The cyber criminals believed to be behind the MOVEit File Transfer supply chain attack have taken the unusual step of demanding victims contact them first to negotiate extortion payments.
In a broken-English statement published on its deep web blog, Cl0p announced victims have seven days to contact the group to negotiate a payment before their data is posted online.
The approach taken by the group is atypical from most extortion scenarios which usually sees the attackers approach the victims first.
Members of the cyber security industry have speculated that Cl0p, which was blamed for the supply chain attack by Microsoft earlier this week, has ingested too much data for it to identify the company to which it belongs.
ThreatLabz Report: The state of encrypted attacks
What's hiding in your web traffic?
“The attackers have chosen to ask their victims to begin negotiation tactics by reaching out initially but this approach deviates from the norm as typically ransom demands are sent to the targeted organizations with a predetermined amount chosen by the hackers,” said Jake Moore, global cyber security advisor at ESET.
”This decision is likely to stem from the overwhelming magnitude of the ongoing hack which is still affecting large numbers of systems worldwide and potentially overpowering the capabilities of Cl0p itself.”
“Sure looks like they can’t keep up with the scale of the hack,” said Dominic Alvieri, cyber security researcher, in a tweet.
Cl0p gave victims a deadline of 14 June to begin negotiations. Failure to contact the attackers will lead to the publication of stolen data, according to the group’s statement.
The information provided was unclear in places. A final deadline of 14 June was given, but it’s not certain if victims can contact Cl0p on the 14th and still benefit from the three-day negotiation window or not.
Cl0p also stated that victims’ chats will be closed and its data then published after ten days of non-productive talks, adding to the confusion around the true absolute final deadline for victims.
The attackers said data belonging to government, city, or police services has already been erased.
“You do not need to contact us. We have no interest to expose such information,” Cl0p said.
The reason for these exceptions is likely rooted in the social pressure placed on cyber criminal operations to not target organizations with shallow pockets and those that operate essential services such as hospitals.
Regardless, experts have advised to remain cautious since cyber criminals have been known to lie in such statements.
“Cl0p claims to have deleted information relating to public sector organizations but from what we have learnt in the past is that we cannot trust the words of cyber criminals and therefore, anyone who believes their data has been stolen must remain on high alert,” said Moore.
“Although it is never advised to pay ransom demands to cyber criminals, there is an inevitable risk that some of the targeted companies will succumb to the pressure. This will only fuel the fire and continue the cycle of this devastating criminal group.
“It is more important that the companies affected are open and honest with their employees and customers offering support in how to protect themselves and how to spot follow-up phishing and smishing attacks.”
What is the MOVEit cyber attack?
News broke of the exploitation of a zero-day vulnerability in the MOVEit file transfer product, developed by Progress subsidiary Ipswitch, on 31 May.
The application is used by thousands of major organizations across the world, and has already impacted the likes of British Airways, Aer Lingus, the BBC, and UK retailer Boots.
Three ways to evolve your security operations
Why current approaches aren’t working
Experts at the time revealed that their telemetry indicated that other victims may include banks and areas of the US government.
The vulnerability, tracked as CVE-2023-34362, has been added to CISA’s known exploited vulnerabilities list which compels federal agencies to apply available patches expeditiously.
Every version of MOVEit Transfer is thought to be affected by the vulnerability and organizations have been urged to apply the patch released last week.
Microsoft Threat Intelligence attributed the supply chain attack to cyber criminal outfit Cl0p, believed to be operating out of Russia.
Cl0p is known for its namesake ransomware as a service (RaaS) but has notoriously adopted a pure extortion approach this year.
The group is also believed to be behind the attack on Fortra’s GoAnywhere MFT product.
The exploitation of a vulnerability in the software led to successful attacks on more than 130 organizations, by the group’s own calculations.
