A cybercrime group believed to be based in Russia has issued an ultimatum to victims affected by a global hack. The Clop group, operating on the dark web, posted a notice warning victims of the MOVEit hack to contact them before June 14th to prevent the publication of stolen data.
Organizations such as the BBC, British Airways, and Boots have been notified that their payroll data may have been compromised. Employers are advised against paying any ransom demanded by the hackers.
The hackers exploited vulnerabilities in the popular business software MOVEit to gain unauthorized access to databases of potentially hundreds of companies. Microsoft analysts have identified Clop as the likely culprit based on the hacking techniques employed.
A lengthy blog post, written in broken English and whose existence the BBC has confirmed, serves as an announcement to companies using the Progress MOVEit product that their data may have been stolen. The post urges victim organizations to initiate negotiations by contacting the gang via its darknet portal.
This demand for contact from victims is an unusual tactic, as ransom demands are typically emailed by the hackers. It suggests that the scale of the hack may have overwhelmed Clop's ability to handle communications efficiently.
Progress Software supplies MOVEit to businesses for secure file transfer within their systems. Zellis, a payroll services provider based in the UK, confirmed that eight organizations, including the BBC, British Airways, and Boots, have had data stolen, comprising home addresses, national insurance numbers, and in some cases, bank details.
Affected individuals are advised not to panic, while organizations should carry out the security checks recommended by authorities such as the Cybersecurity and Infrastructure Security Agency (CISA) in the US.
Clop claims on its leak site that it has deleted data related to government, city, and police services, stating that there is no intention to expose such information. However, researchers caution against trusting the criminals' claims, suggesting that valuable or exploitable information may not have been disposed of as stated.
Cybersecurity experts have been monitoring Clop's activities, as the group predominantly operates on Russian-speaking forums, indicating a possible Russian base of operations. Russia has faced accusations of harboring ransomware gangs, though it denies the claims.
Clop operates as a "ransomware as a service" group, renting its tools to other hackers, who can then launch attacks from any location. In 2021, alleged Clop hackers were arrested in Ukraine during a joint operation involving Ukraine, the US, and South Korea. At the time, authorities claimed to have dismantled the group responsible for extorting $500 million from victims worldwide. However, Clop has persisted as an ongoing threat.