Ransomware group 'Cl0p' threatens to expose confidential information from hundreds of companies, including the BBC and airlines, and the extortion deadline is approaching as the incident grows into a very large one



It has become clear that hundreds of companies have been attacked by a hacker group called 'Cl0p (Clop)', which stole their data and is demanding ransom. The vulnerability exploited by Cl0p has already been identified, and the Federal Bureau of Investigation (FBI) and the United States Cybersecurity and Infrastructure Security Agency (CISA) have jointly published a countermeasure advisory.

#StopRansomware: CL0P Ransomware Gang Exploits CVE-2023-34362 MOVEit Vulnerability | CISA
https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-158a

Observed Exploitation of MOVEit Transfer Vulnerability CVE-2023-34362 | Rapid7 Blog
https://www.rapid7.com/blog/post/2023/06/01/rapid7-observed-exploitation-of-critical-moveit-transfer-vulnerability/

Ransomware group Clop issues extortion notice to 'hundreds' of victims
https://therecord.media/clop-extortion-hundreds-organizations-moveit-vulnerability

Clop crew sets extortion deadline for MOVEit victims • The Register
https://www.theregister.com/2023/06/07/clop_crew_sets_extortion_deadline/

On May 31, 2023, before Cl0p's activities came to light, a serious vulnerability was found in the file transfer tool 'MOVEit Transfer' developed by the software company Progress. In early June 2023, attacks exploiting the vulnerability were confirmed, and on June 5, 2023, Microsoft attributed the exploitation to the cybercriminal group Lace Tempest, which is known for deploying Cl0p ransomware.




It then became clear that Cl0p's attack had reached hundreds of companies, including the major British broadcaster 'BBC' and the airline 'British Airways'. According to information released by the FBI and CISA, companies attacked by Cl0p received the following email.

Hello. I'm Cl0p from the hacker group. As you know, we recently carried out a hack and it was reported by the news site '[REDACTED]'.

We have stolen important data from your GoAnywhere MFT (File Transfer Tool) resource. I am attaching a list of files as proof.

We would like to negotiate with you or the person in charge without disclosing your organization's name. But if you ignore it, we will sell the stolen data on the black market and publish it on our blog, which has 30,000-50,000 visitors per day. You can find out more about us at [REDACTED] by searching for 'CLOP hacker group'.



According to reports, Cl0p initially set the ransom payment deadline as June 12, 2023, but later extended it to June 14, 2023. The ransom payment procedure was laid out in the following message.

Step 1: List your organization on this page if you have not heard from us by June 14, 2023.
Step 2: Once you receive the chat URL, visit the link and introduce yourself.
Step 3: We will present 10% of the data we hold as evidence and present the cost of deletion.
Step 4: We can give you a couple of files to prove we're not lying.
Step 5: You have 3 days to negotiate the price.
Step 6: After 7 days, start preparing your data for publication.
Step 7: Chat expires in 10 days.



The FBI and CISA recommend the following actions to mitigate Cl0p attacks:
・Make an inventory of the information you own, and clarify which devices and software are permitted to access that information and which are not.
・Grant administrator privileges and access privileges only when necessary.
・Create an allow list so that only legitimate software can run.
・Monitor the network and enable security configurations on the devices in it.
・Perform software updates and vulnerability assessments on a regular basis.

in Security, Posted by log1o_hf