Russia-Linked Hackers Give Victims a Week to Open Ransom Negotiations

A Russian-speaking criminal cyber gang gave victims including British Airways and the BBC a week to start ransom negotiations after it exploited a vulnerability in an encrypted file-sharing software used by many high-profile firms.

(Bloomberg) — A Russian-speaking criminal cyber gang gave victims including British Airways and the BBC a week to start ransom negotiations after it exploited a vulnerability in an encrypted file-sharing software used by many high-profile firms. 

The hacker group, known as Clop, said companies that use the secure file transfer product MOVEit from Progress Software Corp. should email it before June 14 or else it would publish stolen data, according to a statement on the gang’s darkweb page. 

“This is announcement to educate companies who use Progress MOVEit product that chance is that we download a lot of your data as part of exceptional exploit,” the gang said. “We have information on hundreds of companies so our discussion will work very simple.”

Clop has been one of the most prolific cyber criminal gangs in recent years, extorting hundreds of millions of dollars from its victims, according the cybersecurity firm Trend Micro Inc. Hackers affiliated with the group have used ultimatums that threaten to publish data in the past to extract ransoms. 

Read More: Hacking Spree Feared After Breach of File-Sharing Software

While Clop did not name specific targets, several companies and organizations have said in recent days that they believe they have been affected by the breach, including the BBC, British Airways, the UK pharmacy chain Boots, Aer Lingus, the government of Nova Scotia and the University of Rochester.

The flaw in the file-sharing software has prompted security alerts in recent days from the US Department of Homeland Security, the UK National Cyber Security Centre, Microsoft Corp. and Mandiant, a subsidiary of Alphabet Inc.’s Google Cloud. 

On Sunday, Microsoft’s threat intelligence team linked the attacks to Clop. A representative for the hackers in an email to Bloomberg News on Monday declined to say how many companies were breached and warned that it would publish data on its blog of those that didn’t pay. It wasn’t possible to verify the representative’s identity.

Clop is the name of a ransomware variant that has been deployed against companies and organizations around the world, and it also sometimes refers to the hacking gang that uses it.  

In March, the gang targeted the UK’s Pension Protection Fund after exploiting a third-party data transfer service called GoAnywhere. In August last year, the group claimed responsibility for an attack on South Staffordshire Plc, the parent company of South Staffs Water and Cambridge Water, which together supply more than 1.5 million people with drinking water in parts of England.

–With assistance from William Turton.

More stories like this are available on bloomberg.com

©2023 Bloomberg L.P.