Clop gang ultimatum to MOVEit hack victims: email before 14 June or data leaked
A cybercrime gang believed to be operating from Russia has issued a deadline to victims of a global hacking attack, warning that stolen data will be published if they fail to contact the group by June 14. The Clop group posted the notice on the dark web, targeting organisations affected by the MOVEit hack. Over 100,000 employees at the BBC, British Airways, and Boots have been informed that their payroll data might have been compromised. Companies are being advised not to pay any ransom if demanded by the hackers.
Clop was initially suspected to be behind the hack, which was announced last week. The criminals managed to infiltrate the popular business software MOVEit and subsequently gained access to databases of potentially hundreds of other firms. Microsoft analysts confirmed on Monday that Clop was responsible, based on the techniques used in the attack. The group has now claimed responsibility in a blog post written in broken English.
The post, viewed by the BBC, reads: “This is announcement to educate companies who use Progress MOVEit product that chance is that we download a lot of your data as part of exceptional exploit.” The message instructs victim organisations to email the gang to begin negotiations on its darknet portal. This unusual approach could be due to the large scale of the hack, which is still being processed globally.
Progress Software, a US company, supplies MOVEit to numerous businesses for secure file transfers within company systems. UK-based payroll services provider Zellis was one of its users. Zellis confirmed that data from eight organisations, including home addresses, national insurance numbers, and in some cases, bank details, had been stolen.
Experts advise individuals not to panic and recommend that organisations follow security guidelines issued by authorities such as the US Cyber Security and Infrastructure Authority.
On its leak site, Clop claims to have deleted data from government, city, or police services, stating, “Do not worry, we erased your data you do not need to contact us. We have no interest to expose such information.” However, researchers caution against trusting the criminals. Brett Callow, a threat researcher from Emsisoft, said, “If the information has monetary value or could be used for phishing, it’s unlikely that they will simply have disposed of it.”
Clop, thought to be based in Russia, has long been monitored by cybersecurity experts. Russia has been accused of providing a safe haven for ransomware gangs, a claim it denies. Clop operates as a “ransomware as a service” group, allowing hackers to rent their tools for attacks from any location. In 2021, alleged Clop hackers were arrested in Ukraine in a joint operation with the US and South Korea. Authorities claimed to have dismantled the group, which they said had extorted US$500 million from victims worldwide. However, Clop remains an ongoing threat.