The Clop ransomware gang has told BleepingComputer they are behind the MOVEit Transfer data-theft attacks, where a zero-day vulnerability was exploited to breach multiple companies’ servers and steal data.
This confirms Microsoft’s Sunday night attribution to the hacking group they track as ‘Lace Tempest,’ also known as TA505 and FIN11.
The Clop representative further confirmed that they started exploiting the vulnerability on May 27th, during the long US Memorial Day holiday, as previously disclosed by Mandiant.
Conducting attacks around holidays is a common tactic for the Clop ransomware operation, which has previously undertaken large-scale exploitation attacks during holidays when staff is at a minimum.
For example, they exploited a similar Accellion FTA zero-day vulnerability on December 23rd, 2020, to steal data right at the start of the Christmas holiday.
While Clop stated they would not share the number of organizations breached in the MOVEit Transfer attacks, they said that victims would be displayed on their data leak site if a ransom was not paid.
Furthermore, the ransomware gang confirmed that they have not begun to extort victims, likely using the time to review data and determine what is valuable and how it could be used to leverage a ransom demand from breached companies.
In the gang’s recent GoAnywhere MFT attacks, Clop waited over a month to email ransom demands to organizations.
Finally, and unprompted, the ransomware gang told BleepingComputer that they had deleted any data stolen from governments, the military, and children’s hospitals during these attacks.
“I want to tell you right away that the military, children’s hospitals, GOV etc like this we no to attack, and their data was erased,” Clop said in their email to BleepingComputer.
BleepingComputer has no way of confirming if these claims are accurate, and as with any data-theft attack, all impacted organizations should treat the data as if it is at risk of abuse.
While Clop started as a ransomware operation, the group previously told BleepingComputer that they are moving away from encryption and prefer data-theft extortion instead.
First victims come forward
We also saw our first disclosures from organizations breached in Clop’s MOVEit data-theft attacks.
UK payroll and HR solutions provider Zellis confirmed that it suffered a data breach due to these attacks, which also impacted some of its customers.
“A large number of companies around the world have been affected by a zero-day vulnerability in Progress Software’s MOVEit Transfer product,” Zellis told BleepingComputer in a statement.
“We can confirm that a small number of our customers have been impacted by this global issue and we are actively working to support them. All Zellis-owned software is unaffected and there are no associated incidents or compromises to any other part of our IT estate.”
“Once we became aware of this incident we took immediate action, disconnecting the server that utilises MOVEit software and engaging an expert external security incident response team to assist with forensic analysis and ongoing monitoring. We have also notified the ICO, DPC, and the NCSC in both the UK and Ireland.”
Aer Lingus confirmed to BleepingComputer that they suffered a breach through the Zellis MOVEit compromise.
“However, it has been confirmed that no financial or bank details relating to Aer Lingus current or former employees were compromised in this incident,” reads a statement from Aer Lingus.
“It has also been confirmed that no phone contact details relating to Aer Lingus current or former employees were compromised.”
As reported by The Record, British Airways has also confirmed the Zellis breach impacted them.
Unfortunately, as we have seen with previous Clop attacks on managed file transfer platforms, we will likely see a long stream of company disclosures as time goes on.