The Cl0p ransomware gang has yet again changed its extortion strategy within a span of two weeks to put more pressure on victims targeted in the MOVEit hack. 

What’s it about?

Starting on May 27, the gang launched a wave of attacks against 597 organizations by exploiting a zero-day vulnerability in the MOVEit secure file transfer platform. Later, on June 14, it began extorting its victims by adding their names to its Tor data leak site.

However, due to some limitations on the Tor sites, the gang has frequently been adopting new strategies to distribute the stolen data from the MOVEit attack.

What's new?

In the latest move, the notorious gang has begun using torrent sites to leak data easily. 
  • The instructions on downloading the leaked data from these torrent sites are provided via a new Tor site set up by the gang.
  • According to security researcher Dominic Alvieri, torrents have been created for 20 victims, including Aon, K&L Gates, Putnam, Delaware Life, Zurich Brazil, and Heidelberg.

Tor limitations

On July 23, the Cl0p gang created a clearweb site for each victim to leak the stolen data.
  • As these websites were hosted directly on the internet, they simplified the extortion process for the attackers: employees, executives, and business partners who found their data leaked on the site felt a sense of urgency, which pushed organizations to pay a ransom.
  • However, this tactic did not last long, as the clearweb sites were taken offline by law enforcement without the knowledge of the gang.

How do torrents help?

Torrent sites leave very little chance for law enforcement agencies to seize them.
  • Owing to the decentralized nature of torrents, the original seeder could be replaced with a new device to seed the stolen data as needed.
  • Moreover, unlike the Tor data leak site, which has a slow download speed, torrents offer faster transfer speeds because they use peer-to-peer transfer among different users.

Conclusion

Coveware has predicted that Cl0p will earn between $75 and $100 million solely by extorting victims of the MOVEit data theft campaign. Such strategies can help the gang further pressure victims into paying the ransom demands.
Cyware Publisher
