6/6/23 update added below about new Clop extortion demands.

The Clop ransomware gang has told BleepingComputer they are behind the MOVEit Transfer data-theft attacks, where a zero-day vulnerability was exploited to breach servers belonging to "hundreds of companies" and steal data.

This confirms Microsoft's Sunday night attribution to the hacking group they track as 'Lace Tempest,' also known as TA505 and FIN11.

The Clop representative further confirmed that they started exploiting the vulnerability on May 27th, during the long US Memorial Day holiday, as previously disclosed by Mandiant.

Conducting attacks around holidays is a common tactic for the Clop ransomware operation, which has previously undertaken large-scale exploitation attacks during holidays when staff is at a minimum.

For example, they exploited a zero-day vulnerability in the Accellion FTA file-transfer appliance on December 23rd, 2020, to steal data right at the start of the Christmas holiday.

While Clop would not share the number of organizations breached in the MOVEit Transfer attacks, they said that victims would be displayed on their data leak site if a ransom was not paid.

Furthermore, the ransomware gang confirmed that they have not yet begun to extort victims, likely using the time to review the stolen data, determine what is valuable, and decide how it can be used to pressure breached companies into paying a ransom.

In the gang's recent GoAnywhere MFT attacks, Clop waited over a month to email ransom demands to organizations.

Finally, and unprompted, the ransomware gang told BleepingComputer that they had deleted any data stolen from governments, the military, and children's hospitals during these attacks.

"I want to tell you right away that the military, children's hospitals, GOV etc like this we no to attack, and their data was erased," Clop said in their email to BleepingComputer.

BleepingComputer has no way of confirming if these claims are accurate, and like any data-theft attack, all impacted organizations should treat it as if the data is at risk for abuse.

While Clop started as a ransomware operation, the group previously told BleepingComputer that they are moving away from encryption and prefer data-theft extortion instead.

First victims come forward

We also saw our first disclosures from organizations breached in Clop's MOVEit data-theft attacks.

UK payroll and HR solutions provider Zellis confirmed that it suffered a data breach due to these attacks, which also impacted some of its customers.

"A large number of companies around the world have been affected by a zero-day vulnerability in Progress Software's MOVEit Transfer product," Zellis told BleepingComputer in a statement.

"We can confirm that a small number of our customers have been impacted by this global issue and we are actively working to support them. All Zellis-owned software is unaffected and there are no associated incidents or compromises to any other part of our IT estate."

"Once we became aware of this incident we took immediate action, disconnecting the server that utilises MOVEit software and engaging an expert external security incident response team to assist with forensic analysis and ongoing monitoring. We have also notified the ICO, DPC, and the NCSC in both the UK and Ireland."

Aer Lingus confirmed to BleepingComputer that they suffered a breach through the Zellis MOVEit compromise.

"However, it has been confirmed that no financial or bank details relating to Aer Lingus current or former employees were compromised in this incident," reads a statement from Aer Lingus.

"It has also been confirmed that no phone contact details relating to Aer Lingus current or former employees were compromised."

As reported by The Record, British Airways has also confirmed the Zellis breach impacted them.

Unfortunately, as we have seen with previous Clop attacks on managed file transfer platforms, we will likely see a long stream of company disclosures as time goes on.

Update 6/6/23: The Clop ransomware gang claimed Tuesday night that they had stolen data from "hundreds of companies" and would begin publishing organizations' stolen data on June 14th if a ransom is not paid.

In the previous GoAnywhere and Accellion FTA attacks, the threat actors emailed their extortion demands to company executives.

[Image: Clop extortion email during the Accellion attacks]

For those affected by the MOVEit Transfer data-theft attacks, Clop is now taking a different approach by telling impacted organizations to contact them if they wish to negotiate a ransom.
