stokkete - stock.adobe.com
Clop begins naming alleged MOVEit victims
Clop uploaded details of 12 new victims to its dark web leak site late on 14 June, many of them likely linked to the ongoing MOVEit cyber attack
As it had previously threatened, the Clop cyber crime cartel has started publicly naming victims allegedly compromised via a SQL injection flaw in Progress Software’s MOVEit managed file transfer product, who have resisted its extortion attempt.
Clop, which is believed to be based in Russia, told users of the MOVEit Transfer product last week that they had seven days to comply with its demands. This deadline passed yesterday (14 June), and true to its word, Clop began to add the details of new victims, up to a total of 12, to its dark web leak site at around 6pm UK time.
Among the first tranche of names are fuel giant Shell, the University of Georgia in the US, and investment fund Putnam. Also included are a number of US banks, and organisations in the Netherlands and Switzerland.
A Shell spokesperson confirmed that the organisation had been affected by the incident. “We are aware of a cyber security incident that has impacted a third-party tool from Progress called MOVEit Transfer, which is used by a small number of Shell employees and customers,” they said.
“There is no evidence of impact to Shell’s core IT systems. Our IT teams are investigating. We are not communicating with the hackers.”
Computer Weekly understands that unlike some other affected organisations, Shell was not affected via the systems of a third-party supplier or contractor.
Many more names to come
Not appearing on Clop's leak site – at the time of writing – are the names of several known MOVEit victims, including the BBC, Boots, British Airways, Ofcom and TfL.
However, it is important to note that due to the high number of victims it has likely compromised – more than 2,000 instances of MOVEit Transfer were exposed to the public internet last week, and figure does not include compromised customers of the instance owners – Clop is likely staggering its release.
As such, the non-appearance of some high-profile names at this early stage is no indication that the victims have engaged with Clop or paid a ransom, and no such indication should be inferred.
Secureworks Counter Threat Unit threat research director Chris Yule said it would likely take the cyber criminals some time to work through the victims.
“It remains to be seen if there will be one dump or a drip feed, [but] the GoAnywhere victims were posted in batches over a period of 14 days,” said Yule.
“The first names Clop have posted included a number of US-based financial services companies. Whilst the upload has just begun, we anticipate that the balance of victims will likely be based in the US, as the majority of MOVEit servers on the internet were based there.”
Hüseyin Can Yuceel, a threat researcher at Picus Security, said that releasing the details of its victims more slowly could serve to pressure others into paying a ransom, and it was clear that Clop had not been bluffing in its threats.
What victims should do next
While no ransomware locker has been executed on any of the victim systems so far – this is consistent with Clop’s modus operandi in such situations – the playbook for how to deal with a data exfiltration and extortion incident is broadly similar to a situation where data encryption has taken place.
“Prevention is always the number one priority against ransomware attacks. [Afterwards] there is not much that can be done,” said Can Yuceel.
“Even if backups are in place, ransomware groups can release their victims' sensitive data and harm their reputation. Law enforcement agencies advise businesses not to pay ransoms because ransomware groups may not deliver the decryption key after the payment. There are also other risks with ransom payments.
“We have observed that organisations known to pay the ransom are much more likely to be targeted by the same or other ransomware groups in the future. Ransom payments can also perpetuate the ransomware threat and are used to fund other illegal activities.”
Can Yuceel warned that for the UK’s growing roster of victims – which now also includes Adare SEC, a specialist customer comms services supplier for the financial and insurance sector with customers including Legal & General, AON and Allianz – should be particularly wary of engaging or paying a ransom due to strict financial regulations covering payments to Russian criminal organisations.
“The Office of Financial Sanctions Implementation considers ransom payments as a breach of financial sanctions, which is a serious criminal offence and can carry a custodial sentence and the imposition of a monetary penalty,” he said.
“Victims in the UK should therefore report the attack to the National Cyber Security Centre and request support for managing the cyber incident if needed.”
MOVEit cyber attack timeline
- 31 May: Rapid7 observed exploitation of a SQL injection vulnerability in Progress Software’s managed file transfer product.
- 5 June: Microsoft said the recently disclosed zero-day flaw in Progress Software’s managed file transfer product is being exploited by threat actors connected to the Clop ransomware gang.
- 6 June: The BBC, Boots and British Airways are among the victims of cyber incidents arising from a recently disclosed vulnerability in the MOVEit file transfer product, exploitation of which is spreading fast.
- 7 June: The Clop cyber extortion and ransomware operation is demanding organisations pay a ransom to avoid data stolen via an exploited vulnerability in a file transfer product being leaked.
- 8 June: The Clop cyber extortion gang may have been keeping the MOVEit SQL injection vulnerability they used to penetrate the systems of multiple victims secret for two years.
- 9 June: Network equipment and services supplier Extreme Networks revealed its instance of Progress Software’s MOVEit tool was compromised in the ongoing Clop cyber attack.
- 9 June: Progress Software released a patch for a second MOVEit Transfer issue, which was uncovered by third-party security specialist Huntress Security during post-incident code scanning.
- 12 June: Communications regulator Ofcom said data on employees and regulated communications companies was stolen by the Clop gang.
- 14 June: A seven-day deadline set by Clop for victims of its latest attack to contact it to arrange payment passed on 14 June.
Read more on Data breach incident management and recovery
-
![]()
Clop MoveIt Transfer attacks affect over 2,000 organizations
By: Alexander Culafi
-
![]()
Cyber insurance report shows surge in ransomware claims
By: Arielle Waldman
-
![]()
Ransomware attacks on education sector spike in August
By: Arielle Waldman
-
![]()
MoveIt Transfer attacks dominate July ransomware disclosures
By: Arielle Waldman
