Ransomware gang Clop, who was responsible for a cyber attack on data transfer service MOVEit, has issued a threat to all those affected by the breach.
The attack on MOVEit directly led to a data breach affecting payroll services provider Zellis, as the company uses MOVEit as a third-party provider. This exposed the data for over 100,000 employees from a number of companies including the British Broadcasting Company (BBC), health and beauty retailer Boots and UK airline British Airways. This data includes all data employees will have provided for payroll purposes including their names, home and email addresses, dates of birth, UK National Insurance number, bank details and phone number.
The threat, which was issued via the dark web, tells the companies affected to contact the ransomware group by June 14 or their data will be posted online. According to the BBC, a victim of the cyber attack, the post addressed the others affected by the attack: “This is [sic] announcement to educate companies who use Progress MOVEit product that chance is that we download [sic] a lot of your data as part of [sic] exceptional exploit.”
The post went on to urge victims to contact the gang via their darknet portal to begin a negotiation for the release of their own or their fellow employees’ data.
Usually, ransomware demands are sent directly to victims rather than requesting victims get in touch. This unusual action has prompted some speculation on why Clop would proceed in this way, with Amir Hadžipasić, CEO of cyber security software company SOS Intelligence, telling the BBC that he predicts that the malicious actors “just have so much data that it is difficult for them to get on top of it all” and that they are “betting” on victims contacting them.
Only employees who work for local or national government or the police services may be safe from the attack, with Clop addressing them directly. The ransomware gang told these employees to “not worry”. They continued, saying “we erased your data you do not need to contact us. We have no interest to expose [sic] such information”. The legitimacy of this statement has been called into question, however.
The cyber attack on MOVEit and Zellis
The cyber attack against MOVEit saw Clop exploit a critical vulnerability in MOVEit’s infrastructure. This allowed the malicious actors to break into multiple company networks and steal data.
The vulnerability was flagged by security researchers and the US government on June 1. The US Cybersecurity and Infrastructure Security Agency (CISA) urged all MOVEit clients to check for indications that malicious actors had gained unauthorized access to their networks over the past 30 days and to download and install the software patch released by MOVEit to address the issue.
On June 5, a third-party user of MOVEit, Zellis, issued a statement to its users that MOVEit had been the victim of a cyber attack. The payroll services company explained that, as a result, a “small number of [its] customers [were] impacted by this global issue”, meaning their employee data had been breached.
Once Zellis became aware of the attack, the company disconnected its server that utilizes MOVEit software and engaged an external cyber security company to conduct a forensic investigation into the cyber attack and to further monitor its systems. The Information Commissioner’s Office (ICO), the Data Protection Commission (DPC) and the National Cyber Security Center (NCSC) in both the UK and Ireland have also been contacted regarding the cyber security incident.