A leading cybersecurity analyst and security researcher claims that the Clop ransomware gang responsible for the MOVEit attacks escalated its threats in the hope that victims would pay.
Dominic Alvieri discovered on July 22 that the Russian ransomware group had created a clearnet domain designed to distribute data stolen from one of its targets, professional services giant Ernst & Young, and posted a screenshot of the dotcom website to Twitter.
Ernst & Young, which trades as EY, was notified via tweets and direct messages from Alvieri, but it is not certain whether the firm has responded.
Clop threatened to leak MOVEit data
The analyst and researcher also reached out to BleepingComputer, informing the publication that the ransomware group's first target was the business consulting firm PwC.
In addition to EY and PwC, BleepingComputer reports that websites were also created for Aon, Kirkland, and TD Ameritrade.
Data leaks are usually hosted on the Tor network because of the added anonymity and the difficulty law enforcement bodies have in removing pages there. Instead, Clop threatened to leak the MOVEit breach data on the regular Internet, hence Alvieri's 'dotcom' comment.
Because of the nature of clearnet domains, such websites run a higher risk of being taken down, and that has been the case for Clop's sites, although it is unclear whether enforcement agencies or hosting providers are responsible for their removal.
BleepingComputer also suggests that cybersecurity companies could have launched their own DDoS attacks against the sites in an effort to protect victims.
According to Coveware, the small number of Clop's estimated 1,000 direct targets who are likely to pay, or have already paid, the ransoms could see the Russian group earn $75-100 million from MOVEit-linked demands alone.
Via BleepingComputer