Clop using clearweb to publish MOVEit data

Data is freely available for all to view

The Clop ransomware gang has started creating publicly accessible websites to leak the data it stole in the recent MOVEit Transfer data theft attacks.

Citing security researcher Dominic Alvieri, BleepingComputer reports that Clop created its initial clearweb site for data stolen from business consulting firm PWC. It used that site to publish the company's information through four spanned ZIP archives.

Since then the group has proceeded to create websites for Aon, EY, Kirkland and TD Ameritrade.

Last year, the ALPHV ransomware gang, also known as BlackCat, started using a new extortion tactic involving the creation of clearweb websites, which are accessible through the public-facing internet and specifically target individual victims.

The shift in ALPHV's approach involved leaking stolen data and putting additional pressure on the victims to comply with ransom demands.

Ransomware data leak sites are commonly hosted on the Tor network, due to the higher difficulty in taking them down or seizing the operators' infrastructure. Tor's anonymity helps ransomware operators evade detection and maintain their operations more effectively.

However, this hosting method also brings its own set of challenges and issues.

Tor restricts access for users who are not familiar with it or don't have the necessary tools to access websites on the dark web; accessing sites on Tor requires a specialised Tor browser. In addition, dark web content is not indexed by search engines, and download speeds are often slow.

A clearweb website, on the other hand, is directly hosted on the public internet. Consequently, data leaked on these sites is likely to be indexed by search engines, amplifying its spread.

As reported by BleepingComputer, Clop's clearweb sites for leaking MOVEit victims' data lack the sophistication seen in those created by ALPHV.

At the time of writing, all of Clop's identified clearweb extortion sites have been taken offline, though the reason remains uncertain.

Clop gang earnings

According to a recent report from Coveware, Clop is projected to make a substantial profit of between $75 million and $100 million from the MOVEit campaign.

Clop launched the MOVEit hack in May, taking advantage of a zero-day vulnerability in the MOVEit Transfer secure file transfer platform.

The impact has been significant, affecting hundreds of companies globally, as well as some government organisations.

Coveware estimates that only a limited number of victims will comply with Clop's ransom demands. As a result, the gang has adapted its extortion strategy and is demanding significantly higher ransoms compared to previous data exfiltration attacks.

Coveware CEO Bill Siegel highlighted that Clop's success in the MOVEit attacks far surpasses its recent GoAnywhere data theft attacks. In the GoAnywhere campaign, Clop managed to breach only 130 victims and received minimal ransom payments.

In response to the severity of the Clop ransomware attacks, the US State Department last month announced a $10 million bounty for any information that could link the attacks to a foreign government.

Interestingly, the Clop gang has stated on its website that it would delete any data obtained from government agencies - although it is a criminal gang, so take that with a pinch of salt.