The Clop ransomware gang has changed its tactics once again and is now using torrents to leak data stolen in the MOVEit attacks. The group exploited a zero-day vulnerability in the MOVEit Transfer secure file transfer platform to steal data from nearly 600 organizations worldwide. By May 27th, the gang had launched a wave of data-theft attacks that went unnoticed by the victims until June 14th.
Initially, the ransomware gang extorted its victims by releasing the stolen files on a Tor data leak site. This method proved slow and less damaging than the gang had hoped, because download speeds over Tor are poor. To work around this, they created clearweb sites to leak the stolen data, but those sites were easier to take down.
To address both problems, Clop has now started distributing the data stolen in the MOVEit attacks via torrents. Security researcher Dominic Alvieri discovered the new tactic and identified torrents for twenty victims, including Aon, K&L Gates, Putnam, Delaware Life, Zurich Brazil, and Heidelberg. Clop has set up a new Tor site with instructions on using torrent clients to download the leaked data, along with lists of magnet links for the twenty victims.
Torrents offer faster transfer speeds than Tor sites because the data is transferred peer-to-peer among the users downloading it. In tests conducted by BleepingComputer, transfer speeds reached 5.4 Mbps even when the data was seeded from only a single IP address in Russia. Because torrents are decentralized, they are also harder for law enforcement to shut down: even if the original seeder is taken offline, any other device holding the data can seed it.
If this new method proves successful for Clop, the gang is likely to keep using torrents for data leaks. The setup is simpler, requires no complex website, and allows broader distribution of the stolen data. Coveware estimates that Clop could earn $75 to $100 million in extortion payments, as the gang has convinced a small number of companies to pay large ransom demands. Whether the switch to torrents changes the number of victims who pay remains to be seen, but with earnings of that size it may not matter to the ransomware gang.