The Clop ransomware gang revealed to BleepingComputer that they are behind the MOVEit Transfer data theft attacks. A zero-day vulnerability was confirmed to be used in these attacks, in which multiple companies infiltrated their servers and stole data.
Stating that they are behind the hacker group that Microsoft follows as 'Lace Tempest', namely TA505 and FIN11, the representative of Clop confirmed that they started to exploit the vulnerability on May 27, during the United States' long Memorial Day holiday. According to information previously disclosed by Mandiant, staging attacks around the holidays, large-scale exploitation attacks that occur when personnel are at their lowest, is a common tactic of the Clop ransomware operation.
For example, on December 23, 2020, at the start of the Christmas holiday, they took advantage of the Accelion FTA zero-day vulnerability to steal data.
Clop did not share how many companies were affected by the MOVEit Transfer attacks, but stated that if the ransom is not paid, the victims will be published on the data leak site.
Furthermore, the ransomware gang has confirmed that they haven't started blackmailing the victims yet, possibly using the time to examine the data and identify what is valuable and evaluate how it can be used for ransom demands from the hacked companies.
In past GoAnywhere MFT attacks, Clop waited more than a month to email ransom demands to organizations.
Finally, the ransomware gang reluctantly told BleepingComputer that they deleted the data of governments, military units, and children's hospitals during these attacks.
"I want to say that we did not attack targeted institutions such as military units, children's hospitals, HÜK etc. and their data was deleted," Clop said in his email.
BleepingComputer cannot verify the veracity of these claims and reminds that, as with any data theft attack, all affected organizations should assume that data is vulnerable to misuse.
Although Clop initially started as a ransomware operation, the group has come to favor data theft and blackmail over encryption, as previously told BleepingComputer.
We've also seen the first statements from companies affected by the first victims Clop's MOVEit data theft attacks.
Zellis, a UK-based provider of salary and human resources solutions, confirmed that they suffered a data breach due to these attacks, affecting some of their customers.
"Many companies around the world have been impacted by a zero-day vulnerability in Progress Software's MOVEit Transfer product," Zellis said.
"We can confirm that a small number of our customers are affected by this global issue and we are actively working to support them. Zellis proprietary software is unaffected and there are no issues or breaches in any part of our IT infrastructure."
Aer Lingus confirmed that they experienced a breach through the Zellis MOVEit attack.
However, Aer Lingus' statement said, "However, it has been confirmed that financial or banking information of current or former employees of Aer Lingus was not affected in this incident."
Likewise, British Airways has been confirmed to have been affected by the Zellis breach.
Unfortunately, as with the previous Clop attacks, many companies are expected to make statements about these attacks against managed file transfer platforms in the future.
