Cybercriminal gang Clop warns hack victims to get in touch before 14 June, or their stolen data will be published
The Russian hackers behind a mass hack that impacted big-name organisations have issued an ultimatum to their victims.
Last week a mass hack was detected that compromised the MOVEit tool from Progress Software, which is used by businesses to securely transfer sensitive data. This exploit allowed the hackers to compromise a third-party firm called Zellis, which provides payroll services to a number of blue-chip British firms including the BBC, Boots and British Airways.
The hack resulted in the theft of personal details of more than 100,000 staff across those organisations.
At the time, Microsoft said it believed the hackers behind the incident were “Lace Tempest”, the company’s designation for the group that operates the Clop (also written cl0p) ransomware extortion website.
The hackers are believed to be based in Russia and are Russian speaking.
The “Clop team” then confirmed to Reuters that it was behind the hack, saying “it was our attack” and that it would begin trying to extort money from compromised companies in due course, at which time their names would be posted on the Clop site.
Now the Guardian has reported that British Airways, Boots and the BBC have been hit with an ultimatum from Clop to begin ransom negotiations within the next week.
The Guardian reported that the demand had been posted on Clop’s darkweb site, and it essentially orders the victims to get in touch by email by Wednesday 14 June, or face having their stolen data posted online.
The BBC has already said in a notice to staff that data stolen included staff ID numbers, dates of birth, home addresses and national insurance numbers.
British Airways told staff some may have had bank details stolen.
Other organisations thought to be impacted include Aer Lingus, the University of Rochester, and the provincial government of Nova Scotia.
The hackers reportedly claim to have information on “hundreds” of companies. In the post, they are coy about the nature of their attack, describing it merely as a “penetration testing service after the fact”, the Guardian reported.
“This is announcement to educate companies who use Progress MOVEit product that chance is that we download a lot of your data as part of exceptional exploit,” the demand reads, according to the Guardian. “We are the only one who perform such attack and relax because your data is safe.”
The ultimatum contains no explicit sum for businesses to pay, but demands that they enter into negotiations.
The group also claims that it has deleted data that it may have stolen from state actors. “Do not worry, we erased your data you do not need to contact us,” it says. “We have no interest to expose such information.”
Such olive branches are common from professional hacking groups, who want to maximise their income without bringing unnecessary attention from law enforcement.
The threat is an escalation of conventional ransomware attacks and is known as “doxware”.
Rather than simply encrypting data and charging for a key, hackers steal the data directly and threaten to publish it unless the ransom is paid, the Guardian reported.
Last month, research from UK-based security specialist Sophos found that nearly half (46 percent) of organisations hit by ransomware attacks actually pay the ransom, despite continued advice against paying the cyber criminals.
The Sophos report also found that those organisations paying the cyber criminals actually end up doubling their recovery costs.
In fact, more than half of businesses with revenue of $500 million or more paid the ransom, with the highest rate reported by those with revenue over $5 billion, Sophos found.
This could partially be due to the fact that larger companies are more likely to have a standalone cyber insurance policy that covers ransom payments.
In February, Varonis described a new strain of ransomware that prompts negotiations with its victims, rather than opting for the “naming and shaming” extortion approach commonly adopted by other criminals.