Ransomware gang Cl0p has exploited a vulnerability in file transfer software MOVEit to compromise companies around the world. Security researcher Kevin Beaumont estimates “there are over one hundred” organizations affected by the attack, with British Airways, the BBC and Boots already confirmed as victims.
On its data leak site, Cl0p posted a message addressed to companies that use MOVEit, which security researchers have shared on Twitter. The ransomware gang warns companies, “chance is we download alot [sic] of your data as part of exceptional exploit.”
The gang is instructing affected companies to reach out to them by June 14th to negotiate a price for deleting their stolen data. As part of the negotiations, Cl0p says it will name a “price to delete” the company’s information and will allow the company to “ask for 2-3” random files “as proof we are not lying.”
Cl0p says negotiations about price may take up to 3 days. If no agreement is reached after that, the gang will create a page for the company on its leak site. It will begin to publish the affected company’s data “after 7 days,” and “after 10” it will close communications and continue to publish the stolen information.
Emsisoft threat analyst Brett Callow warns that customers of affected companies may also be contacted by Cl0p. As an example, he points to an email sent to a customer of a company breached by the gang in 2021.
The email detailed the customer’s personal information and threatened to use it for “spam mailings and other fraudulent transactions on the internet” if the company refused to pay. The gang urged the customer to “call the company and demand deletion of your data.” In other words, the gang was using customers to pressure the company into paying.
However, paying ransomware gangs is not recommended by the FBI. Although Cl0p claims otherwise, there’s no guarantee a gang will delete a company’s information even after they receive payment. They are criminals, after all. Plus, paying ransomware gangs proves their methods are effective, encouraging future attacks.