The Latest on Clop Ransomware and the MOVEit Vulnerability

Update: December 13, 2023

As of December 1, Flashpoint has identified 2,098 victims of exploitation of the MOVEit vulnerability, including third-party victims that did not use MOVEit but whose data was exposed by a service provider.

Update: June 29, 2023

Victim count rises to 137.

Update: June 20, 2023

After several days without new victims, Clop ransomware has added a new batch of victims to its website, bringing the total number of alleged victims to above 70.

The Clop Ransomware attack

The Clop Ransomware gang has been exploiting the MOVEit vulnerability to gain access to a growing list of companies, including several US federal agencies, the names of which the cybercriminal organization has been steadily releasing since Wednesday, June 13. 

As of this publishing, Clop has listed a total of 64 organizations on its data leak site, with nearly every major industry affected. A growing number of the victims have confirmed the breaches. 

On Wednesday, June 14, the deadline set by Clop ransomware for victims targeted during a mass breach of Progress Software’s MOVEit Transfer tool passed. Non-compliance or negotiation would result in their exposure on the group’s blog, as per the threat issued by the attackers.

More names were revealed on June 15 and again on June 16.

Timeline: Clop Ransomware exploits MOVEit

Clop began exploiting a zero-day vulnerability in the MOVEit Transfer system on May 27. Although it claimed to breach multiple companies’ servers with this vulnerability, it did not immediately extort the victims. 

On May 31, Progress Software publicly disclosed the vulnerability and released an initial patch, as well as recommended remediation steps. However, more vulnerabilities affecting MOVEit have been recently discovered.

On June 5, Zellis UK, a payroll and HR solutions provider, confirmed that it had been compromised by the vulnerability. The attack on Zellis directly led to the compromise of several other organizations within its supply chain.

A day later, Clop officially claimed credit for exploiting the MOVEit vulnerability. Clop also claimed to have deleted any data related to governments, military, and children’s hospitals. However, several US federal agencies and government contractors are known to have been affected by the recent Clop ransomware attack. 

The following day, on June 7, the FBI and CISA released a joint Cybersecurity Advisory (CSA) providing the known Clop ransomware group tactics, techniques, and procedures as of June 2023, information concerning the MOVEit vulnerability, a list of the known indicators of compromise (IOCs), and recommended mitigation steps for affected parties.

Less than a week later, Clop began to publish its list of victims.

Victims and industries affected

As of this publishing there are more than 60 victim organizations globally, many of which have come forward, that operate in the following industries and sectors: 

• Airline
• Industrial
• Retail
• Consulting and General Business
• Education
• Government and Public Sector
• Financial services and banking
• Healthcare
• Broadcasting and Telecom
• Insurance
• Transportation
• Software
• Oil and gas
• Technology
• Manufacturing

Flashpoint continues to monitor the Clop ransomware blog and other sources for updates on the MOVEit Transfer zero-day vulnerability victims.

Get ahead of cyber extortion events

Ransomware response is equally as important as prevention. In the event that an organization is impacted by ransomware, having a well-practiced incident response plan can greatly minimize damages. To learn more about how Flashpoint empowers security teams to prevent and respond to ransomware attacks, contact us, sign up for a free trial, or watch this video to understand the top ways to prevent a ransomware attack at your organization.