Brace for Impact: Clop MoveIT Breach Continues
August 2023 by ReliaQuest
In June 2023, the Clop ransomware group exploited a critical zero-day vulnerability (CVE-2023-34362) affecting file transfer software MOVEit. This tactic has become a trend for Clop: targeting commonly used—albeit susceptible—file transfer providers to exfiltrate data that can be used to extort companies.
For the last three months, we’ve watched closely as the Clop ransomware group worked through its ransom list, naming and shaming victims—and leaking their data. To date, they’ve released the names of roughly 260 organizations they’ve exploited through the MOVEit file transfer vulnerability. The affected organizations span the globe and multiple industries. Clop has also made good on its threats when companies decline to negotiate, leaking data belonging to many of the named organizations.
Unfortunately, this fiasco is set to continue.
In this campaign, Clop took the rather unorthodox method of requesting impacted companies contact them to negotiate ransoms, rather than the typical approach of making their demands via a ransom note. Clop has now claimed that any remaining named companies that have failed to contact them would have their data leaked on August 15, 2023.
Deadline for New Leaks Set on August 15, 2023
On August 10, 2023, Clop released a statement to their data-leak website, Clop Leaks, clarifying their next steps following the MOVEit vulnerability exploitation.
Post made to Clop leaks on August 10, 2023
Figure 1: Post made to Clop leaks on August 10, 2023
The post exposes that despite the high-profile nature of the attack, some impacted companies have still failed to contact Clop to negotiate payment of a ransom. There are a number of reasons this could be:
The possibility is slim, but some companies may be unaware that they are affected by the vulnerability’s exploitation. This could be down to a lack visibility of certain IT services—like MOVEit—within their environment, or otherwise may not have followed recent developments.
Some companies may be aware of a possible exposure to the incident, however, may have determined that contacting Clop represented a greater risk than the value of what was potentially stolen.
It’s also possible that some companies have taken a stance to not negotiate with criminal extortionists, instead choosing to deal with the fallout of the breach if and when it occurs.
Whatever the case, it’s likely that many organizations’ security teams will be busy on August 15, 2023.
Clop’s New Tactics and Their Impact
Clop has recently shifted tactics multiple times to identify and prompt any outstanding organizations that have not contacted them to negotiate a ransom. It’s possible that the latest statement represents Clop’s final attempt to solicit payments from victims who have yet to pay the ransom.
These changes in tactics have included:
Posting victim data onto clear web domains—a tactic originally explored by the ALPHV ransomware group.
Using torrents to share stolen data via peer-to-peer sharing. The changes in tactics made by Clop have the advantage of making it easier to both host and download data. Typically, downloading data from data-leak websites on the dark web is difficult due to speed caps placed on transfers, while the new methods used by Clop make it easier to share and acquire the data.
It is also worth noting that some companies have been named as Clop victims, but their full data has not been leaked yet. For example, Clop often claims to have stolen multiple terabytes of data but only leaks a small portion of that amount. There have also been instances where no data was leaked, even weeks after Clop posted victims. As the ransom deadline for August 15, 2023, approaches, it is likely that we will see data being leaked for many of these companies.
It’s possible that Clop previously had difficulty leaking all the data for its victims due to challenges in storing large data breaches on the dark web. However, it is highly likely that, in this instance, the stolen data will be shared en masse. We’ve identified at least one case where Clop leaked 52GB of data via a single .ZIP file in a torrent. If this becomes the norm, it could significantly increase the cyber risk for companies named by Clop.
It is also likely the group considers some data too valuable to give away for free. We have also identified instances where the group offered to sell stolen data to anyone willing to pay.
What You Can Do Now
In our previous blog on Clop, we outlined several useful steps to minimize the risks associated with the incident. These steps included evaluating the risk, updating the MOVEit software, and considering alternative file transfer software.
Other prudent steps to take ahead of August 15, 2023, are as follows:
Incident response: If you are a user of MOVEit or believe you may be impacted, ensure that your incident response (IR) team is fully prepared ahead of the deadline. These steps include creating call-out plans, identifying and documenting roles and responsibilities, and outlining steps to take if necessary. Effective incident response processes take time to develop, so it’s important to use the remaining time to prepare.
Determine the risk: If you haven’t done so already, it’s worthwhile to attempt to identify the kind of data that was transmitted using the MOVEit service. Evaluate files that are or have been stored on your MOVEit solutions and any third-party MOVEit servers.
Work with partners: Third-party risk management teams should communicate with key vendors to understand potential exposures through partner companies.
How to Stay Off Future Ransom Lists
To stay off the next ransom list, be sure to keep a close eye on the latest news and be prepared to act. If you do hear of a vulnerability, it is essential to work closely with security and intelligence providers to ensure there hasn’t been any exfiltration of your sensitive data.
If you have been affected, performing a thorough post-compromise analysis can help identify what has been stolen, allowing you to assess the potential impact and take appropriate measures.
Keep in mind that entering negotiations with ransomware groups can be dangerous. If an agreement is not reached, these groups may retaliate by making an example out of the victims by leaking sensitive documents, publicly posting ransom negotiations, or naming and shaming victims on their leak site. In some cases, victims may engage in negotiations simply to buy time, as ransomware groups like Clop require time to analyze a company and its assets.
It is also important to note that ransomware groups may claim to delete all stolen data after a ransom is paid, but there is no way to confirm that they will follow through with their promise.
To safeguard against ransomware attacks, it is imperative to stay proactive, promptly address any vulnerabilities. By fortifying your defenses and staying vigilant, you can reduce the risk of becoming a victim of bad actors’ insidious moves.
How ReliaQuest Can Help
At ReliaQuest, we understand the importance of staying one step ahead of ransomware campaigns. That’s why our security operations platform, GreyMatter, uses advanced detections we’ve specifically designed by experts to identify vulnerability exploitations such as those used by Clop.
GreyMatter automates the high-time, low-brain activities of your security teams, leaving them free to focus on strategic improvements to your security posture that can help you better defend against ransomware.