IOTW: Clop issues threat to victims of MOVEit attack

The ransomware gang told victims they will publish their data online if they do not pay

Olivia Powell
07/13/2023


The malicious actors responsible for the MOVEit supply chain cyber attack have issued a threat to victims of the attack.

Ransomware gang Clop launched a cyber attack against document transfer service MOVEit in May 2023 by exploiting a software vulnerability that allowed them access to MOVEit’s network. Many companies that use MOVEit, whether directly or via a third party, were affected by data breaches relating to the cyber attack. The impact of the attack is ongoing, with more than 280 companies and 18 million individuals affected by data breaches related to the cyber attack.

Since the attack, Clop has made posts to its Telegram channel demanding victims contact them regarding the release of their data – for a price. It is unknown how many companies have contacted Clop, or whether any have paid the ransom for their data.

On July 11, Clop issued a statement attacking those who were trying to negotiate with them regarding the release of the data. In the statement, the ransomware gang implied that company stakeholders, referred to as the “big donkey king kong of company”, had purposefully told negotiators to waste time. Clop alleged this was because these companies do not want to reveal that they stored all their company's sensitive data on MOVEit’s file transfer service.

Clop went on to admonish the negotiation tactics further, saying “they offer US$4,000,000 to solve and slowly give $500,000 every two days”. The gang implied that this was time-wasting behavior, saying they had seen this many times before and that they were rich enough to just post the data. They also implied that should the companies be taken to court regarding the data breach, the judge would make them “pay for be[ing] stupid and los[ing] data”.

In the post, Clop also encouraged clients of financial services company TD Ameritrade to “call you[r] friend [sic] and favorite lawyer and go have [a] party to sue company who make[s] billions on you[r] cash”. On July 10, Clop threatened to leak a compressed 260GB dataset it had stolen from Ameritrade during the cyber attack.

The malicious actors also addressed the media directly, saying that the “real story” is “how mismanage this company they data [sic] and how they try to hide”, noting that of greater interest is “how bad negotiator can [expletive] everything and not take blame [sic]”.

The ransomware gang also goaded companies, telling their negotiators to come up with better jokes. Examples of said jokes were:

  • We do not understand what happened, can you tell us? 
  • Our committee is too busy over the weekend and we will be back on Monday. 
  • $500,000 is a lot of money for this useless data.
  • The data is old and we have already notified everyone on advice of our lawyers. 
  • We can’t afford so much due to our insurance.  
  • Our lawyers said that there are no guarantees even if payment has been made.

The gang finished by saying that it can provide a “sure guarantee, pay and your data is gone”, but warned that if companies did not pay they would publish their data online. The gang urged them to choose wisely.

Learn more about the MOVEit data breach with Cyber Security Hub’s timeline of the cyber attack. 

