Hacker gang Clop publishing names on dark web shows that Black Cat’s tormenting of HWL Ebsworth follows a depressingly predictable pattern

June 18, 2023 |

it is usual practice for hacker gangs to publish names and other data taken from an organisation if a ransom is not paid. Sometimes it is done even without a demand for ransom. It is a malicious act but that is what criminal gangs do. So it is hardly extraordinary that Black Cat has done that with the data stolen from HWL Ebsworth. In that case it has published only a third of the data stolen. That is possibly because Black Cat retains hope that a ransom will be paid for the balance of the documents or that it wants to extend the pain it wants to inflict upon HWL Ebsworth. Another well practised option is to negotiate with organisations and agencies affected by the data breach. Alternatively it could sell the remaining data to interested players. It is impossible to say and Black Cat is not in the business of advertising its moves so it is a matter of wait for the next move. And it will come.

The BBC reports in Hacker gang Clop publishes victim names on dark web on another instance of he odious practice of publishing names on the dark web as a result of a mass hack. It is a slightly different approach, posting names rather than a document drop per se. Publish the names before public disclosure of the stolen data. Clop found a zero day vulnerability on the MOVEit site.  Because MOVEit is a platform designed to transfer data between organisations Clop had access to masses of data stored on MOVEit’s platform which it stole. The data belonged to a number of organsiations and institutions.  Bleeping Computer covers the story well with Clop ransomware gang starts extorting MOVEit data-theft victims

There is a strong similarity between the HWL Ebsworth and the MOVEit data breaches.  In both cases the value to the hackers of the data stolen is that it comes from a range of entities rather than the data belonging to the entity breached.  In HWL Ebsworth’s case Black Cat downloaded data belonging to clients and other entities from 2,000 data sites within the firm’s system.  In MOVEit’s case Clop stole data from its platform.  The intent is the same, using the threat of release of date for payment.  

The BBC article provides:

The names and company profiles of dozens of victims of a global mass hack have been published by a cyber crime gang holding their stolen data to ransom.

On Wednesday, the hacker group Clop began posting names of firms to its website on the darknet.

Twenty six organisations including banks and universities have been added to try to pressure victims into paying.

US federal bodies have also been targeted.

The US Cybersecurity and Infrastructure Security Agency told CNN it “is providing support to several federal agencies that have experienced intrusions affecting their MOVEit applications”.

It is not known which agencies are affected or what data stolen, but cyber authorities say they do not expect it to have significant impact.

The mass hack is likely to have affected hundreds of organisations around the world with around 50 so far confirmed either by the firms themselves or by the hackers.

On the hacker’s so called ‘leak site’ there are companies from the US, Germany, Belgium, Switzerland and Canada.

Oil giant Shell was posted on Wednesday and has since confirmed it is a victim.

The BBC is choosing not to name the other firms.

Ransomware gangs like Clop use their leak sites to “name and shame” victims into paying by posting company profiles. It is a well-trodden and often profitable process.

“Once Clop names companies to its data leak site, the group will start its rounds of negotiations with affected organisations, demanding ransom payments in order to avoid their data being breached, said Chris Morgan, senior cyber threat intelligence analyst at ReliaQuest.

Mr Morgan says the hackers will hope that the victims make contact and set a deadline of how long they have before their data is made public.

Clop has been known to demand ransoms of hundreds of thousands, sometimes millions of dollars but police forces around the world discourage victims from paying as it fuels these criminal gangs.

The MOVEit hack was first disclosed on 31 May when US company Progress Software said hackers had found a way to break into its MOVEit Transfer tool.

MOVEit is software designed to move sensitive files securely and is popular around the world with most of its customers in the US.

Progress Software said it alerted its customers as soon as the hack was discovered and quickly released a downloadable security update.

But the criminals were already able to use their access to get into the databases of potentially hundreds of other companies.

Payroll services provider Zellis, which is based in the UK, was a MOVEit user which was subsequently breached. Zellis has confirmed that eight UK organisations have had data stolen as a result, including home addresses, national insurance numbers and, in some cases, bank details.

Not all firms have had the same data exposed.

The Bleeping Computer article provides:

The Clop ransomware gang has started extorting companies impacted by the MOVEit data theft attacks, first listing the company’s names on a data leak site—an often-employed tactic before public disclosure of stolen information

These entries come after the threat actors exploited a zero-day vulnerability in the MOVEit Transfer secure file transfer platform on May 27th to steal files stored on the server.

The Clop gang took responsibility for the attacks, claiming to have breached “hundreds of companies” and warning that their names would be added to a data leak site on June 14th if negotiations did not occur.

If an extortion demand is not paid, the threat actors say they will begin leaking stolen data on June 21st.

Clop begins extorting companies

Yesterday, the Clop threat actors listed thirteen companies on their data leak site but did not state if they were related to the MOVEit Transfer attacks or were ransomware encryption attacks.

Since then, one of the companies, Greenfield CA, has been removed, indicating the listing was either a mistake or negotiations are taking place.

Five of the listed companies, British multinational oil and gas company Shell, UnitedHealthcare Student Resources (UHSR), the University of Georgia (UGA) and University System of Georgia (USG), Heidelberger Druck, and Landal Greenparks, have since confirmed to BleepingComputer that they were impacted in varying degrees by the MOVEit attacks.

Shell said only a small number of employees and customers were impacted and Landal told BleepingComputer the threat actors accessed the names and contact information for approximately 12,000 guests.

The University System of Georgia, University of Georgia, and UnitedHealthcare Student Resources told BleepingComputer they are still investigating the attack and will disclose any breaches if discovered.

German printing company Heidelberger Druck told BleepingComputer that while they use MOVEit Transfer, their analysis indicates it did not lead to any data breach.

Putnam Investments, who is also listed on Clop’s data leak site, told BleepingComputer they are looking into the matter.

While the other companies listed on Clop’s site have not responded to our emails, Macnica security researcher Yutaka Sejiyama shared data with BleepingComputer confirming that they currently use the MOVEit Transfer platform or have done so in the past.

Already disclosed data breaches

Other organizations who have already disclosed MOVEit Transfer breaches include, Zellis (BBC, Boots, and Aer Lingus, Ireland’s HSE through Zellis), the University of Rochester, the government of Nova Scotia, the US state of Missouri, the US state of IllinoisBORN OntarioOfcamExtreme Networks, and the American Board of Internal Medicine.

In similar attacks in the past using zero-day vulnerabilities in Accellion FTAGoAnywhere MFT, and SolarWinds Serv-U managed file transfer attacks, the threat actors demanded $10 million ransoms to prevent the leaking of data.

BleepingComputer has learned the extortion operation was not very successful in the GoAnywhere extortion attempts, with companies preferring to disclose data breaches rather than pay a ransom.

Today, CNN reported that the U.S. Cybersecurity and Infrastructure Security Agency (CISA) was working with several U.S. federal agencies had also been breached using the MOVEit zero-day vulnerability. Two U.S. Department of Energy (DOE) entities were also compromised, according to Federal News Network.

However, the Clop threat actors previously told BleepingComputer that they automatically deleted any data stolen from the government.

“I want to tell you right away that the military, children’s hospitals, GOV etc like this we no to attack, and their data was erased,” claimed the ransomware operation.

Unfortunately, once data is stolen, there is no way to confirm if data is actually deleted as promised, and should be assumed to be at risk.

Leave a Reply

Verified by MonsterInsights