Clop names PWC, Ernst & Young, and Sony in MOVEit hack


The Cl0p ransom gang has released the names of four new victims in the MOVEit hacking spree – including multi-media conglomerate Sony, and two major accounting firms, PricewaterhouseCoopers (PWC) and Ernst & Young (EY).

The companies were revealed on Cl0p’s darkweb leak site Thursday afternoon – the last four names in a growing list of MOVEit victims released by the gang, now totaling 49.

The Pennsylvania policy lifecycle management provider, Andesa Services, rounded out Thursday's victim list.

ADVERTISEMENT

If true, it’s a big get for the Russian-linked ransomware gang, as PWC and Ernst & Young are two of the world’s ‘Big Four’ accounting firms, responsible for auditing more than 80% of all US companies, according to industry experts.

“On 31 May software company Progress confirmed their MOVEit file transfer product contained a critical vulnerability. We immediately launched an investigation into our use of the tool and took urgent steps to safeguard any data,” Ernst & Young said in a statement sent to Cybernews.

“We have verified that the vast majority of systems which use this transfer service across our global organization were not compromised,” EY said.

The London-based accounting firm said it is now “manually and thoroughly investigating systems where data may have been accessed.”

“Our priority is to communicate to those impacted, as well as the relevant authorities and our investigation is ongoing,” EY said.

PWC, Ernst & Young, Sony, Cl0p victims
Cl0p leak site

Also headquarterd in London, PWC is considered the second largest accounting firm in the world, followed by EY, sandwiched in between top performers Deloitte and KPMG International.

Cl0p is now claiming to have stolen more than 121GB of information from PWC, as well as company archives.

ADVERTISEMENT

Ernst & Young is alleged to have had only 3GB of data plus archives stolen by the gang.

“The company doesn't care about its customers, it ignored their security!!!.," Cl0p posted on each of the company's individual leak pages.

So far, Cl0p has not posted any details about stolen data possibly exfiltrated from Sony or Andesa.

PWC data published Cl0p
Cl0p leak site

Victims continue to be named

Cl0p – who is said to have exploited the MOVEit zero-day bug via SQL database injection – threatened to release the names of its victims, and publish their stolen data, if they did not fork over a ransom demand by June 14th.

Cl0p has posted specific details on its darknet site instructing its victims how to proceed to get their data back and avoid public embarrassment.

The next day, Cl0p began to slowly leak the names of its victims – reported to be in the hundreds.

Other big names claimed in the MOVEit file transfer system: the BBC, Boston Globe, Norton LifeLock, Telos, and several US federal agencies, including the US Energy Department.

post by Cl0p
Cl0p leak site

Shell Global became one of the first victims to be identified and have its data published by the group as promised on June 15th.

Shell had confirmed to Cybernews some systems were minimally impacted in the MOVEit attack, also revealing to our team that Shell had “not engaged with the Cl0p gang" in any type of negotiations.

ADVERTISEMENT

It’s the second time the oil and gas giant has been impacted in a hack claimed by the ransom gang.

In March Shell fell victim to another Cl0p zero-day attack claiming at least 130 victims.

In that attack, the gang exploited a vulnerability in the comparable Fortra GoAnywhere file management system.

If Cl0p’s claim of hundreds of victims is true, the MOVEit attack could easily overshadow the fallout from the Go Anywhere breach.

Meantime, the Tokyo-headquartered Sony Group, including its electronics division, PlayStation, and Sony Entertainment, is also no stranger to cyberattacks.

In 2011, the hacktivist group Anonymous infamously breached Sony’s PlayStation network in a less complicated distributed denial-of-service (DDoS) attack.

The nearly month-long attack incapacitated the PlayStation network preventing players from accessing gaming services and compromising the personal accounts of over 77 million players.

It was one of the world’s first major cyberattacks to cripple a major cooperation, becoming a cautionary tale for cybersecurity professionals and students alike.

At the time of this report, besides Ernst & Young, none of the three other companies listed Thursday have confirmed they are part of the MOVEit attacks.

Cybernews has additionally reached out to PWC and SONY and is awaiting a response.

ADVERTISEMENT
EY Published Data
Cl0p leak site

Cl0p cyber sprees

Cl0p is a known ransomware syndicate with ties to Russia and has been around since 2019.

The syndicate is known in the cyber industry by many different names, such as TA505, Lace Tempest, Dungeon Spider, and FIN11.

The bad actors typically target organizations with a revenue of $5 million or higher, according to US officials.

The gang often employs the “double-extortion” method of stealing and encrypting victim data, refusing to restore access and publishing the exfiltrated data ion its data leak site if the ransom is not paid.

In a recent post addressed to victims, Cl0p boasted about being one the only hacker groups to offer pen testing after infiltrating a victims network.

“CLOP IS ONE OF TOP ORGANIZATION OFFER PENETRATION TESTING SERVICE AFTER THE FACT," the group said.

Cl0p is also considered one of the most used ransomware-as-a-service (RaaS) groups since hitting the cybercriminal market.

Six of the gang members were arrested by Ukrainian authorities in 2021 – but bucking expectations, the takedown had little impact on the gang, as Cl0p appears to be a strong as ever.

ADVERTISEMENT

Last week, the US government announced a $10 million reward for any information or the whereabouts of any of the Cl0p gang members.

.