Cl0p announces rules for extortion negotiation after MOVEit hack

The Cl0p cyber extortion crew says that the many organizations whose data they have pilfered by exploiting a vulnerability in the MOVEit Transfer solution have until June 14 to get in contact with them – or they will post their name on their dedicated leak page.

cl0p extortion MOVEit

They are also threatening that, if the payment negotiation falls through and the organization doesn’t pay up, they will publish all of the stolen data after seven days.

Confirmed victims

As we previously reported, Zellis, British Airways, the BBC, Aer Lingus and Boots have confirmed to be among the victim organizations.

Soon after, the Nova Scotia (Canada) province shared that “the personal information of many employees of Nova Scotia Health, the IWK Health Centre and the public service has been stolen in the MOVEit global cybersecurity breach.”

Cl0p claims that government and police agencies and cities don’t have to worry about their data being leaked because they have erased it, but only time will tell if that’s true or not.

Exposed MOVEit Transfer instances

It’s likely that, in time, other ransomware/extortion gangs will start using the exploit, either after recreating it themselves or buying it from someone who has done it.

“Over the last week, Censys has observed a drop in the number of hosts running exposed MOVEit Transfer instances from over 3k to just over 2.6k, indicating that some are potentially being taken offline,” the company, which runs a web-based search platform for discovering Internet connected devices, said on Wednesday.

“Several of these hosts are associated with high-profile organizations, including multiple Fortune 500 companies and both state and federal government agencies. The finance, technology, and healthcare industries are the primary sectors in which Censys has observed significant numbers of exposures.”

Affected organizations range from small businesses to enterprises.

Security advisories offer helpful info

In the meantime, the US CISA and FBI released a joint advisory covering CL0P’s latest attacks, as well as previous ones in which they exploited zero-days in Accellion File Transfer Appliance (FTA) devices (in 2020-2021) and the GoAnywhere MFT platform (in early 2023).

The advisory outlines the malicious tools and tactics used by the group, and contains indicators of compromise and detection rules organizations can use to check whether they have been compromised in these attacks and to clean affected systems, remove unwanted admin accounts, etc.

Huntress researchers have recreated and demonstrated the attack chain exploiting MOVEit Transfer software.

Progress Software, the company that develops and sells MOVEit Transfer and offers it as a cloud-based service, is contantly updating and revising its own security advisory to reflect new discoveries related to the attacks.

Patches/security updates for supported software versions have been released within 48 hours of Progress discovering the vulnerability and they have been validated by a third-party forensics company.

Don't miss