Earlier this week, ransomware operator Clop began listing victims affected by the MOVEit data breach on its data breach website, media reported. According to TechCrunch report, among the first victims named on the site are 1st Source and First National Bankers Bank, Putnam Investments, Landal Greenparks, Shell, Datasite, National Student Clearinghouse, United Healthcare Student Resources, Leggett & Platt, ÖKK, University System of Georgia.
These organizations come from many different industries, including finance, education, energy, IT, healthcare, and more.
It was also reported that GreenShield Canada, a non-profit organization that provides health care and dental benefits, was listed and subsequently removed from the data breach site. While this cannot be determined at this time, it is possible that the non-profit organization agreed to and paid the ransom note to remove their data from the site.
While these are the first companies that the Clop ransomware gang itself posted on the leak page, they are not generally the first companies to be affected by the incident. HR and payroll software provider Zellis confirmed that its systems were compromised early last week and, given that it provides its services to some of the UK’s largest companies, the data leak has been discovered. As a result, the BBC, British Airways and Aer Lingus confirmed the theft of sensitive data from their facilities.
Moreover, Johns Hopkins University as well as Ofcom have also confirmed that they have been hit. The Nova Scotia government and Transport for London (TfL) have also been hit, but it’s too early to tell whether Clop will release their files or not. In his original announcement, the cybercrime actor said, “If you represent a government, city or police force…we’ve erased all your data.”
The BBC also claims that Ernst and Young were also affected.
Analysis: why does it matter?
Data is the fuel of almost every hacking attempt. Using sensitive, personally identifiable information, hackers can launch all kinds of cyberattacks, from electronic fraud to identity theft, from additional ransomware attacks to business email (BEC) compromise. Today, most successful breaches start with a phishing email, and if an email can be highly personalized, it adds a dangerous dose of legitimacy to an easy-to-find threat. If Clop does indeed release sensitive data belonging to employees, clients and clients of dozens, if not hundreds, of companies around the world, it could trigger a wave of secondary attacks that will not subside for many years.
In addition, data loss in this way harms the victim’s company in many ways. The most obvious of these is business loss – restoring the system takes time and money, and while the victim is busy doing just that, the competition is well ahead. In addition, consumers and other businesses are known to abandon companies that have lost their personal data and relocate their business elsewhere. For some, this loss of confidence can be permanent and could cause businesses to shut down entirely.
Finally, there are state and regulatory matters. Most countries around the world now have strict data security rules, and breaking them can result in fines. Data protection laws, such as the EU’s GDPR, spell out exactly what companies must do to keep employee, customer and client data safe and how they must behave in the event of a cyberattack.
Although Clop exploited the zero-day vulnerability to access data via malware, further investigation will determine whether individual companies did their best to protect their data, and fines could run into millions of dollars if not.
What have others said about the data breach?
In the first days of June reported Reuters hackers exploiting a vulnerability in a popular file transfer tool to steal data. At the time, it was not known who was behind the attack or what his motivations were. Among other things, the report stated that the file transfer tool managed by MOVEit, created by Progress Software, had about two dozen users: “MoVEit Transfer was used by a relatively “small” number of customers compared to other software, which is more than 20.” Ian Pitt, chief computer scientist at Progress, told Reuters.
TechCrunch he also added that the way Clop works is similar to that of other ransomware operators and that the cybercriminal is expected to reach out to victims and demand ransom payments to decrypt or delete the stolen files. However, in this incident, Clop chose not to contact anyone and instead simply left a blackmailing message on his leak page and told victims to contact themselves.
The deadline for the first announcement expired on June 14.
If you want to know more about secure file transfer solutions, you can start by reading our in-depth guide Here. We also have a guide best file transfer software now, as well as a guide to the best ways to share large files. Also read about phishing with our “What is phishing” article as well as “Everything you need to know about phishing“.