The Cl0p ransomware gang is offering more than 3TB of sensitive data for sale – allegedly stolen from TD Ameritrade and Ernst & Young in the MOVEit zero-day attacks – as retaliation for what it calls the companies' lack of negotiation skills. PricewaterhouseCoopers was also slammed by the gang after it was assigned its very own leak URL containing all of PWC's published files.
Cl0p has been taunting its MOVEit victims since June 14th, threatening to publish data claimed to be stolen in the hacks if victim companies refuse to negotiate and pay its requested ransom demand.
The ransom group has been slowly posting the names of its victims in batches on its dark leak site – over 180 to date.
Electronic trading and investment platform TD Ameritrade and ‘Big Four’ accounting firm Ernst & Young (EY) were no exceptions.
Yet, the two financial services firms, especially TD Ameritrade, seem to have been singled out by the gang, possibly in an attempt to make them an example of ransom negotiations gone wrong.
Ryan McConechy, CTO at cybersecurity service provider Barrier Networks, pointed out that ransomware victims are often in a no-win situation.
“This is a worrying update for Ernst & Young and TD Ameritrade and clearly a situation both companies wanted to avoid. However, the incident does show that when it comes to negotiating with ransomware criminals, there is no winning,” McConechy said.
“You are completely at their mercy and unless you do exactly as they request, they will act ruthlessly and try to shame you publicly,” he explained.
Negotiation fail
TD Ameritrade, a subsidiary of the American Charles Schwab investment and banking firm, was listed on Cl0p’s dark leak site on July 12th.
Charles Schwab spokesperson Tatiana Stead forwarded an earlier statement to Cybernews confirming limited impact from the MOVEit breach.
“TD Ameritrade, Inc ("Ameritrade") had limited use of the MOVEit Transfer tool,” the Charles Schwab Corporation said.
“We have taken immediate action by containing the threat and halting any use of MOVEit Transfer. We have also alerted and are working with law enforcement. The incident did not impact Ameritrade or Schwab's business operations or other systems,” it continued.
“The incident affected some client data. However, we believe less than 0.5% of clients may have been affected. We continue to actively investigate the incident in close consultation with independent forensic experts,” the company had stated on July 7th.
Many MOVEit victims, under advice from law enforcement and insurance companies, have chosen not to engage with the Russian-affiliated ransom group, as experts say that making a deal with any hackers can leave the door wide open for future extortion. Plus, there are no guarantees that a negotiated deal would be honored by the cybercriminals anyway.
Apparently, TD Ameritrade didn't get the memo. It instead tried to reach out to Cl0p as per the leak site’s instructions, and the company's negotiation tactics seemingly annoyed the gang.
McConechy said that even though avoiding negotiations may be the right thing to do legally, the scale of a data loss can sometimes leave a business in a powerless position with no other choice.
“Clearly in this case the high volume of data loss for both businesses was enough to force them to try to negotiate with the criminals, but this unfortunately doesn’t seem to have been effective,” McConechy said.
Cl0p, meanwhile, claimed to have stolen a total of 262GB of data from TD Ameritrade, plus archives. Obviously unhappy with how negotiations had stalled, Cl0p abruptly decided to put an end to the exchange.
“TD AMERITRADE WILL BE PUBLISHED ON MONDAY 260GB COMPRESSED. TD AMERITRADE STALL NEGOTIATION WITH LOW OFFER. GOOD EFFORT BUT ALL GOOD STORY COME TO END.TD AMERITRADE OUR RULE NOT PLAYTHING,” the gang posted on the Cl0p leak site’s home page on Friday.
TD Ameritrade mocked by Cl0p
Days earlier, Cl0p had warned TD Ameritrade of premature publication if the company did not pick up the pace of negotiations.
The gang called out the “bad negotiators” in a scathing message posted directly on TD Ameritrade’s individual leak page (which all victim companies have).
“Big donkey kong of a company say to negotiating democratic babies to waste time,” the post began.
“They offer $4,000,000 to solve and slowly give 500,000 every two day. We see this many time before and we are more enough rich to send them to diaper table and stop waste of us time,” it continued.
“This is example of what happen with combination of stupid negotiator who think jokes is good in situation,” Cl0p said.
After a few more insults, the gang then posted examples of its idea of negotiating humor, possibly implying that the jokes were representative of TD Ameritrade’s negotiating tactics.
"Example of negotiator joke:
- We do not understand what happened, can you tell us?
- Our committee is too busy over the weekend and we will be back on Monday
- 500,000 is a lot of money for this useless data
- The data is old and we have already notified everyone on advice of our lawyers
- We can't afford so much due to our insurance
- Our lawyers said that there are no guarantees even if payment has been made."
Cl0p ended its tirade with this grammatically incorrect post, "CLOP provide sure guarantee, pay and your data is gone such as bad dream in morning. Choice to pay not and we guarantee you will publish with data. Choice wisely [sic]."
As promised, Cl0p published samples of the TD Ameritrade data on its dark website.
The leaked data contains what appears to be full investment account information, such as detailed stock investment portfolios, which bear the account holder's name and the actual account number.
Samples of retirement plans, investment revenue schedules, signatory documents for authorization, and third-party fees were also posted by the gang. The alleged samples also included documents showing TD Ameritrade employees' sensitive information, with full names, gender, birthday, home address, email, and hire dates.
Cl0p claims massive 3TB cache
For its part, Ernst & Young was named by Cl0p along with fellow Big Four accounting firm PricewaterhouseCoopers (PWC) on June 23rd.
In a statement confirming the breach to Cybernews, EY had, like TD Ameritrade, stated that limited data had been affected in the MOVEit attacks.
“We have verified that the vast majority of systems which use this transfer service across our global organization were not compromised,” EY said at the time.
The London-based accounting firm, which became aware of the hack on May 31st, said it was “manually and thoroughly investigating systems where data may have been accessed.”
At first, Cl0p had claimed to hold only 3GB of stolen EY data, but eventually those gigabytes turned into terabytes. There is quite a difference between 3GB and 3TB.
Last week, the gang advertised the vast trove for sale to the highest bidder on its home page, while also threatening to publish the data on Monday.
“EY.COM EY.COM EY.COM READ NEWS HERE. EY.COM,” Cl0p posted.
“WILL BE PUBLISHED ON MONDAY 3TB DATA. EY.COM WHO IS INTERESTED IN BUYING THIS AND ANY OTHER COMPANY INSIDE IN ONE HAND - WRITE TO US AT EMAIL! EY.COM MANY COMPANY INSIDE!!,” it said.
True to its word, Cl0p published alleged samples of the EY data on Monday. The sample, labeled Part1, contained 47 separate download files, numbered 1 through 47.
“This is a small piece of information from 3TB,” Clop said.
The group then claimed to have a variety of different documents, including “various financial reports and accounting documents in the client folders. Passport scan, Visa scan. Risk and asset management documents. Contracts and agreements. Credit agreements. Audit reports. Account balances.”
Along with the samples, Cl0p also listed a total of 62 EY client companies, the majority of them located in Canada, including Air Canada, Constellation Software, Laurentian Bank, Scotiatrust, Staples Canada, Sun Life, TD Bank, United Parcel Service (UPS) Canada, and the University of Toronto.
Cl0p has also been publishing small batches of PWC files on its leak site over the past two weeks. As of last week, the group had just published PWC PART10 and PART11.
PWC, which was named in the same batch of victims with EY, was listed as having 121GB of data plus archives compromised in the attack.
Since this report was published, Cl0p, in a new move mimicking tactics used by the BlackCat gang, has created a completely separate URL linking directly to the entire trove of stolen PWC data files.
Cl0p and the MOVEit hacks
Cl0p is the Russian-linked ransom group claiming responsibility for exploiting a SQL injection flaw in the MOVEit Transfer file transfer software, which has impacted thousands of companies worldwide.
The MOVEit zero-day vulnerability allowed the gang to access and extract certain information and files from its victims’ database servers.
Security experts anticipate there are over 230 victims of the MOVEit hack, and possibly more, since the fallout from third-party vendors using the file transfer software can affect any company contracted with those vendors.
Shell Global was the first victim to be named out of the over 150 companies now listed on Cl0p’s leak site.
More recently named victims include American Airlines, TJX off-price department stores, TomTom, Pioneer Electronics, Autozone, and Johns Hopkins University and Health System.
Other big-brand victims include Shutterfly, Warner Bros Discovery, AMC Theatres, Honeywell, Choice Hotels’ Radisson Americas chain, and the accounting advisory firm Crowe.
Last week, Cybernews was able to confirm ING Bank, as well as three other major European banks – Deutsche Bank, Postbank, and Comdirect – were also impacted by the attacks through a common third-party vendor, Majorel.
Earlier MOVEit victims from June included Sony, Siemens Energy, the NYC Department of Education, and several US government agencies, including the Department of Energy and Health.
New evidence, exclusive to Cybernews, indicates that the pro-Russian gang is still operating in secret within Ukrainian borders.
US officials are offering a $10 million bounty on the Cl0p gang.
To combat the risk of attack, McConechy advises that organizations should “take the average ransomware sum likely to be demanded from them in the event of a compromise – then use that figure as their budget for investing in adequate defensive tooling.”