The Clop ransomware gang told BleepingComputer that they were behind the MOVEit Transfer data theft attacks, where a zero-day vulnerability was used to compromise multiple companies’ servers and steal data.
This confirms Microsoft’s Sunday night attribution to a hacker group they’re tracking as “Lace Tempest,” also known as TA505 and FIN11.
A Clop spokesperson also confirmed that they began exploiting the vulnerability on May 27, during the long US Memorial Day holiday, as previously reported by Mandiant.
Attacking during holidays is a common tactic for the Clop ransomware operation, which has previously undertaken large-scale exploitation attacks during holidays when staffing is minimal.
For example, they exploited a similar Accellion FTA zero-day vulnerability on December 23, 2020, to steal data just in time for the Christmas holiday.
While Clop did not share the number of organizations compromised in the MOVEit Transfer attacks, they said victims would be listed on their data breach website if the ransom was not paid.
Furthermore, the ransomware gang confirmed that they have not started extorting victims, perhaps using the time to review data and determine what is valuable and how it can be used to increase ransom demands on compromised companies.
In the gang’s recent GoAnywhere MFT attacks, Clop waited more than a month to send ransom demands to organizations.
Finally, and without prompting, the ransomware gang told BleepingComputer that they have deleted any data stolen from governments, the military, and children’s hospitals in these attacks.
“I want to tell you right away that the military, children’s hospitals, GOV, etc. are being attacked and their data has been deleted,” Clop said in an email to BleepingComputer.
BleepingComputer does not in any way confirm whether these claims are accurate, and as with any data theft attack, all affected organizations should treat their data as being at risk of misuse.
While Clop started out as a ransomware operation, the group previously told BleepingComputer that they are moving away from encryption and favoring data mining instead.
The first victims appear
We have also seen the first disclosures from organizations breached in Clop’s MOVEit data theft attacks.
UK payroll and HR solutions provider Zellis has confirmed it suffered a data breach as a result of the attacks, which also affected some of its customers.
“A large number of companies around the world have been affected by a zero-day vulnerability in Progress Software’s MOVEit Transfer product,” Zellis said in a statement to BleepingComputer.
“We can confirm that a small number of our customers have been affected by this global issue and we are actively working to support them. All software owned by Zellis is intact and there are no incidents or compromises with any other part of our IT estate.”
“When we became aware of this incident, we took immediate action by shutting down the server running the MOVEit software and bringing in an expert external security incident response team to assist with forensic analysis and ongoing monitoring. We have also informed the ICO, DPC and NCSC in both Great Britain and Ireland.”
Aer Lingus confirmed to BleepingComputer that they were breached through the Zellis MOVEit compromise.
“However, it has been confirmed that no financial or banking information relating to current or former Aer Lingus employees was compromised during this incident,” Aer Lingus said in a statement.
“It has also been confirmed that no telephone contact details relating to current or former Aer Lingus employees have been compromised.”
As reported by The Record, British Airways also confirmed that they were affected by the Zellis breach.
Unfortunately, as we’ve seen with previous Clop attacks on managed file transfer platforms, we’ll likely see a long stream of company disclosures as time goes on.