IOTW: Clop ransomware gang threatens BBC, Boots and BA

Ransomware gang Clop, which was responsible for a cyber attack on data transfer service MOVEit, has issued a threat to all those affected by the breach.


The attack on MOVEit directly led to a data breach affecting payroll services provider Zellis, as the company uses MOVEit as a third-party provider. This exposed the data of over 100,000 employees from a number of companies including the British Broadcasting Company (BBC), health and beauty retailer Boots and UK airline British Airways. This data includes all data employees will have provided for payroll purposes, including their names, home and email addresses, dates of birth, UK National Insurance numbers, bank details and phone numbers.

The threat, which was issued via the dark web, tells the companies affected to contact the ransomware group by June 14 or their data will be posted online. According to the BBC, a victim of the cyber attack, the post addressed the others affected by the attack: “This is [sic] announcement to educate companies who use Progress MOVEit product that chance is that we download [sic] a lot of your data as part of [sic] exceptional exploit.” The post went on to urge victims to contact the gang via their darknet portal to begin a negotiation for the release of their or their fellow employee’s data.

Usually, ransomware demands are sent directly to victims rather than requesting victims get in touch. This unusual action has prompted some speculation on why Clop would proceed in this way, with Amir Hadžipasić, CEO of cyber security software company SOS Intelligence, telling the BBC that he predicts that the malicious actors “just have so much data that it is difficult for them to get on top of it all” and that they are “betting” on victims contacting them.

Only employees who work for local or national government or the police services may be safe from the attack, with Clop addressing them directly. The ransomware gang told these employees to “not worry”. They continued, saying “we erased your data you do not need to contact us. We have no interest to expose [sic] such information”. The legitimacy of this statement has been called into question, however.


The cyber attack on MOVEit and Zellis

The cyber attack against MOVEit saw Clop exploit a critical vulnerability in MOVEit’s infrastructure. This allowed the malicious actors to break into multiple company networks and steal data.

The vulnerability was flagged by security researchers and the US government on June 1. The US Cybersecurity and Infrastructure Security Agency (CISA) urged all MOVEit clients to check for indications that malicious actors had gained unauthorized access to their networks over the past 30 days and to download and install the software patch released by MOVEit to address the issue.

On June 5, a third-party user of MOVEit, Zellis, issued a statement to its users that MOVEit had been the victim of a cyber attack. The payroll services company explained that this had led to a “small number of [its] customers [being] impacted by this global issue”, meaning their employee data had been breached.

Once Zellis became aware of the attack, the company disconnected its server that utilizes MOVEit software and engaged an external cyber security company to conduct a forensic investigation into the cyber attack and to further monitor its systems. The Information Commissioner’s Office (ICO), the Data Protection Commission (DPC) and the National Cyber Security Center (NCSC) in both the UK and Ireland have also been contacted regarding the cyber security incident.


