MOVEit cyber attack: Cl0p sparks speculation that it’s lost control of hack
The hackers return with their second major data-extortion attack of 2023, but may have bitten off more than they can chew


The cyber criminals believed to be behind the MOVEit File Transfer supply chain attack have taken the unusual step of demanding victims contact them first to negotiate extortion payments.
In a broken-English statement published on its deep web blog, Cl0p announced victims have seven days to contact the group to negotiate a payment before their data is posted online.
The group's approach is atypical of most extortion scenarios, which usually see the attackers approach the victims first.
Members of the cyber security industry have speculated that Cl0p, which was blamed for the supply chain attack by Microsoft earlier this week, has ingested too much data to identify which company it belongs to.
“The attackers have chosen to ask their victims to begin negotiation tactics by reaching out initially but this approach deviates from the norm as typically ransom demands are sent to the targeted organizations with a predetermined amount chosen by the hackers,” said Jake Moore, global cyber security advisor at ESET.
“This decision is likely to stem from the overwhelming magnitude of the ongoing hack which is still affecting large numbers of systems worldwide and potentially overpowering the capabilities of Cl0p itself.”
“Sure looks like they can’t keep up with the scale of the hack,” said Dominic Alvieri, cyber security researcher, in a tweet.
Cl0p gave victims a deadline of 14 June to begin negotiations. Failure to contact the attackers will lead to the publication of stolen data, according to the group’s statement.
The information provided was unclear in places. A final deadline of 14 June was given, but it’s not certain whether victims can contact Cl0p on the 14th and still benefit from the three-day negotiation window.
Cl0p also stated that victims’ chats will be closed and their data then published after ten days of non-productive talks, adding to the confusion around the true final deadline for victims.
The attackers said data belonging to government, city, or police services has already been erased.
“You do not need to contact us. We have no interest to expose such information,” Cl0p said.
The reason for these exceptions is likely rooted in the social pressure placed on cyber criminal operations to not target organizations with shallow pockets and those that operate essential services such as hospitals.
Regardless, experts have advised victims to remain cautious, since cyber criminals have been known to lie in such statements.
“Cl0p claims to have deleted information relating to public sector organizations but from what we have learnt in the past is that we cannot trust the words of cyber criminals and therefore, anyone who believes their data has been stolen must remain on high alert,” said Moore.
“Although it is never advised to pay ransom demands to cyber criminals, there is an inevitable risk that some of the targeted companies will succumb to the pressure. This will only fuel the fire and continue the cycle of this devastating criminal group.
“It is more important that the companies affected are open and honest with their employees and customers offering support in how to protect themselves and how to spot follow-up phishing and smishing attacks.”
What is the MOVEit cyber attack?
News broke of the exploitation of a zero-day vulnerability in the MOVEit file transfer product, developed by Progress subsidiary Ipswitch, on 31 May.
The application is used by thousands of major organizations across the world, and the attack has already impacted the likes of British Airways, Aer Lingus, the BBC, and UK retailer Boots.
Experts at the time revealed that their telemetry indicated that other victims may include banks and areas of the US government.
The vulnerability, tracked as CVE-2023-34362, has been added to CISA’s known exploited vulnerabilities list, which compels federal agencies to apply available patches expeditiously.
Every version of MOVEit Transfer is thought to be affected by the vulnerability, and organizations have been urged to apply the patch released last week.
Microsoft Threat Intelligence attributed the supply chain attack to cyber criminal outfit Cl0p, believed to be operating out of Russia.
Cl0p is known for its namesake ransomware as a service (RaaS) but has notoriously adopted a pure extortion approach this year.
The group is also believed to be behind the attack on Fortra’s GoAnywhere MFT product.
The exploitation of a vulnerability in the software led to successful attacks on more than 130 organizations, by the group’s own calculations.

Connor Jones has been at the forefront of global cyber security news coverage for the past few years, breaking developments on major stories such as LockBit’s ransomware attack on Royal Mail International, and many others. He has also made sporadic appearances on the ITPro Podcast discussing topics from home desk setups all the way to hacking systems using prosthetic limbs. He has a master’s degree in Magazine Journalism from the University of Sheffield, and has previously written for the likes of Red Bull Esports and UNILAD tech during his career that started in 2015.