The Clop ransomware gang has begun extorting companies affected by the MOVEit data theft attacks, first listing the companies’ names on a data leak site, a tactic often used before stolen information is publicly disclosed.
These entries come after threat actors exploited a zero-day vulnerability in the MOVEit Transfer secure file transfer platform on May 27 to steal files stored on the server.
The Clop gang took responsibility for the attacks, claiming to have breached “hundreds of companies” and warning that their names would be added to a data leak site on June 14 if negotiations did not take place.
If an extortion demand is not paid, threat actors say they will begin releasing stolen data on June 21.
Clop begins extorting companies
Yesterday, the Clop threat actors listed thirteen companies on their data leak site, but did not specify whether they were linked to the MOVEit Transfer attacks or were ransomware encryption attacks.
One of the companies, Greenfield CA, has since been removed, suggesting that the listing was either a mistake or that negotiations are ongoing.
Five of the listed companies, British multinational oil and gas company Shell, UnitedHealthcare Student Resources (UHSR), the University of Georgia (UGA) and University System of Georgia (USG), Heidelberger Druck, and Landal Greenparks, have since confirmed to BleepingComputer that they have been affected to varying degrees by the MOVEit attacks.
Shell said only a small number of employees and customers were affected, and Landal told BleepingComputer that threat actors accessed the names and contact details of around 12,000 guests.
The University System of Georgia, University of Georgia and UnitedHealthcare Student Resources told BleepingComputer they are still investigating the attack and will disclose any breaches if discovered.
German printing company Heidelberger Druck told BleepingComputer that although they use MOVEit Transfer, their analysis indicates that it did not cause any data breaches.
Putnam Investments, which is also listed on the Clop data leak site, told BleepingComputer they are looking into the matter.
While the other companies listed on Clop’s site did not respond to our emails, Macnica’s security researcher Yutaka Sejiyama shared data with BleepingComputer confirming that they are currently using the MOVEit Transfer platform or have done so in the past.
Previously disclosed data breaches
Other organizations that have previously disclosed MOVEit Transfer breaches include Zellis (BBC, Boots and Aer Lingus, Irish HSE via Zellis), the University of Rochester, the Nova Scotia government, the US state of Missouri, the US state of Illinois, BORN Ontario, Ofcom, Extreme Networks, and the American Board of Internal Medicine.
In similar past attacks that used zero-day vulnerabilities in the Accellion FTA, GoAnywhere MFT, and SolarWinds Serv-U managed file transfer products, threat actors demanded $10 million ransoms to prevent data leaks.
BleepingComputer has learned that the extortion operation was not very successful in the GoAnywhere extortion attempts, with companies preferring to disclose data breaches rather than pay a ransom.