BBC, BA and Boots issued ultimatum by cyber gang Clop – bbc.com

  • By Joe Tidy
  • cyber correspondent

Jun 7, 2023 at 1:19 am BST


A prolific cybercrime gang believed to be based in Russia has issued an ultimatum to victims of a hack that has hit businesses around the world.

The Clop group issued a warning on the dark web to companies affected by the MOVEit hack, urging them to email the gang before June 14 or the stolen data will be made public.

More than 100,000 BBC, British Airways and Boots employees have been told that payroll data may have been stolen.

Employers are being urged not to pay if the hackers demand a ransom.

Cybersecurity researchers had previously suggested that Clop could be responsible for the hack, which was first announced last week.

The criminals found a way to break into popular enterprise software called MOVEit, and then used that access to break into the databases of potentially hundreds of other companies.

Microsoft analysts said Monday they believe Clop is to blame based on the techniques used in the hack.

This has now been confirmed in a lengthy blog post written in broken English.

The post, seen by the BBC, says: “This is an announcement to educate companies using the Progress MOVEit product that there is a possibility that we may be downloading much of your data as part of an exceptional exploit.”

The post also urged victim organizations to email the gang to start negotiations on the gang’s dark web portal.

This is an unusual tactic, as hackers usually email ransom demands to victim organizations. In this case, however, they require the victims to get in touch. This could be because Clop itself cannot keep up with the scale of the hack, which is still being processed worldwide.

“I assume they just have so much data that it’s difficult for them to keep track of it. They bet they will be contacted when they know,” says Amir Hadžipasić, CEO of SOS Intelligence.

MOVEit is supplied by US-based Progress Software and is used by many companies to securely move files around company systems. One of its users was the UK-based payroll service provider Zellis.

Zellis has confirmed that data was stolen from eight UK organisations as a result, including home addresses, social security numbers and in some cases bank details. Not all companies had the same data disclosed.

Zellis customers who have experienced breaches include:

  • BBC
  • British Airways
  • Aer Lingus
  • Boots

The Nova Scotia government and the University of Rochester are also warning their employees that data may have been stolen through the MOVEit vulnerability.

The advice from experts is that individuals should not panic and that organizations should carry out security reviews conducted by agencies such as the Cyber Security and Infrastructure Authority in the US.

Clop claims on its leaks page that it deleted any data from government, city, or police services.

“Don’t worry, we have deleted your data. You don’t have to contact us. We have no interest in disclosing such information.”

However, researchers say the criminals cannot be trusted.

“Clop’s claim to have deleted information on public sector organizations should be taken with a pinch of salt. If the information has monetary value or could be used for phishing, it’s unlikely they just dumped it,” said Brett Callow, a threat researcher at Emsisoft.

Cyber security experts have long followed exploits from Clop, which is believed to be based in Russia since it mostly operates on Russian-language forums.

Russia has long been accused of being a safe haven for ransomware gangs — which it denies.

However, Clop runs as a “ransomware as a service” group, meaning hackers can rent its tools to launch attacks from anywhere.

At the time, authorities claimed to have cracked down on the group they say is responsible for extorting $500 million from victims around the world.

But Clop continues to be an ongoing threat.