Date: 2023-06-07

A cyber crime gang suspected to be operating out of Russia has issued a bribery warning to victims of a widespread global hack.

The notorious Clop group, known for its prolific hacking attacks, posted an ultimatum on the dark web stating victims of the ‘MOVEit’ hack must contact them before 14 June to prevent the publication of stolen data.

Businesses such as the BBC, British Airways, and Boots have already been notified their payroll data may have been compromised. Despite the hackers’ demands for a ransom, employers are being advised against agreeing.

Earlier cyber security research had already implicated Clop in the MOVEit hack, which had been announced the previous week.

The group managed to infiltrate the popular business software, MOVEit, and subsequently gained unauthorized access to the databases of potentially hundreds of other companies.

Microsoft analysts later confirmed Clop’s involvement, basing their assessment on the techniques employed during the attack.

In a blog post riddled with broken English, the group took responsibility for the hack and urged organisations to initiate negotiations through their darknet portal via email.

The group’s decision to demand direct contact from victims represents an unusual departure from the typical approach of sending ransom demands via email.

It is suspected the change in tactics may be due to Clop struggling to cope with the scale of the hack, which is still reverberating across the globe.

MOVEit – a file transfer software provided by US-based Progress Software – is widely utilized by businesses to securely exchange files within their systems. One of its users, UK-based payroll services provider Zellis, confirmed data from eight organizations, including sensitive personal information such as home addresses, national insurance numbers, and in some instances, bank details, had been compromised.

But not all firms had the same level of data exposure.

Authorities and experts are advising individuals to remain calm and encouraging organisations to conduct security checks recommended by agencies such as the US Cyber Security and Infrastructure Authority.

On its leak site, Clop claims to have deleted data pertaining to government, city, and police services, assuring victims that they need not contact them.

It said: “This is announcement to educate companies who use Progress MOVEit product that chance is that we download a lot of your data as part of exceptional exploit.”

But Brett Callow, a threat researcher from Emsisoft, told the BBC: “Clop’s claim to have deleted information relating to public sector organisations should be taken with a pinch of salt. If the information has monetary value or could be used for phishing, it’s unlikely that they will simply have disposed of it.”

Even though Russia denies providing safe haven to ransomware gangs, Clop functions as a “ransomware as a service” group, enabling hackers to rent their tools for attacks from anywhere.

In 2021, alleged members of the Clop gang were apprehended in Ukraine through a joint operation involving Ukraine, the United States, and South Korea.

At the time, authorities claimed to have dismantled the group responsible for extorting $500 million worldwide, but Clop has persisted as an ongoing global threat.