Clop, the ransomware gang responsible for exploiting a critical security vulnerability in a popular corporate file transfer tool, has begun listing victims of the mass-hacks, including a number of U.S. banks and universities.
The Russia-linked ransomware gang has been exploiting the security flaw in MOVEit Transfer, a tool used by corporations and enterprises to share large files over the internet, since late May. Progress Software, which develops the MOVEit software, patched the vulnerability — but not before hackers compromised a number of its customers.
While the exact number of victims remains unknown, Clop on Wednesday listed the first batch of organizations it says it hacked by exploiting the MOVEit flaw. The victim list, which was posted to Clop’s dark web leak site, includes U.S.-based financial services organizations 1st Source and First National Bankers Bank; Boston-based investment management firm Putnam Investments; the Netherlands-based Landal Greenparks; and the U.K.-based energy giant Shell.
GreenShield Canada, a non-profit benefits carrier that provides health and dental benefits, was listed on the leak site but has since been removed.
Other victims listed include financial software provider Datasite; educational non-profit National Student Clearinghouse; student health insurance provider United Healthcare Student Resources; American manufacturer Leggett & Platt; Swiss insurance company ÖKK; and the University System of Georgia (USG).
A USG spokesperson, who did not provide their name, told TechCrunch that the university is “evaluating the scope and severity of this potential data exposure. If necessary, consistent with federal and state law, notifications will be issued to any individuals affected.”
Florian Pitzinger, a spokesperson for German mechanical engineering company Heidelberg, which Clop listed as a victim, told TechCrunch in a statement that the company is “well aware of its mentioning on the Tor website of Clop and the incident connected to a supplier software.” The spokesperson added that the “incident occurred a few weeks ago, was countered fast and effectively and based on our analysis did not lead to any data breach.”
None of the other listed victims have yet responded to TechCrunch’s questions.
Clop, which like other ransomware gangs typically contacts its victims to demand a ransom payment to decrypt or delete their stolen files, took the unusual step of not contacting the organizations it had hacked. Instead, a blackmail message posted on its dark web leak site told victims to contact the gang prior to its June 14 deadline.
No stolen data has been published at the time of writing, but Clop tells victims that it has downloaded “alot [sic] of your data.”
New victims come forward
Multiple organizations have previously disclosed they were compromised as a result of the attacks, including the BBC, Aer Lingus and British Airways. These organizations were all affected because they rely on HR and payroll software supplier Zellis, which confirmed that its MOVEit system was compromised.
The Government of Nova Scotia, which uses MOVEit to share files across departments, also confirmed it was affected, and said in a statement that some citizens’ personal information may have been compromised. However, in a message on its leak site, Clop said, “if you are a government, city or police service… we erased all your data.”
While the full extent of the attacks remains unknown, new victims continue to come forward.
Johns Hopkins University this week confirmed a cybersecurity incident believed to be related to the MOVEit mass-hack. In a statement, the university said the data breach “may have impacted sensitive personal and financial information,” including names, contact information, and health billing records.
Ofcom, the U.K.’s communications regulator, also said that some confidential information had been compromised in the MOVEit mass-hack. In a statement, the regulator confirmed that hackers accessed some data about the companies it regulates, along with the personal information of 412 Ofcom employees.
Transport for London (TfL), the government body responsible for running London’s transport services, and global consultancy firm Ernst and Young, are also impacted, according to BBC News. Neither organization responded to TechCrunch’s questions.
Many more victims are expected to be revealed in the coming days and weeks, with thousands of MOVEit servers — most located in the United States — still discoverable on the internet.
Researchers also report that Clop may have been exploiting the MOVEit vulnerability as far back as 2021. American risk consulting firm Kroll said in a report that while the vulnerability only came to light in late-May, its researchers identified activity indicating that Clop was experimenting with ways to exploit this particular vulnerability for almost two years.
“This finding illustrates the sophisticated knowledge and planning that go into mass exploitation events such as the MOVEit Transfer cyberattack,” Kroll researchers said.