Cl0p dumps all MOVEit victim data on clearnet, threat insiders talk ransom strategy
In what could be seen as a bold move or a sign of desperation, the Cl0p ransomware group has made good on its August 15th promise to publish the files of all its victims if contact was not made by the latest deadline. Does this mean the MOVEit fiasco is finally winding down? Cybernews gets the 411 on Cl0p strategy from two threat intel leaders during Black Hat.
Unless you’ve been living under a rock or are new to the world of IT security, this past May, the Cl0p ransom gang was able to infiltrate and steal sensitive data from hundreds of companies worldwide – for the second time this year – with its zero-day exploit of the commonly used MOVEit file transfer system.
In a ransomware saga that spanned most of the summer, the Cl0p gang has been slowly leaking the names of its corporate victims, threatening to and often then publishing bits and pieces of the stolen files, seemingly without rhyme or reason.
It’s been a steady stream of major names from all industry sectors, including Shell Global, PWC, Deutsche Bank, TD Ameritrade, Johns Hopkins University, Shutterfly, Radisson Hotels, Honeywell, and Siemens Energy, to name just a few.
Some companies have gone public, announcing their victimhood right away, while others have stayed mum, leaving us in the media wondering which organizations may be quietly negotiating with the ransom group and paying undisclosed sums in exchange for their compromised data.
With this latest Cl0p dump, it looks like that mystery is finally coming to a head.
Follow along as Cybernews breaks down the gang’s latest moves, past and present, with Flashpoint’s President and VP of Intelligence, Donald Saelinger and Steven Weinstein, whom we met with at this year’s Black Hat.
Las Vegas or bust, Cl0p throws all in
Ironically, the day I met Saelinger and Weinstein in the final moments of the Black Hat convention to talk about Cl0p, was the same day the ransom gang announced the new August 15th deadline on its dark leak site.
Was it also ironic to think the ransom group would purposefully announce its latest extortion tactic knowing that thousands of the industry's top gurus would all happen to be in the same city, attending the biggest and most well-known corporate cybersecurity event of the year?
Weinstein doesn’t think so, he believes Cl0p, like every entity, is just trying “to stir up any sort of buzz. They're building their brand and the more notoriety they get, the higher the risk is.”
The VP also speculates the hard deadline was most likely a last-ditch effort by the gang to “get any other additional information out or extortion payments from the last holdout of victims, before maybe starting to coast back into standard [Cl0p] business.”
The notorious threat actors have repeatedly shifted strategies since presenting its first threat deadline to victims on June 14th.
Still, Cl0p waited a full 24 hours to make good on that threat, publishing the data of its first victim, Shell Global – who had been already compromised in another Cl0p zero-day exploit this past spring – the next day.
The March attack (on the comparable Fortra GoAnywhere file management system) compromised roughly 130 organizations, less than one-quarter of the number of MOVEit victims identified so far.
Those shifts in tactics, as noted by Weinstein, included first releasing the names of its victims on a daily basis, then switching to releasing a couple at a time, and then waiting a week to drop 50 or 60 new victims all at once.
"Each of those times when there's been a week in between, or they change something, we're like, okay, maybe this shift in TTPs (tactics, techniques, and procedures) signifies we're getting towards the end," Weinstein explained.
But, he added, “It's been wishful thinking.”
The latest Cl0p missive from the self-proclaimed “reasonable operators” was posted on its home page that morning:
“Now we post many company name and proof we have their secrets and data. Some company do not speed to us and decide to stay quiet,” the post began.
“We are very reasonable operators and when right situation we offer deep discount to block you data from being sold and publish. Advice you to contact us and begin discussion on how to block publicate of data.”
“On 15 August we start publishing of every company on list that do not contact. You data is going to publishing on clearweb and Tor and for large company we also create clearweb URL to help google index you data.”
“Also all data go on torrent and speed of download is very quick. YOU NOT HIDING MORE,” the post ended.
Cl0p's lesson in customer service
Part of Cl0p’s most successful strategy came about on July 19th when the gang decided to move its published victim files to the clear web via direct links that could be downloaded on the ‘semi-legal’ Torrent file sharing platform.
Pricewaterhouse Coopers (PWC) was the first victim to get its own personalized clear web link after apparent negotiation breakdowns, which must have yielded positive results, as Cl0p now has made Torrent links for all the victim organizations it stole large caches from.
According to the Flashpoint president, Cl0p’s technical limitations seemed to be negatively impacting the gang’s ability to actually deliver on its threats successfully.
“The extortion economy only really works if you can deliver on the extortion threat,” Saelinger said.
Noting that the group is no longer even bothering to encrypt its files and going straight for the payout jugular, so to speak, Weinstein said the creation of the Torrent magnet links was really just to make the data downloads faster.
“Clearly, they're trying to put a little bit more muscle behind their threats, given the instability of their Onion infrastructure. There have been significant challenges associated with actually downloading incomplete files, and I think that inherently lowers a little bit of the risk for the victims,“ Weinstein said.
“We're a fairly sophisticated threat intelligence company, and it's a challenge for us to download these things, extract the data, and then search through them, just because it's all unstructured data,” Weinstein continued.
Before Cl0p began creating the Torrent links, the gang would “goal post a list of a hundred different parts” for each victim.
“To extract it all, these are multi-part ZIP files that they are splitting into a hundred different pieces. And, you have to combine them all back together. And that means you have to have every single piece of those 100 parts downloaded; otherwise, it won't extract properly,” Weinstein said.
The regularly documented outages on Cl0p’s Onion infrastructure – exacerbated by the heavy uptick in visitors to the site – most likely contributed to Cl0p moving over to the clearnet, Weinstein believes, even if to provide better download speeds.
"The magnet links for the Torrents and faster speeds make it easier to download in bulk. The data is split into smaller chunks that hold up against the instability of the infrastructure," the VP explained.
Essentially, creating faster download speeds, increases the threat to the organization.
“You know Cl0p prides themselves on customer service, they’ll make it way faster and easy for you,” Weinstein said wryly.
Other strategic ransomware tidbits
When it comes to Cl0p’s signature double extortion strategy (encrypt first, then threaten to publish) and the nature of the ongoing, larger, MOVEit-related attack, the group may simply be "overwhelmed with the number of victims that they have," Saelinger said.
“How quickly can they make money out of those victims, it's just one less step in the process. It'll be interesting to see if they go back to the point where they are encrypting,” he said.
"We don't have a crystal ball, but one option is that Cl0p goes back to a more traditional ransomware approach, and we'll also be monitoring to see if other ransomware groups move towards this," Saelinger noted.
While Cl0p seems okay with stringing victims along, "they want to make as much money as they can. That's really what's driving this extortion, the economy,” Weinstein said.
The two also believe there is something unique about the nature of MOVEit as software when compared to other types of software.
Particularly, Saelinger said, because there seems to be a disproportionate number of professional services firms that were impacted.
“And, that speaks specifically to the supply chain risk that comes with vulnerabilities in certain types of data, storage, intensive software,” Saelinger explained.
“It's one of the many reminders we’ve had in the last few years that first party risk is a significant problem, and then in second and third party supply chain risk, where companies are really close,” he continued.
The Flashpoint President said ransomware gangs “continue to go after these potential, big fish players in the supply chain of these large organizations. Find one new vulnerability and hit a large swath of victims.”
The two say software, like 'MOVEit Transfer,' is often used by professional services type companies or financial organization, making it easy to be leveraged by these gangs.
“It’s a file transfer software so it natively it has access to files that were intended to be shared in a sensitive manner. That was really a jackpot," Weinstein said.
The end or the beginning?
According to the intel insiders, the million dollar ransom question on most security professionals mind is, "When is this all going to end?"
“When do we see Cl0p make a shift back to whatever normal order of business actually looks like for them, and how do we denote that something has changed?” Weinstein poses the question.
To make an assessment on historical data is difficult, Weinstein said, given there have been volumes of victims being reported over consistent given periods of time.
“This is obviously not Cl0p’s first rodeo, they've been doing this for quite some time. On their leak site, it's not like they're labeling this victims, it's quite a challenging,” he said.
Meantime, the two Flashpoint exec’s say they’ve been supporting a large volume of customers concerned about their exposure.
“They are keenly aware of the number of victims, and I think the broad scope of impact of the MOVEit vulnerability gives such a heightened sense of attention and focus from all our customers,” they said.
“Everybody's really kind of wondering where's the light at the end of the tunnel, and unfortunately we don't really have particularly a good answer for that.”
More from Cybernews:
Subscribe to our newsletter