Cybercrime group Clop demands organisations enter into negotiations
The BBC, British Airways, Boots, and Aer Lingus are among the latest victims of a large-scale cyberattack orchestrated by a Russian-speaking cybercrime group known as Clop. Staff have been warned that personal data, including national insurance numbers and in some cases bank details, may have been stolen.
The group has stolen personal details of over 100,000 staff members across these organisations and has issued an ultimatum for ransom negotiations. The affected companies have been told to contact Clop by 14th June, or else the stolen data, which includes sensitive information such as names, addresses, national insurance numbers, and bank details, will be published online. Clop exploited a vulnerability in the MOVEit software, used for secure file transfer within internal networks, gaining unauthorised access to multiple victims in one mass hack.
Six organisations, including Aer Lingus and the University of Rochester, have confirmed being impacted by the attack. While some organisations directly used MOVEit, others outsourced their payroll services to a third-party provider called Zellis, which was also affected. Clop claims to possess information on hundreds of companies and hints at conducting a penetration testing service after the fact.
The ransom demand does not name a sum but requires the affected businesses to enter into negotiations with the cybercriminal group. This type of attack, known as “doxware,” represents an escalation in ransomware tactics. Rather than simply encrypting data and demanding a ransom for its release, the hackers steal the data outright and threaten to publish it unless the ransom is paid. This approach prevents organisations from simply restoring their data from backups and disregarding the ransom demands. While paying ransom demands is generally discouraged, there is a risk that some affected companies may succumb to the pressure.
It is crucial for the impacted organisations to be transparent with their employees and customers, offering support and guidance on protecting themselves from further attacks.
A MOVEit spokesperson said: “Our customers have been, and will always be, our top priority. When we discovered the vulnerability, we promptly launched an investigation, alerted MOVEit customers about the issue and provided immediate mitigation steps.”
They added: “We are continuing to work with industry-leading cybersecurity experts to investigate the issue and ensure we take all appropriate response measures. We have engaged with federal law enforcement and other agencies with respect to the vulnerability.”