
Clop begins naming alleged MOVEit victims

Clop uploaded details of 12 new victims to its dark web leak site late on 14 June, many of them likely linked to the ongoing MOVEit cyber attack

As it had previously threatened, the Clop cyber crime cartel has started publicly naming victims who have resisted its extortion attempt, organisations it allegedly compromised via a SQL injection flaw in Progress Software’s MOVEit managed file transfer product.

Clop, which is believed to be based in Russia, told users of the MOVEit Transfer product last week that they had seven days to comply with its demands. This deadline passed yesterday (14 June), and true to its word, Clop began to add the details of new victims, up to a total of 12, to its dark web leak site at around 6pm UK time.

Among the first tranche of names are fuel giant Shell, the University of Georgia in the US, and investment fund Putnam. Also included are a number of US banks, and organisations in the Netherlands and Switzerland.

A Shell spokesperson confirmed that the organisation had been affected by the incident. “We are aware of a cyber security incident that has impacted a third-party tool from Progress called MOVEit Transfer, which is used by a small number of Shell employees and customers,” they said.

“There is no evidence of impact to Shell’s core IT systems. Our IT teams are investigating. We are not communicating with the hackers.”

Computer Weekly understands that unlike some other affected organisations, Shell was not affected via the systems of a third-party supplier or contractor.

Many more names to come

Not appearing on Clop's leak site – at the time of writing – are the names of several known MOVEit victims, including the BBC, Boots, British Airways, Ofcom and TfL.

However, it is important to note that due to the high number of victims it has likely compromised – more than 2,000 instances of MOVEit Transfer were exposed to the public internet last week, and this figure does not include compromised customers of the instance owners – Clop is likely staggering its release.

As such, the non-appearance of some high-profile names at this early stage is no indication that the victims have engaged with Clop or paid a ransom, and no such indication should be inferred.

Secureworks Counter Threat Unit threat research director Chris Yule said it would likely take the cyber criminals some time to work through the victims.

“It remains to be seen if there will be one dump or a drip feed, [but] the GoAnywhere victims were posted in batches over a period of 14 days,” said Yule.

“The first names Clop have posted included a number of US-based financial services companies. Whilst the upload has just begun, we anticipate that the balance of victims will likely be based in the US, as the majority of MOVEit servers on the internet were based there.”

Hüseyin Can Yuceel, a threat researcher at Picus Security, said that releasing the details of its victims more slowly could serve to pressure others into paying a ransom, and it was clear that Clop had not been bluffing in its threats.

What victims should do next

While no ransomware locker has been executed on any of the victim systems so far – this is consistent with Clop’s modus operandi in such situations – the playbook for how to deal with a data exfiltration and extortion incident is broadly similar to a situation where data encryption has taken place.

“Prevention is always the number one priority against ransomware attacks. [Afterwards] there is not much that can be done,” said Can Yuceel.

“Even if backups are in place, ransomware groups can release their victims' sensitive data and harm their reputation. Law enforcement agencies advise businesses not to pay ransoms because ransomware groups may not deliver the decryption key after the payment. There are also other risks with ransom payments.

“We have observed that organisations known to pay the ransom are much more likely to be targeted by the same or other ransomware groups in the future. Ransom payments can also perpetuate the ransomware threat and are used to fund other illegal activities.”

Can Yuceel warned that the UK’s growing roster of victims – which now also includes Adare SEC, a specialist customer comms services supplier for the financial and insurance sector with customers including Legal & General, AON and Allianz – should be particularly wary of engaging or paying a ransom due to strict financial regulations covering payments to Russian criminal organisations.

“The Office of Financial Sanctions Implementation considers ransom payments as a breach of financial sanctions, which is a serious criminal offence and can carry a custodial sentence and the imposition of a monetary penalty,” he said.

“Victims in the UK should therefore report the attack to the National Cyber Security Centre and request support for managing the cyber incident if needed.”
