Businesses Exposed in MOVEit Data Breach Targeted by Ransom Demand
The notorious cyber crime syndicate known as the Clop group, believed to be stationed in Russia, has sent an ominous warning to victims of a recent global cyber attack. In a message posted on the dark web, the group has urged those impacted by the MOVEit hack to contact them before the 14th of June; failure to do so could result in masses of stolen data being released to the public.
Companies have been advised against paying the ransom, should the hackers make such a demand. Prior research into the initial attack implicated Clop as the potential perpetrators, a suspicion that has since been confirmed in a recent blog post from the group that was riddled with broken English. Clop managed to penetrate MOVEit, a popular piece of business software, enabling the group to access the databases of potentially hundreds of companies.
The blog post, which was viewed by the BBC, contained the following message: “This is announcement to educate companies who use Progress MOVEit product that chance is that we download a lot of your data as part of exceptional exploit.” The post further implored the victim organisations to initiate a negotiation by emailing the group via their dark web portal. This is an unusual approach, as hackers typically send ransom demands directly to the victim organisations, whereas in this case, the victims are being requested to initiate contact.
This deviation from the norm could be attributed to Clop being unable to cope with the sheer scale of the ongoing hack, which continues to reverberate across the globe. MOVEit, provided by the US-based Progress Software, facilitates secure file transfers across company systems and is employed by numerous businesses. One of its users, Zellis, a UK-based payroll services provider (see our news article), has confirmed that data from eight organisations has been stolen as a result of the hack. Among the stolen information are home addresses, national insurance numbers, and, in some instances, bank details. Currently, the BBC, British Airways, Aer Lingus, Boots, the Nova Scotia Government, and The University of Rochester have all reported potential data theft.
Experts have advised individuals to remain calm and companies to execute security checks as instructed by authorities like the US Cyber Security and Infrastructure Authority and the UK National Cyber Crime Centre. Despite Clop’s claim of erasing any data relating to government, city, or police services, researchers are sceptical and believe the criminals cannot be trusted. “Clop’s claim to have deleted information relating to public sector organisations should be taken with a pinch of salt. If the information has monetary value or could be used for phishing, it’s unlikely that they will simply have disposed of it,” says Brett Callow, threat researcher from Emsisoft. Clop has been on the radar of cyber security experts for some time, largely due to its suspected Russian origins and activity on Russian-speaking forums.
Although Russia has consistently refuted allegations of providing a safe haven for ransomware gangs, Clop operates as a “ransomware as a service” group, allowing hackers worldwide to rent their tools to execute attacks. In 2021, an operation conducted jointly by Ukraine, the US, and South Korea led to the arrest of alleged Clop hackers. The authorities claimed to have dismantled the group, which was purportedly responsible for extorting $500m globally. Despite these actions, Clop remains a persistent and tangible threat.