Has the MOVEit hack paid off for Cl0p?

The number of known Cl0p victims resulting from its Memorial Day attack on vulnerable internet-facing MOVEit Transfer installations has surpassed 420, according to IT market research company KonBriefing Research.

The cyber extortion group has lately switched to setting up company-specific leak sites on the “surface web” (as opposed to the “dark web”, which is only reachable via specialized software), in the hopes of pushing big companies such as PwC and EY to pay the ransom. But will they?

A hack with many victims

Cl0p’s attack resulted in the cybercriminal group exfiltrating sensitive information from MOVEit Transfer installations run either by the victim organizations or third-party service providers.

“As an example, the National Student Clearinghouse, which was impacted by MOVEit, partners with more than 3,500 schools in the U.S. and each of those schools could potentially be impacted,” Emsisoft’s Zach Simas explained.

Payroll and HR solutions provider Zellis is another example: a number of its customers have been impacted.

“The upstream/downstream in many MOVEit incidents is extremely complex, with some organizations being impacted because they used a vendor which used a contractor which used a subcontractor which used MOVEit. Additionally, some organizations have had MOVEit exposure via multiple vendors,” Simas noted.

Data theft and cyber extortion

The Cl0p (aka FIN11) gang started operating in 2019 and previously used ransomware to encrypt enterprise victims’ data after exfiltrating it.

In this particular case, they concentrated on data exfiltration and extortion, likely because they assumed that the victim organizations have other copies of the exfiltrated data. This was a “smash and grab” operation that relied on a zero-day vulnerability and time was of the essence.

The group publicly announced rules for extortion negotiation after the MOVEit hack, but it is unknown how many organizations ended up paying the ransom so far.

Coveware researchers have recently noted that in Q2 2023, the percentage of data exfiltration attacks that resulted in the victim paying was 29%.

Cyber extortion attacks are less disruptive that ransomware attacks and the victim can never be sure that the stolen data is going to be deleted by the attackers.

That’s perhaps one of the reason why the CloP group considerably increased the average demand it made of victims.

“While the MOVEit campaign may end up impacting over 1,000 companies directly, and an order of magnitude more indirectly, a very very small percentage of victims bothered trying to negotiate, let alone contemplated paying,” the researchers noted, but added that “it is likely that the CloP group may earn $75-100 million dollars just from the MOVEit campaign, with that sum coming from just a small handful of victims that succumbed to very high ransom payments.”