The cl0p ransomware gang is claiming a new set of victims from its hack of the MOVEit file transfer protocol, taking credit this week for having stolen data from the University of California, Los Angeles, Siemens Energy, Abbvie Inc and Schneider Electric, among others.
The total number of recent victims from the online extortion ring has reached 121 organisations, according to Brett Callow, a researcher at cybersecurity vendor Emsisoft which helps companies respond to digital shakedown attempts.
Callow said that at least 15 million people were affected.
Here’s what is known about cl0p and its recent rampage.
Who are the hackers?
Cl0p’s identity and location are not publicly known. But security researchers say the group is Russia-linked or Russian-speaking and its name could be a play on the Russian word for “bug.”
In 2021, Ukrainian authorities announced the arrests of six people tied to cl0p, but it’s not clear that they were core members of the group, which continued to hack victims.
Cl0p is a ransomware-as-a-service gang, meaning that it hires out its software and infrastructure for other cybercriminals in return for a cut of the proceeds.
The group helped pioneer the practice of double-extortion, where cybercriminals take files hostage by encrypting them – then threaten to leak them online unless a payment is made.
Japanese cybersecurity firm TrendMicro described cl0p as “a trendsetter for its ever-changing tactics.”
The hackers – who sometimes spell their name “CLOP” – didn’t immediately return an email seeking comment.
How did they rack up so many victims?
Cl0p was able to take advantage of a previously undiscovered flaw in a popular file transfer program – MOVEit Transfer – to steal data from a wide swathe of organisations, some of whom in turn were handling data belonging to yet more organisations.
Plundering file transfer protocols has become increasingly popular as hackers shift from encrypting data to simply stealing files and threatening to release them unless a ransom is paid.
If a victim doesn’t pay, cl0p posts their identity to its darknet site – a name-and-shame tactic that has been playing out over the past several weeks.
Who has been affected?
Publicly claimed victims include entertainment company Sony, major accounting firms EY and PWC, energy giant Shell and leading US pension fund Calpers.
Government departments – including the US Energy Department and the UK. telecom regulator – have also been hit.
Many of the organisations stress that the target of the hack is the file transfer service, not their systems.
But because their data is nonetheless stolen, it’s little comfort to citizens, employees, clients and business partners whose information has been compromised.
It was working from public disclosures that Brett Callow of Emsisoft came up with the figure of 15 million individuals affected.
But he said the true number was “likely much higher – and possibly much, much higher.”
What’s being done to stop them?
The wide-ranging and often indirect nature of the compromises has meant an avalanche of work for law enforcement and cybersecurity professionals.
“Everyone is overwhelmed,” said Charles Carmakal, the chief technology officer at Mandiant, which was recently acquired by Alphabet.
In a message to LinkedIn he said that even the hackers were struggling with the workload.
“The past few weeks have been intense,” he said.
The FBI said it was “aware of and investigating the recent exploitation of a MOVEit vulnerability by malicious ransomware actors.”
Earlier this month the US government announced a US$10 million reward for information linking cl0p – or any other hacking groups targeting American critical infrastructure – to foreign governments.