The Clop ransomware gang's large-scale data extortion campaign against MoveIt Transfer customers has proven to be one of the most high-profile cyber campaigns in recent memory. But experts are unsure of how lucrative Clop's campaign has been.
Progress Software on May 31 detailed a critical SQL injection bug, now tracked as CVE-2023-34362, in its managed file transfer (MFT) product MoveIt Transfer. Though the vendor released a patch later that day, security vendors reported soon after that the flaw had already been exploited in the wild. Microsoft in early June published research tying threat activity to an actor dubbed "Lace Tempest," which it said was connected to the Clop ransomware gang.
What followed was a wave of data extortion attacks accomplished via exploitation of the flaw. Dozens of victims have disclosed breaches in the weeks since, including private organizations in the U.K. as well as U.S. federal government agencies.
Many other victim organizations have had their names published to Clop's leak site under threat having their stolen data published, such as oil giant Shell Global. Shell was also previously breached as part of Clop's attacks on Accellion File Transfer Appliance two years ago, which exploited a vulnerability in a similar MFT product.
But despite Clop's MoveIt campaign capturing many big names, and despite its high-profile nature, experts are split on how financially successful the campaign has been for the ransomware gang.
Clop names hundreds of victims
Clop is a ransomware-focused threat actor that first emerged in 2019. It has been tied to a number of major attacks and threat campaigns. Most recently, 91 victims were added to the gang's data extortion leak site in March -- well before the MoveIt campaign began -- because it successfully exploited a zero-day flaw in Fortra's GoAnywhere MFT product.
The number of victims from the MoveIt Transfer attacks appear to be even higher. Emsisoft threat analyst Brett Callow tweeted Tuesday that based on his tracking, there were well over 250 known MoveIt victims, including 23 U.S. schools, and more than 17,000,000 individuals have been impacted. The numbers are in a significant part based on Clop's data leak site, though it should be noted some organizations listed on the site have denied suffering a compromise.
The gang said on its site in early June that it had erased any data connected to government agencies, city services or police departments and that these organizations have no need to contact the ransomware gang.
Regardless of whether this decision was to keep the threat of law enforcement away, the U.S. Department of State offered up to $10 million via a tweet on June 16 for "info linking CL0P Ransomware Gang or any other malicious cyber actors targeting U.S. critical infrastructure to a foreign government."
Callow said that while the MoveIt campaign has "certainly been successful" in terms of scope, he was unclear on how monetarily successful the campaign was. Campaigns driven by exfiltration-only attacks seem to have a lower conversion rate than those involving extortion, he explained.
"That said, the attackers do not necessarily need lots of payments for a campaign to be successful," Callow said. "A single multi-million-dollar payment may be all that they need."
During the disclosure process, some Clop victims have referred to the attacks they suffered as "ransomware," while others solely referred to data theft. All sources TechTarget Editorial spoke with said the discrepancy was almost certainly due to differing definitions regarding whether data theft-only attacks without an encryption component can be considered ransomware. The sources said that to date, Clop's MoveIt Transfer-focused attacks appear to have been opportunistic, data theft-only affairs.
Questionable financial success
Mike Stokkel, threat analyst at NCC Group subsidiary Fox-IT, said that at the time when MoveIt Transfer was confirmed to contain a critical zero-day, "around 2,500 MoveIt appliances were internet reachable and, thus, vulnerable."
"If they have compromised all these MoveIt appliances and stolen all the data stored on these systems, I expect that it will take a few more weeks before all the victims are published," he said. "Going through petabytes of stolen data used for extortion and performing negotiation would take some time."
Bill Siegel, co-founder and CEO of ransomware-focused incident response firm Coveware, said he estimated "very few, if any" victims of the attack have paid based on the firm's tracking of the campaign.
He gave two primary reasons: Data extortion-focused campaigns like this are less disruptive than ransomware campaigns that encrypt systems. And he felt the data stolen from these MFT instances are "generally lower quality from the actor perspective."
"In terms of success, Clop's first campaign against Accellion in 2021 was probably the most successful financially," Siegel wrote in an email. "Since then, the IR [incident response] industry and victims have gotten a lot smarter about the value of paying ransoms for [data theft-only extortion attacks] where a bit of negative PR is really the only worry. Victims of these attacks are not absolved from any of their reporting or notification obligations if they pay a ransom, and there is no way to audit or prove that threat actors delete stolen data or won't use it for future extortion if paid. We have seen over time that these two 'promises' by the threat actors tend to degrade over time."
Still, Siegel called Clop's MoveIt campaign "one of the most sophisticated, mass exploitation campaigns that a ransomware group has carried out." While it has caused "a lot of work" for victims, the attacks have been generally less disruptive than conventional ransomware attacks. This is in line with what CISA Director Jen Easterly said following MoveIt Transfer-focused attacks against U.S. federal agencies.
"The victims of Clop that had their MOVEit instances compromised are just having to deal with the legal/privacy/communications issues," Siegel said in an email to TechTarget Editorial. "Their core operations are fine."
Malwarebytes threat intelligence analyst Marcelo Rivero said that from Clop's perspective, the campaign has achieved "mixed success."
"While they have exploited a previously unknown vulnerability, the campaign's high publicity, subsequent scrutiny, [victims'] swift mitigation efforts, and the generally low quality of stolen data may have compromised [Clop's] objectives," he said.
TechTarget Editorial contacted Clop for comment, but the gang has not responded at press time.
Alexander Culafi is a writer, journalist and podcaster based in Boston.