View all newsletters
Receive our newsletter - data, insights and analysis delivered to you

Cl0p issues deadline to British Airways and BBC after cyberattack exploiting MOVEit Transfer vulnerability

Hundreds of companies have been exposed in the breach, the criminals say. They have a week to pay up or face the consequences.

By Claudia Glover

Companies impacted by a massive ransomware attack, including British Airways, the BBC and Boots, have been given a deadline of June 14 to negotiate for the release of their data or face it being published online. Russian criminal gang Cl0p has taken responsibility for the breach, which saw it initially hit payroll software company Zellis using a vulnerability in the MOVEit Transfer file transfer software. Cl0p claims hundreds of businesses have been exposed in the breach.

BBC employees have seen their data fall into the hands of Russian cybergang Cl0p (Photo by IR Stone/Shutterstock)

Cl0p used the MOVEit Transfer vulnerability to access information on Zellis servers. The company supplies payroll services to a host of big name clients, including BA, the BBC, Boots and a third of the FTSE 100. As a result, records on hundreds of thousands of employees of at least eight businesses that work with Zellis have fallen into the hands of hackers.

MOVEit Transfer vulnerability victims given deadline by Cl0p

Last week security companies flagged a zero-day vulnerability in MOVEit Transfer, owned by Progress Software, which appeared to be under active exploitation. Microsoft security researchers later confirmed the criminals exploiting the loophole were members of Cl0p.

The bug has since been patched, but with over 3,000 internet-facing servers running MOVEit Transfer, many businesses have been exposed. Zellis is one of these, and confirmed on Monday data on some of its customers had been stolen by Cl0p. In addition to BA, the BBC and Boots, Irish airline Aer Lingus, Rochester University and the Government of Nova Scotia have also confirmed that they are among the victims.

In a blog post published today, Cl0p refers to itself as a “penetration testing service” rather than a cybercriminal gang. The post explains that a lot of data from “hundreds” of companies has been exfiltrated through the “exceptional exploit” of the MOVEit Transfer product.

What will Cl0p do next?

Cl0p offers 10% of a victim’s data to prove its validity, as well as two to three files on an individual basis “as proof we are not lying”. Each negotiation period will last three days and the deadline to pay is June 14. If this deadline is missed, the data will be published, the hackers have warned.

The amount of ransom being demanded from each company has not been published.

Content from our partners
Scan and deliver
GenAI cybersecurity: "A super-human analyst, with a brain the size of a planet."
Cloud, AI, and cyber security – highlights from DTX Manchester

Though the group maintains it has deleted any data from “government, city or police services”, this is a common tactic of ransomware gangs to try to avoid excessive law enforcement activity. It is very common, however, that data from such institutions is exploited anyway.

“Cl0p’s claim to have deleted information relating to public sector organisations should be taken with a pinch of salt. If the information has monetary value or could be used for phishing, it’s unlikely that they will simply have disposed of it,” Brett Callow, threat researcher from Emsisoft, told the BBC.

The UK’s National Cyber Security Centre published an advisory on the breach on Monday, saying it “strongly encourages organisations to take immediate action by following vendor best practice advice and applying the recommended security updates.”

Known to have been active for the last couple of years, Cl0p’s other high-profile attacks include breaches of print management company PaperCut and security company Fortra, which saw the data of 63,000 children compromised.

Read more: Cyclops cybercriminals create info-stealing ransomware

Topics in this article :
Websites in our network
Select and enter your corporate email address Tech Monitor's research, insight and analysis examines the frontiers of digital transformation to help tech leaders navigate the future. Our Changelog newsletter delivers our best work to your inbox every week.
  • CIO
  • CTO
  • CISO
  • CSO
  • CFO
  • CDO
  • CEO
  • Architect Founder
  • MD
  • Director
  • Manager
  • Other
Visit our privacy policy for more information about our services, how Progressive Media Investments may use, process and share your personal data, including information on your rights in respect of your personal data and how you can unsubscribe from future marketing communications. Our services are intended for corporate subscribers and you warrant that the email address submitted is your corporate email address.