The Clop ransomware gang told BleepingComputer they were behind the MOVEit Transfer data theft attacks, where a zero-day vulnerability was exploited to breach multiple companies’ servers and steal data.
This confirms Microsoft’s Sunday night attribution to the hacking group it tracks as “Lace Tempest”, also known as TA505 and FIN11.
Clop’s representative further confirmed that they began exploiting the vulnerability on May 27, during the long US Memorial Day holiday, as previously revealed by Mandiant.
Carrying out attacks during the holidays is a common tactic for the Clop ransomware operation, which has previously undertaken large-scale exploitation attacks during the holidays when staffing is at a minimum.
For example, they exploited a similar Accellion FTA zero-day vulnerability on December 23, 2020, to steal data just as the Christmas holidays began.
While Clop wouldn’t share the number of organizations hacked in the MOVEit Transfer attacks, they said the victims would be posted to their data leak site if a ransom was not paid.
Additionally, the ransomware gang confirmed that it has not begun to extort victims, likely using the time to review the data and determine what is valuable and how it could be used as leverage in a ransom demand to hacked companies.
In the gang’s recent GoAnywhere MFT attacks, Clop waited over a month to email ransom demands to organizations.
Finally, and unprompted, the ransomware gang told BleepingComputer that they deleted all data stolen from governments, the military, and children’s hospitals in these attacks.
“I want to tell you right now that the military, children’s hospitals, GOV, etc., we can’t attack, and their data has been erased,” Clop said in its email to BleepingComputer.
BleepingComputer has no way of confirming whether these claims are accurate, and as with any data theft attack, all organizations involved should treat the incident as if the data is at risk of misuse.
While Clop started out as a ransomware operation, the group previously told BleepingComputer that it was moving away from encryption and favoring data extortion instead.
The first victims appear
We have also seen the first disclosures from organizations hacked in Clop’s MOVEit data theft attacks.
UK payroll and HR solutions provider Zellis has confirmed that it suffered a data breach as a result of the attacks, which also affected some of its customers.
“A large number of businesses around the world have been impacted by a zero-day vulnerability in Progress Software’s MOVEit Transfer product,” Zellis told BleepingComputer in a statement.
“We can confirm that a small number of our customers have been impacted by this global issue and we are actively working to support them. All software owned by Zellis is unaffected and there are no incidents or compromises associated with any other part of our computer park.
“Once we became aware of this incident, we took immediate action, taking the server offline that uses the MOVEit software and engaging a team of external security incident response experts to assist with medico-legal analysis and on-going monitoring. We have also notified the ICO, DPC and NCSC in the UK and Ireland.”
Aer Lingus has confirmed to BleepingComputer that they suffered a breach through the Zellis MOVEit compromise.
“However, it has been confirmed that no financial or banking information relating to current or former Aer Lingus employees has been compromised in this incident,” read a statement from Aer Lingus.
“It has also been confirmed that no contact details for current or former Aer Lingus employees have been compromised.”
As reported by The Record, British Airways also confirmed that the Zellis breach affected them.
Unfortunately, as we’ve seen with previous Clop attacks on managed file transfer platforms, we’ll likely see a long stream of corporate disclosures over time.