CyberSecurity SEE

Clop’s MoveIt Transfer attacks yield varying outcomes

The Clop ransomware gang’s large-scale data extortion campaign against MoveIt Transfer customers has become a high-profile cyber campaign in recent weeks. However, experts are divided on how financially successful this campaign has been for the ransomware gang.

The campaign began when Progress Software disclosed a critical SQL injection vulnerability in its managed file transfer (MFT) product, MoveIt Transfer. Although the vendor released a patch alongside the disclosure, security vendors reported that the flaw had already been exploited in the wild as a zero-day. Microsoft later published research attributing the activity to a threat actor it tracks as “Lace Tempest,” which has been linked to the Clop ransomware gang.

Since then, many victims have come forward, disclosing data breaches as a result of the MoveIt Transfer attacks. These victims include private organizations in the U.K. and U.S. federal government agencies. Clop has also published the names of victim organizations on its leak site, threatening to release their stolen data.

Despite the number of high-profile victims, experts remain unsure of the campaign’s financial success. Brett Callow, an Emsisoft threat analyst, noted that there were well over 250 known MoveIt victims based on his tracking. However, it is unclear how much money the ransomware gang has made from this campaign. Data theft-only campaigns, in which attackers exfiltrate data without encrypting systems, generally see a lower share of victims paying than campaigns that also encrypt systems.

Mike Stokkel, a threat analyst at NCC Group subsidiary Fox-IT, estimated that around 2,500 MoveIt Transfer instances were vulnerable to the zero-day exploit. He believes it will take a few more weeks for all the victims to appear on Clop’s leak site, since sorting through petabytes of stolen data and conducting extortion negotiations takes time.

Bill Siegel, the CEO of ransomware-focused incident response firm Coveware, said that very few, if any, victims have paid the ransom, based on the firm’s tracking of the campaign. He attributed this to the fact that data extortion-focused campaigns are far less disruptive to victims than encryption-based ransomware attacks. In addition, the data stolen from these MFT instances is generally of lower quality, which may reduce its value as extortion leverage.

Siegel noted that Clop’s first campaign against Accellion in 2021 was likely the most financially successful. However, the incident response industry and victims have become more aware of the risks associated with paying ransoms for data theft-only attacks. There is no guarantee that threat actors will delete stolen data or refrain from using it for future extortion if paid.

Marcelo Rivero, a threat intelligence analyst at Malwarebytes, stated that from Clop’s perspective, the campaign has achieved mixed success. While the ransomware gang was able to exploit a previously unknown vulnerability, the high publicity, scrutiny, and low quality of stolen data may have compromised their objectives.

It is important to note that victims of these attacks still have regulatory reporting and breach notification obligations, even if they pay the ransom. Because the attacks stole data rather than encrypting systems, the core operations of the victims affected by Clop’s MoveIt campaign remain intact, but the organizations must still grapple with legal, privacy, and communication issues.

TechTarget Editorial reached out to Clop for comment, but the gang did not respond at the time of publication. As the campaign continues to unfold, experts will closely monitor the financial implications for both the ransomware gang and the victims affected by the attacks.
