MoveIT Exploits Could Earn Cl0p $100 Million as Victims Approach 400


July 24, 2023

World map

Researchers assess that while the likelihood is less than 50% that a victim will pay a ransom demand in attacks where data is exfiltrated for extortion, but no ransomware is deployed – as with the latest spree of MoveIT exploits by the Cl0p gang - the ransom amounts have been typically much higher.

“While the MOVEit campaign may end up impacting over 1,000 companies directly, and an order of magnitude more indirectly, a very very small percentage of victims bothered trying to negotiate, let alone contemplated paying. Those that did pay paid substantially more than prior Cl0p campaigns, and several times more than the global Average Ransom Amount of $740,144,” reports Security Week.

“It is likely that the Cl0p group may earn $75-100 million dollars just from the MOVEit campaign, with that sum coming from just a small handful of victims that succumbed to very high ransom payments.”

Takeaway: Cl0p ransomware operators have been actively exploiting a vulnerability in Progress Software’s MOVEit file transfer app for several weeks in what have been predominantly straight data-extortion attacks, where no ransomware payload is deployed.

The Russian-linked ransomware gang leveraged the patchable vulnerability in the MOVEit file transfer software to compromise hundreds of victims, including the US Department of Energy, according to reports.

The mass exploitation of the MOVEit file transfer vulnerability by the Cl0p ransomware gang closely follows their success earlier this year in conducting the mass compromise of more than 100 organizations leveraging a vulnerability in another file transfer program called GoAnywhere.

While there have reportedly been many targets of these campaigns, it remained unclear whether Cl0p was able to successfully monetize the large number of networks compromised until this research was published.

And while the earlier attacks did not elicit much of a response from the US government aside from some FBI/CISA joint alerts, the prospect that Cl0p has trained its sights on critical infrastructure targets - namely the Department of Energy - will certainly prompt Federal authorities to ramp up their efforts against these operators.

Cl0p is likely to be leveraging automation to identify exposed organizations who have not patched against known vulnerability, which is why we are seeing so many new victims.

While these data-extortion-only attacks don’t compel as many victims to pay, those that do are paying more. This may work to Cl0p’s advantage, as straight data-extortion attacks are arguably much less complicated to carry out and likely highly automated, which means Cl0p’s strategy may be to simply ramp up the volume of attacks to make up the deficit in ransoms collected.

Cl0p was not the first group to opt for ransomware-less-extortion attacks – groups like KaraKurt and RansomHouse have practiced this model for some time, with groups like BianLian following suit – but Cl0p appears to have perfected the mass exploitation via automation aspect, potentially making the tactic highly profitable.

Again, we assess that it is unlikely that all or most ransomware operators will abandon the ransomware payload and opt for straight data-extortion attacks, we will likely see certain groups favor the approach if they can operationalize them as successfully as Cl0p has thus far.

Progress (the vendor who produces the MOVEit software) has issued updated advice on mitigating this vulnerability, which includes a new patch for additional vulnerabilities that could be exploited. MOVEit customers should apply the latest vulnerabilities fixes, as described in the MOVEit Transfer Knowledge Base Article (Updated 15th June). is the industry’s first dedicated, adaptive security platform that combines multiple advanced proprietary prevention engines along with AI models focused specifically on stopping ransomware – talk to a Halcyon expert today to find out more.