Update: December 13, 2023
As of December 1, Flashpoint has identified 2,098 victims of exploitation of the MOVEit vulnerability, including third-party victims that did not use MOVEit but whose data was exposed by a service provider.
Update: June 29, 2023
Victim count rises to 137.
Update: June 20, 2023
After several days without new victims, Clop ransomware has added a new batch of victims to its website, bringing the total number of alleged victims above 70.
The Clop Ransomware Attack
The Clop Ransomware gang has been exploiting the MOVEit vulnerability to gain access to a growing list of companies, including several US federal agencies, the names of which the cybercriminal organization has been steadily releasing since Wednesday, June 13.
As of this publishing, Clop has listed a total of 64 organizations on its data leak site, with nearly every major industry affected. A growing number of the victims have confirmed the breaches.
On Wednesday, June 14, the deadline set by Clop ransomware for victims targeted during a mass breach of Progress Software’s MOVEit Transfer tool passed. According to the threat issued by the attackers, victims that failed to comply or negotiate would be exposed on the group’s blog.
More names were revealed on June 15 and again on June 16.
What is the MOVEit Vulnerability and How Did CL0P Exploit It?
Clop began exploiting a zero-day vulnerability in the MOVEit Transfer system on May 27. Although it claimed to have breached multiple companies’ servers with this vulnerability, it did not immediately extort the victims.
On May 31, Progress Software publicly disclosed the vulnerability and released an initial patch, as well as recommended remediation steps. However, more vulnerabilities affecting MOVEit have been recently discovered.
On June 5, Zellis UK, a payroll and HR solutions provider, confirmed that it had been compromised by the vulnerability. The attack on Zellis directly led to the compromise of several other organizations within its supply chain.
A day later, Clop officially claimed credit for exploiting the MOVEit vulnerability. Clop also claimed to have deleted any data related to governments, military, and children’s hospitals. However, several US federal agencies and government contractors are known to have been affected by the recent Clop ransomware attack.
The following day, on June 7, the FBI and CISA released a joint Cybersecurity Advisory (CSA) providing the known Clop ransomware group tactics, techniques, and procedures as of June 2023, information concerning the MOVEit vulnerability, a list of the known indicators of compromise (IOCs), and recommended mitigation steps for affected parties.
Less than a week later, Clop began to publish its list of victims.

Who were the Victims and Industries Affected?
As of this publishing, there are more than 60 victim organizations globally, many of which have come forward. They operate in the following industries and sectors:
- Airline
- Industrial
- Retail
- Consulting and General Business
- Education
- Government and Public Sector
- Financial services and banking
- Healthcare
- Broadcasting and Telecom
- Insurance
- Transportation
- Software
- Oil and gas
- Technology
- Manufacturing
Flashpoint continues to monitor the Clop ransomware blog and other sources for updates on the MOVEit Transfer zero-day vulnerability victims.
Get ahead of Cyber Extortion Events
Ransomware response is as important as prevention. If an organization is impacted by ransomware, a well-practiced incident response plan can greatly minimize damages. To learn more about how Flashpoint empowers security teams to prevent and respond to ransomware attacks, contact us, sign up for a free trial, or watch this video to understand the top ways to prevent a ransomware attack at your organization.
Frequently Asked Questions (FAQs)
What is the MOVEit vulnerability and how does Flashpoint Ignite track it?
The MOVEit vulnerability is a critical supply chain flaw within Flashpoint Ignite’s monitoring scope that was famously exploited by the CL0P ransomware group. Flashpoint Ignite tracks this threat by providing real-time alerts on the CVE and monitoring the CL0P “Wall of Shame” for new victim postings. This allows organizations to see if their data or the data of their third-party vendors has been compromised long before official notifications are sent.
| Attack Component | Flashpoint Ignite Strategic Benefit |
| --- | --- |
| Vulnerability Data | Provides technical details on CVE-2023-34362 via VulnDB. |
| Leak Site Monitoring | Automatically scrapes the CL0P site for mentions of your domain. |
| Exposure Mapping | Identifies which of your vendors are listed as MOVEit victims. |
How does Flashpoint help organizations defend against CL0P ransomware?
Flashpoint helps defend against CL0P ransomware by providing visibility into the group’s evolving extortion tactics and technical indicators. While CL0P has moved toward an “extortion-only” model, Flashpoint continues to track their infrastructure and the specific web shells they use to harvest data. By integrating these indicators into your security tools, you can detect the early signs of a CL0P intrusion and stop the data exfiltration before it reaches the group’s leak site.
- Indicator Delivery: Provides IPs and file hashes associated with CL0P’s MOVEit campaign.
- Extortion Alerts: Notifies you as soon as your company data appears in criminal chat rooms.
- Actor Intelligence: Decodes the motivations and future targets of the CL0P leadership.
Why is Flashpoint’s supply chain intelligence vital for MOVEit-style attacks?
Flashpoint’s supply chain intelligence is vital because modern breaches often occur through a trusted third-party vendor rather than a direct attack. During the MOVEit crisis, many firms were affected because their partners used the flawed software. Flashpoint provides a clear view of this “ripple effect” by monitoring the dark web for stolen data clusters, helping you identify which parts of your supply chain have been breached so you can isolate your own network and protect your assets.
| Supply Chain Risk | Flashpoint Integrated Response |
| --- | --- |
| Vendor Exposure | Identifies if your cloud or file-sharing partners have been compromised. |
| Data Leakage | Scans for proprietary documents leaked from a partner’s network. |
| Compliance Risk | Helps you meet reporting rules by confirming the date and scope of a leak. |

