A top cybersecurity analyst and security researcher has claimed the Clop ransomware gang responsible for the MOVEit attacks is ramping up its threats in the hope to get victims to pay up.
Dominic Alvieri discovered on July 22 that the Russian ransomware group had created a clearnet domain designed to distribute stolen data from one of its targets, professional services giant Ernst & Young, posting a screenshot of the dotcom website to Twitter.
Ernst & Young, trading as EY, had been notified via Tweets and direct messages from Alvieri, but it’s uncertain whether the company has responded.
Clop threatens to leak MOVEit data
The analyst and researcher also reached out to BleepingComputer, informing the publication that the ransomware group’s first target was business consulting firm PWC.
In addition to EY and PWC, BleepingComputer reports that websites had also been created for Aon, Kirkland, and TD Ameritrade.
Typically, data leaks are hosted on the Tor network thanks to the additional anonymity and difficulty relating to how enforcement bodies can remove the pages. Instead, Clop is threatening to leak MOVEit breach data on the regular Internet, hence Alvieri’s ‘dotcom’ comment.
Because of the nature of clearnet domains, websites are at a much higher risk of being taken down, which has been true in the case of Clop, though it’s unclear whether enforcement agencies or hosting providers are responsible for their takedown.
Similarly, BleepingComputer suggests that cybersecurity firms could have launched their own DDoS attacks in an effort to protect victims.
According to Coveware, the small number of Clop’s estimated 1,000 direct targets that are likely to pay – or have already paid – ransoms could see the Russian group earn $75-100 million from MOVEit-linked demands alone.