Companies impacted by a massive ransomware attack, including British Airways, the BBC and Boots, have been given a deadline of June 14 to negotiate for the release of their data or face it being published online. Russian criminal gang Cl0p has taken responsibility for the breach, which saw it initially hit payroll software company Zellis using a vulnerability in the MOVEit Transfer file transfer software. Cl0p claims hundreds of businesses have been exposed in the breach.
Cl0p used the MOVEit Transfer vulnerability to access information on Zellis servers. The company supplies payroll services to a host of big-name clients, including BA, the BBC, Boots and a third of the FTSE 100. As a result, records on hundreds of thousands of employees of at least eight businesses that work with Zellis have fallen into the hands of hackers.
MOVEit Transfer vulnerability victims given deadline by Cl0p
Last week, security companies flagged a zero-day vulnerability in MOVEit Transfer, owned by Progress Software, which appeared to be under active exploitation. Microsoft security researchers later confirmed that the criminals exploiting the loophole were members of Cl0p.
The bug has since been patched, but with over 3,000 internet-facing servers running MOVEit Transfer, many businesses have been exposed. Zellis is one of these, and confirmed on Monday data on some of its customers had been stolen by Cl0p. In addition to BA, the BBC and Boots, Irish airline Aer Lingus, Rochester University and the Government of Nova Scotia have also confirmed that they are among the victims.
In a blog post published today, Cl0p refers to itself as a “penetration testing service” rather than a cybercriminal gang. The post explains that a lot of data from “hundreds” of companies has been exfiltrated through the “exceptional exploit” of the MOVEit Transfer product.
What will Cl0p do next?
Cl0p offers 10% of a victim’s data to prove its validity, as well as two to three files on an individual basis “as proof we are not lying”. Each negotiation period will last three days and the deadline to pay is June 14. If this deadline is missed, the data will be published, the hackers have warned.
The amount of ransom being demanded from each company has not been published.
Though the group maintains it has deleted any data taken from “government, city or police services”, such claims are a common tactic among ransomware gangs trying to avoid excessive law enforcement attention. It is very common for data from such institutions to be exploited anyway.
“Cl0p’s claim to have deleted information relating to public sector organisations should be taken with a pinch of salt. If the information has monetary value or could be used for phishing, it’s unlikely that they will simply have disposed of it,” Brett Callow, threat researcher from Emsisoft, told the BBC.
The UK’s National Cyber Security Centre published an advisory on the breach on Monday, saying it “strongly encourages organisations to take immediate action by following vendor best practice advice and applying the recommended security updates.”
Cl0p is known to have been active for the last couple of years. Its other high-profile attacks include breaches of print management company PaperCut and security company Fortra, which saw the data of 63,000 children compromised.