p gang.
