The US government has announced a $10 million bounty for information that links the Clop ransomware gang or any other threat actors targeting US critical infrastructure to a foreign government. The reward is part of the US State Department's Rewards for Justice (RFJ) program, a government counterterrorism initiative that provides monetary rewards for information leading to the prevention, disruption, or conviction of individuals involved in acts against US interests. The RFJ program has previously targeted other ransomware groups, such as the Conti and REvil gangs.
The Clop ransomware group, also known as Lace Tempest, has recently claimed to have hacked hundreds of companies worldwide by exploiting the MOVEit Transfer vulnerability. MOVEit Transfer is a managed file transfer system used by enterprises to transfer files securely using SFTP, SCP, and HTTP-based uploads. The vulnerability, tracked as CVE-2023-34362, is a SQL injection flaw that an unauthenticated attacker can exploit to gain unauthorized access to MOVEit Transfer's database. Microsoft has attributed the campaign exploiting this zero-day vulnerability in the MOVEit Transfer platform to the Clop gang.
The ransomware gang published an extortion note on its dark web leak site, stating that it has information on hundreds of businesses. The message reads, “WE HAVE INFORMATION ON HUNDREDS OF COMPANIES SO OUR DISCUSSION WILL WORK VERY SIMPLE.” The gang has urged victim organizations to contact them before their name is added to the list of victims on the leak site, with a deadline of June 14. It is currently unclear how many organizations have been breached by the gang as a result of exploiting the MOVEit Transfer vulnerability.
As of May 31, Rapid7 experts discovered approximately 2,500 instances of MOVEit Transfer publicly accessible on the internet, with a significant portion located in the United States. Rapid7 reported, “Our teams have so far observed the same webshell name in multiple customer environments, which may indicate automated exploitation.” Kroll researchers found that the Clop ransomware gang had been searching for a zero-day exploit in the MOVEit software since 2021.
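Rapid7's observation that the same webshell file name turned up across multiple customer environments is the kind of indicator defenders can hunt for directly on exposed MOVEit Transfer hosts. The following script is an added example, not code from the article, Rapid7, or Progress: it walks a web root for `.aspx` files that either carry a known webshell name or were modified after a cutoff date (for example, the day the vulnerability became public), and records their SHA-256 hashes so identical files can be matched across hosts. The article does not name the observed webshell, so `KNOWN_WEBSHELL_NAMES` holds a placeholder to be replaced with vendor-published indicators; the sample directory tree and timestamps are constructed for the demonstration.

```python
import hashlib
import os
import tempfile
from pathlib import Path

# Placeholder: the article does not name the webshell Rapid7 observed.
# Replace with file names from vendor-published indicators of compromise.
KNOWN_WEBSHELL_NAMES = {"PLACEHOLDER_WEBSHELL.aspx"}


def sha256_file(path):
    """Hash a file in chunks so large uploads do not need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def find_suspicious_aspx(web_root, modified_after, known_names=KNOWN_WEBSHELL_NAMES):
    """Return findings for .aspx files under web_root that match a known
    webshell name or were modified after `modified_after` (POSIX timestamp).
    Each finding carries the path, SHA-256 and the reasons it was flagged,
    so hashes can be compared across hosts to spot the same dropped file."""
    findings = []
    for path in Path(web_root).rglob("*.aspx"):
        stat = path.stat()
        reasons = []
        if path.name in known_names:
            reasons.append("known-webshell-name")
        if stat.st_mtime > modified_after:
            reasons.append("modified-after-cutoff")
        if reasons:
            findings.append({
                "path": str(path),
                "sha256": sha256_file(path),
                "mtime": stat.st_mtime,
                "reasons": reasons,
            })
    return sorted(findings, key=lambda f: f["path"])


def build_demo_tree(root):
    """Construct a sample web root (not real MOVEit content): one old benign
    page, one page written after the cutoff, and one file carrying the
    placeholder webshell name. Timestamps are constructed values."""
    root = Path(root)
    root.mkdir(parents=True, exist_ok=True)
    old, new = 1_600_000_000, 1_700_000_000
    samples = {
        "default.aspx": (old, b"<%@ Page %>\n"),
        "new_upload.aspx": (new, b"<%@ Page %>\n"),
        "PLACEHOLDER_WEBSHELL.aspx": (old, b"<%@ Page %>\n"),
    }
    for name, (mtime, body) in samples.items():
        p = root / name
        p.write_bytes(body)
        os.utime(p, (mtime, mtime))


def run_demo(cutoff=1_650_000_000):
    """Build the constructed tree in a temporary directory and hunt in it."""
    with tempfile.TemporaryDirectory() as tmp:
        build_demo_tree(tmp)
        return find_suspicious_aspx(tmp, modified_after=cutoff)


if __name__ == "__main__":
    for finding in run_demo():
        print(finding["path"], finding["sha256"][:16], finding["reasons"])
```

On a real host, point `find_suspicious_aspx` at the MOVEit Transfer web root with a cutoff just before the first public disclosure; files flagged only as `modified-after-cutoff` still need review, since legitimate updates also touch `.aspx` files, but a hash that repeats across unrelated hosts is strong evidence of the automated deployment Rapid7 described.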
At the time of writing, the Clop ransomware group has already added 27 companies to the list of victims on its dark web leak site. The group claims to have compromised these companies by exploiting the zero-day CVE-2023-34362. CNN reported that the gang has breached numerous federal agencies, including the Department of Energy. After the report's publication, the group posted a message on its leak site to address media reports that it had stolen data from government agencies: “WE GOT A LOT OF EMAILS ABOUT GOVERNMENT DATA, WE DON’T HAVE ANY GOVERNMENT DATA AND ANYTHING DIRECTLY RESIDING ON EXPOSED AND BAD PROTECTED NOT ENCRYPTED FILE TRANSFER WE STILL DO THE POLITE THING AND DELETE ALL. ALL MEDIA SPEAKING ABOUT THIS ARE DO WHAT ALWAYS THEY DO. PROVIDE LITTLE TRUTH IN A BIG LIE. WE ALSO WANT TO REMIND ALL COMPANY THAT IF YOU PUT DATA ON INTERNET WHERE DATA IS NOT PROTECT DO NOT BLAME US FOR PENETRATION TESTING SERVICE. WE ARE ONLY FINANCIAL MOTIVATED AND DO NOT CARE ANYTHING ABOUT POLITICS.”