The Clop ransomware group has confirmed Microsoft’s claims that it was responsibility for the recent cyberattack on the MOVEit managed file transfer service.
In a statement given to BleepingComputer, the dreaded threat actor also confirmed most of the speculation that was making rounds in these last couple of days, namely that the attack began May 27 (during the long US Memorial Day holiday), used a zero-day vulnerability, and most of the victims will be asked for payment in return for their data.
The negotiations haven’t started yet, though. Reports speculate the group is currently sifting through gigabytes of data, identifying points of interest and important data, before setting their ransoms and calculating where to strike first. So far, no data has been posted, not even snippets.
No government data
However, extortion attempts are now just a matter of time, says Charles Carmakal, CTO, Mandiant Consulting – Google Cloud.
“At this stage it is critical for victim organizations to prepare for potential extortion, publication of stolen data, and victim shaming. It is likely that the threat actor will soon begin to make contact with extortion demands and begin to work through their list of victims,” he said.
“Mandiant’s investigations into prior campaigns from the suspected threat actor show that extortion demands are usually in the 7- or 8-figure range, including a few demands for more than $35 million.”
Earlier speculation also stated that Clop obtained sensitive data belonging to Western governments. While the group did pull such information, it claims to have deleted it immediately, possibly in order not to poke the bear.
“I want to tell you right away that the military, children’s hospitals, GOV etc like this we no to attack, and their data was erased,” Clop told the publication via email.
Last Friday, MOVEit confirmed discovering a major security vulnerability in its systems and urged its customers to apply the workaround as it works on the patch.
Earlier today, news of the first victims emerged, after the BBC reported that its staff, as well as those working at British Airways, Boots, Aer Lingus, and Zelli, were affected.
The data that was stolen in the breach includes national insurance numbers, as well as bank details – depending on the affected software user.
MOVEit Transfer is a managed file transfer (MFT) solution built by Ipswitch, a subsidiary of a company called Progress. Companies usually use software such as this to securely transfer sensitive files, such as financial data, personally identifiable information, and more.
Carmakal also said businesses should be aware of possible scammers: “Some of our clients impacted by the MOVEit exploitation received extortion emails over the weekend. The extortion emails were unrelated to the MOVEit exploitation and were just scams, but organizations could easily confuse them as being authentic.”