
Russian Cybercrime Gang Issues Ultimatum to Global Hack Victims


A highly active cybercrime gang believed to be operating from Russia has recently delivered an ultimatum to victims affected by a widespread hack targeting organizations worldwide.

Known as the Clop group, the criminals posted a notice on the dark web, warning victims of the MOVEit hack to contact them via email before June 14. Failure to comply would result in the public release of stolen data.

Numerous major organizations, including British Airways and Boots, have alerted their employees that payroll information may have been compromised.

Authorities are strongly advising affected employers not to give in to the hackers’ ransom demands.

Earlier cybersecurity research indicated that Clop might be responsible for the recent attack, which was first disclosed last week.

The perpetrators exploited vulnerabilities in the popular business software MOVEit to gain unauthorized access, enabling them to infiltrate the databases of potentially hundreds of other companies.

Microsoft analysts have attributed the breach to the Clop group based on the techniques employed in the attack, and this has now been confirmed in a lengthy blog post written in broken English.

The blog post, obtained by the BBC, includes the following message: “This announcement aims to inform companies using the Progress MOVEit product that there is a possibility we have acquired a significant amount of your data through an extraordinary exploit.”

The post urges affected organizations to initiate negotiations by contacting the gang via their darknet portal.

Interestingly, Clop’s demand for contact from victims is an uncommon tactic since hackers typically email ransom demands directly. This departure from the norm may be due to the scale of the ongoing hack, which Clop is struggling to manage.

MOVEit, provided by US-based Progress Software, is widely used by businesses to securely transfer files within their systems. One of its users, Zellis, a payroll services provider based in the UK, confirmed that eight organizations have had data stolen, including personal details such as home addresses, national insurance numbers, and in some cases, bank information.

The following organizations have acknowledged the potential theft of their data thus far:

British Airways
Aer Lingus
Nova Scotia Government
The University of Rochester

Experts are advising individuals not to panic and urging organizations to implement security checks recommended by authorities such as the US Cybersecurity and Infrastructure Security Agency.

Clop asserts on its leak site that it has deleted any data obtained from government, municipal, or police services, stating, “Do not worry, we erased your data. You do not need to contact us. We have no interest in exposing such information.”

However, researchers caution against trusting the criminals, noting that Clop’s claim to have deleted data related to public sector organizations should be viewed skeptically. If the stolen information holds monetary value or can be utilized for phishing attempts, it is unlikely that the data has truly been disposed of.

Cybersecurity experts have been closely monitoring Clop’s activities, primarily conducted on Russian-speaking forums, reinforcing suspicions that the group is based in Russia. The country has long faced allegations of harboring ransomware gangs, though it denies such claims.

Operating as a “ransomware as a service” organization, Clop offers its hacking tools for rent, allowing attackers to carry out their activities from anywhere.

In 2021, alleged members of Clop were apprehended in Ukraine through a joint operation involving Ukrainian, US, and South Korean authorities. At the time, it was believed that the group, responsible for extorting $500 million from victims worldwide, had been dismantled. However, Clop has proved to be a persistent and ongoing threat.
