The ransomware gang that has extensively exploited a security vulnerability in the file transfer tool MOVEit to pilfer corporate data has told victims to reach out and initiate payment negotiations before 14 June or their data will be leaked publicly.
The Clop ransomware group recently exploited a MOVEit vulnerability to infiltrate computer networks worldwide and steal sensitive information, resulting in the potential extortion of numerous companies across the globe.
As reported by The Record, the Clop gang communicated its message through a data leak site, initially setting a deadline of 12th June. However, this deadline was subsequently extended to 14th June with no specific reason given for the delay.
In an extortion note written in poor English, organisations were informed that upon initial contact via email, they will be provided with a unique link to engage in real-time chat through the Tor network.
The Clop team is offering victims a sample of 10% of the data they claim to possess. As a means of verification, victims can request two to three random files for confirmation. However, if an agreement regarding payment amount is not reached within seven days, the attackers threaten to start publishing the compromised data.
Here’s Clop’s darknet post. I’ve been on the site and checked it myself. For some reason they changed the deadline date from 12th June to 14th June since this screenshot. In COMPLETELY UNRELATED news Russia has a public holiday on 12th June – Russia Day… 👀 pic.twitter.com/Epdi6aWpJW
— Joe Tidy (@joetidy) June 7, 2023
Interestingly, the Clop gang mentioned in their message that they have deleted data obtained from websites associated with governments, municipalities and police agencies, as they “have no interest in exposing such information.”
MOVEit Transfer, developed by Progress Software, is a managed file transfer (MFT) solution designed to facilitate secure file transfers between businesses, partners, and customers. It supports various protocols such as SFTP, SCP and HTTP-based uploads to ensure the safe exchange of files.
According to Rapid7, as of last week, they have identified approximately 2,500 instances of MOVEit Transfer that are publicly accessible on the internet. The majority of these instances belong to customers in the United States.
While the exact number of impacted companies may be higher, it has been reported that there were 128 instances of MOVEit Transfer exposed to the internet from the UK.
The breach of Zellis, a payroll services provider using the MOVEit tool, has been attributed to the compromise of multiple businesses in Britain and Ireland. Among the affected organisations are the BBC, British Airways, Boots and Aer Lingus.
The Canadian province of Nova Scotia has disclosed that its health authority and IWK Health Centre have also fallen victim to the security vulnerability associated with MOVEit.
On Sunday, Microsoft stated it believed that the group responsible for the hacks is “Lace Tempest,” the nickname attributed to the online extortionists operating the Clop ransomware site.
“Microsoft is attributing attacks exploiting the CVE-2023-34362 MOVEit Transfer 0-day vulnerability to Lace Tempest, known for ransomware operations & running the Clop extortion site,” Microsoft said.
In an email to Reuters on Monday, the Clop gang explicitly stated that “it was our attack”.
In response to the exploitation carried out by Clop, the FBI and CISA issued a joint advisory this week. The advisory includes indicators of compromise and suggested mitigations that organisations can employ to minimise the impact of intrusions and mitigate potential damage.
“Internet-facing MOVEit Transfer web applications were infected with a web shell named LEMURLOOT, which was then used to steal data from underlying MOVEit Transfer databases,” the US agencies explained.
The security flaw in MOVEit software is now officially identified as CVE-2023-34362.
Progress, the developer of the application, released a patch for the bug on Friday.