Sony and PwC Join EY and DoE as Latest Targets in Cl0p Ransomware MOVEit Exploits

Date:

June 22, 2023


The Cl0p ransomware gang has claimed attacks on Sony and PwC, just days after asserting that it hit Ernst & Young (EY) and the US Department of Energy (DoE), threatening to leak exfiltrated data if its ransom demands are not met.

“Sony, EY and PwC are the latest big businesses to be listed on ransomware gang Cl0p’s dark web blog as the number of victims of a massive cyberattack perpetrated by the group continues to grow,” the TechMonitor reports.

“Cl0p has been exploiting a vulnerability in file transfer platform MOVEit Transfer and demanding ransoms from affected companies. It has named 95 supposed victims of the breach. The attack, which started earlier this month, could turn out to be one of the largest in history, with victims spanning the public and private sectors in the US, UK and beyond.”

Takeaway: Organizations are under siege right now from ransomware gangs weaponizing vulnerability exploits. The Cl0p operators continue to exploit a known SQL injection vulnerability (CVE-2023-34362) in Progress Software's MOVEit Transfer managed file transfer product to compromise numerous high-value targets in rapid succession.

More than 100 organizations have fallen prey to the attacks, including Oregon's Department of Transportation, the government of Nova Scotia, British Airways, the BBC, Aer Lingus, the Illinois Department of Innovation & Technology, the Minnesota Department of Education, and more.

Companies like Sony, PwC and EY, as well as agencies that govern critical infrastructure like the DoE, ostensibly have very mature security programs. Yet, as this spate of attacks shows, a robust security program does not make an organization immune to a successful attack.

No one is immune to the fact that a single vulnerability in a single piece of software can expose the organization to a disruptive and potentially devastating ransomware attack. Even if an organization is prepared and able to recover its systems after a ransomware attack, it still has to contend with extortion over the sensitive data that was exfiltrated before the attack was detected.

Cl0p has been extremely active this year in campaigns exploiting vulnerabilities in the GoAnywhere and MOVEit managed file transfer products, and the speed and breadth of these campaigns strongly suggest that the operators are using automated scanning to identify exposed organizations.

It is likely that Cl0p has already exfiltrated large amounts of confidential information from these victims, and other targets may be losing data right now, before any ransomware payload is detonated, without realizing that they are in the midst of a major intrusion.
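One concrete check a defender can run on a MOVEit Transfer host to find out whether it is one of those silent victims is to triage the IIS web logs for access to the webshell and for bulk data egress through it. The script below is an added example for this post; it is not code from Halcyon, Progress Software or the original article. The indicator paths (the human2.aspx webshell and the unauthenticated endpoints touched before it is dropped) are taken from the FBI/CISA joint advisory AA23-158A on CVE-2023-34362; the log lines are constructed for illustration, and the 50 MiB per-client-hour egress threshold is an assumption you should tune to your environment.

```python
"""Triage IIS W3C logs from a MOVEit Transfer host for webshell access and bulk egress.

Added example, not Halcyon's or Progress Software's code. Indicator paths come from
the FBI/CISA joint advisory AA23-158A on CVE-2023-34362; the sample log is constructed
and the egress threshold is an assumption.
"""
from collections import defaultdict

# The webshell is dropped as human2.aspx; the legitimate login page is human.aspx.
WEBSHELL_PATHS = {"/human2.aspx"}
# Unauthenticated endpoints the exploit chain touches before the shell appears (per AA23-158A).
PRECURSOR_PATHS = {"/moveitisapi/moveitisapi.dll", "/guestaccess.aspx", "/api/v1/token"}
# Assumption: more than 50 MiB served to one client in one hour via the shell is "bulk" egress.
BULK_EGRESS_BYTES = 50 * 1024 * 1024

# Constructed IIS log excerpt (not real data). sc-bytes is bytes sent server -> client.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status sc-bytes
2023-06-01 02:14:07 10.0.0.5 POST /moveitisapi/moveitisapi.dll - 443 - 198.51.100.23 Mozilla/5.0 200 512
2023-06-01 02:14:09 10.0.0.5 POST /guestaccess.aspx - 443 - 198.51.100.23 Mozilla/5.0 200 730
2023-06-01 02:14:12 10.0.0.5 POST /api/v1/token - 443 - 198.51.100.23 Mozilla/5.0 200 1024
2023-06-01 02:15:40 10.0.0.5 GET /human2.aspx - 443 - 198.51.100.23 Mozilla/5.0 200 2048
2023-06-01 02:16:01 10.0.0.5 GET /human2.aspx - 443 - 198.51.100.23 Mozilla/5.0 200 41943040
2023-06-01 02:17:33 10.0.0.5 GET /human2.aspx - 443 - 198.51.100.23 Mozilla/5.0 200 31457280
2023-06-01 09:00:00 10.0.0.5 GET /human.aspx - 443 jdoe 203.0.113.8 Mozilla/5.0 200 3400
2023-06-01 09:00:05 10.0.0.5 POST /api/v1/token - 443 jdoe 203.0.113.8 Mozilla/5.0 200 900
"""


def parse_iis_w3c(text):
    """Yield one dict per request, naming columns from the #Fields: header."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if not line.strip() or line.startswith("#"):
            continue
        parts = line.split()
        if fields is None or len(parts) != len(fields):
            continue  # header not seen yet or truncated line: skip rather than crash
        yield dict(zip(fields, parts))


def hunt(text, bulk_threshold=BULK_EGRESS_BYTES):
    """Return findings: webshell access per client (with the precursor endpoints that
    client hit before its first shell request) and hours of bulk egress via the shell."""
    per_client = defaultdict(lambda: {
        "precursors": set(), "webshell_hits": 0,
        "first_webshell": None, "egress_by_hour": defaultdict(int),
    })
    for rec in parse_iis_w3c(text):
        path = rec["cs-uri-stem"].lower()
        stamp = f"{rec['date']} {rec['time']}"
        c = per_client[rec["c-ip"]]
        if path in WEBSHELL_PATHS:
            c["webshell_hits"] += 1
            c["first_webshell"] = c["first_webshell"] or stamp
            c["egress_by_hour"][stamp[:13]] += int(rec["sc-bytes"])  # "YYYY-MM-DD HH"
        elif path in PRECURSOR_PATHS and c["first_webshell"] is None:
            c["precursors"].add(path)

    findings = []
    for ip, c in per_client.items():
        if c["webshell_hits"] == 0:
            continue  # never touched the shell: nothing to report for this client
        findings.append({
            "client": ip, "type": "webshell_access", "count": c["webshell_hits"],
            "first_seen": c["first_webshell"], "precursors": sorted(c["precursors"]),
        })
        for hour, nbytes in c["egress_by_hour"].items():
            if nbytes >= bulk_threshold:
                findings.append({"client": ip, "type": "bulk_egress",
                                 "hour": hour, "bytes": nbytes})
    return findings


if __name__ == "__main__":
    for finding in hunt(SAMPLE_LOG):
        print(finding)
```

Any request for human2.aspx is a confirmed finding on its own, because that file does not exist in a clean install; the precursor and egress fields are there to tell you how far the intrusion got and how much left the box. On a live server, feed the script the real W3C logs from the MOVEit site's IIS log directory, then preserve those logs and the MOVEit database before remediating, since both are evidence of what was taken.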

Whether Cl0p has been able to monetize these compromises by actually collecting on its ransom demands remains unclear.

While the earlier attacks did not elicit much of a response from the US government beyond some FBI/CISA joint alerts, the prospect that Cl0p has trained its sights on critical infrastructure targets, namely the Department of Energy, should prompt federal authorities to ramp up their efforts against these operators.

Halcyon.ai is the industry’s first dedicated, adaptive security platform that combines multiple advanced proprietary prevention engines along with AI models focused specifically on stopping ransomware – talk to a Halcyon expert today to find out more.