Last updated on May 8th, 2024 at 11:47 pm
On Friday, the State of Illinois and the Minnesota Department of Education both revealed they were victims of the Cl0p ransomware gang. Cl0p exploited a vulnerability in the MOVEit file transfer software at the end of May, breaching as many as hundreds of organizations worldwide.
Minnesota Department of Education
The Minnesota Department of Education (MDE) reported that 24 of their files were accessed using the exploit on May 31st, the same day they were made aware of the vulnerability.
These 24 files contained information on 95,000 students in foster care, 124 students in the Perham School District, 29 students at Hennepin Technical College, and 5 students who took a particular bus route.
The stolen information included student names, addresses, dates of birth, and, in the case of students at Hennepin Technical College, academic transcripts and the last 4 digits of the students’ SSNs. However, MDE reported that financial information was not accessed.
State of Illinois
The Illinois Department of Innovation & Technology (DoIT) reported its security teams responded to Cl0p’s attack “within minutes” and kicked the gang out of its networks “within three hours”. Nonetheless, it “believes a large number of individuals could be impacted” by the hack.
DoIT is carrying out an investigation to figure out the scope of the attack and identify whose information was stolen. Once it has done so, it will make a public announcement and set up a call center to help those who were affected.
Ransom demands
While MDE claimed in their press release that “there have been no ransom demands”, Cl0p posted a message to all affected organizations on their leak site. In the message, Cl0p asked organizations to contact them to negotiate the price to delete their stolen information.
The gang added, “If you are a government, city or police service do not worry, we erased all your data.” Whether the cybercriminals can be trusted, however, remains to be seen.
Update June 14th
The State of Missouri announced on June 13th that they had also been impacted by the MOVEit vulnerability. In a public statement, the state’s Office of Administration noted that they were investigating the incident and would make a public announcement “once entities, individuals, or systems who may have been impacted are identified.”