Recent data extortion attacks that exploited a critical vulnerability in the MOVEit file transfer tool are likely to result in a payday as high as $100 million for the cybercriminal group Clop, according to findings from incident response firm Coveware.
Clop, a Russian-speaking group, has claimed that if a victim company pays its demand, the group would not leak the victim’s stolen data on its darkweb site.
In a post Friday, Coveware suggested that the vast majority of victims impacted in the MOVEit campaign will refuse to pay Clop’s demands.
However, for the victim organizations that do pay, the extortion payment amounts could be substantial, according to the Coveware findings. The company estimated that Clop will receive between $75 million and $100 million in the attacks, which are believed to have begun in late May.
“This is a dangerous and staggering sum of money for one, relatively small group to possess,” Coveware said in its report. The MOVEit campaign windfall derives from “just a small handful of victims that succumbed to very high ransom payments,” the company said.
Managed file transfer tools, such as Progress’ MOVEit Transfer, enable the ingestion of large volumes of data that can then be moved from point to point, making them an appealing target for data thieves.
The widely exploited critical vulnerability in MOVEit (tracked as CVE-2023-34362) was reported by Progress on May 31. There are now at least 383 known victims of the MOVEit attacks, with more than 20 million individuals impacted, according to tallies by Emsisoft threat analyst Brett Callow.
Coveware estimated that more than 1,000 companies may end up being directly impacted by the MOVEit attacks, though a “very small percentage of victims bothered trying to negotiate, let alone contemplated paying.” However, the few victims that did pay Clop paid well above the standard ransom amount, according to the findings.
In Clop’s previous attack campaigns, such as the GoAnywhere attacks from earlier this year, the cybercrime group found few companies willing to pay an extortion demand to prevent a data leak, according to Coveware.
In response, Clop “made a material shift in the MOVEit campaign, and dramatically increased the average demand it made of victims,” Coveware said.
The Insurance Factor?
One reason that companies may be less likely to pay a threat actor’s demands in an extortion-only attack — versus in a standard ransomware attack that encrypts files — is due to cyber insurance, Sophos Field CTO Chester Wisniewski told CRN previously.
While an insurance company may pay a ransom to get file decryption keys, “they won’t pay an extortion fee,” Wisniewski said. “The conventional wisdom of insurers has been, ‘I’m buying encryption keys that are going to let me get this customer online faster, and that reduces my cost of the incident.’ They think they’re getting value.”
But if an attacker demands a payment from a victim solely in exchange for not releasing its data online, that’s likely not something an insurer is going to cover, Wisniewski said.
“They’re not paying for hiding [a breach] from the GDPR regulators,” he said.
Data extortion-only attacks are not as difficult for threat actors to accomplish, compared to ransomware attacks that involve encryption, Coveware noted in its report. But attacks that only involve data theft and extortion are also not as disruptive, which is a key reason for the lower likelihood that a victim will pay, the company said.
Data extortion-only attacks “do not cause material business disruption like encryption impact but can cause brand damage and create notice obligations,” Coveware said.