Clop, the ransomware gang that exploited a critical security vulnerability in a popular corporate file transfer tool, has begun listing victims of the mass-hacks, including several U.S. banks and universities.
Since late May, the Russia-linked ransomware gang has exploited MOVEit Transfer, a tool used by corporations and enterprises to share large files online. Progress Software, which makes MOVEit, patched the vulnerability after hackers compromised several customers.
Clop listed the first organizations it hacked using the MOVEit flaw on Wednesday. The dark web leak site of Clop lists 1st Source, First National Bankers Bank, Putnam Investments, Landal Greenparks, and Shell as victims.
The leak site removed GreenShield Canada, a non-profit health and dental benefits carrier.
Datasite, National Student Clearinghouse, United Healthcare Student Resources, Leggett & Platt, ÖKK, and USG are also victims.
USG is “evaluating the scope and severity of this potential data exposure,” a spokesperson said. According to federal and state law, affected parties will be notified.
“Well aware of its mentioning on the Tor website of Clop and the incident connected to a supplier software,” Heidelberg spokesperson Florian Pitzinger said. “Incident occurred a few weeks ago, was countered fast and effectively and based on our analysis did not lead to any data breach,” the spokesperson added.
Clop, like other ransomware gangs, did not contact the organizations it hacked to demand a ransom to decrypt or delete their stolen files. Instead, a blackmail message on its dark web leak site told victims to contact the gang by June 14.
Clop claims to have downloaded “alot [sic] of your data,” but no stolen data has been published.
Victims emerge
BBC, Aer Lingus, and British Airways were compromised by the attacks. Zellis’ MOVEit system was compromised, affecting these organizations.
Nova Scotia, which uses MOVEit to share files across departments, confirmed it was affected and said some citizens’ personal information may have been compromised. “If you are a government, city or police service… we erased all your data,” Clop said on its leak site.
New victims are coming forward, but the extent of the attacks is unknown.
Johns Hopkins University confirmed a MOVEit mass-hack-related cybersecurity incident this week. The university said the data breach “may have impacted sensitive personal and financial information,” including names, contact information, and health billing records.
The MOVEit mass-hack also exposed confidential information, according to Ofcom. The regulator confirmed that hackers accessed company data and 412 Ofcom employees’ personal data.
BBC News reports that Transport for London (TfL) and Ernst and Young are also affected. Requests for comment received no responses.
With thousands of MOVEit servers, most in the US, still accessible online, more victims are expected to emerge.
Researchers also believe Clop exploited MOVEit in 2021. Kroll, an American risk consulting firm, reported in late May that Clop had been experimenting with exploiting this vulnerability for almost two years.
Kroll researchers noted that mass exploitation events like the MOVEit Transfer cyberattack require sophisticated knowledge and planning.
Clop exploited Fortra’s GoAnywhere and Accellion’s file transfer tools in previous mass attacks.