CL0P ransomware group (of MOVEit) escalates pressure by leaking data to the Clear Web
The ransomware group CL0P has started to post stolen data on websites on the publicly accessible internet, also known as the Clear Web. This tactic is an escalation of CL0P’s approach to extort victims and scare impacted entities into paying a ransom by creating a more easily accessible, publicized leak of data. Ransomware entities like CL0P may also start directly notifying affected persons whose data has been compromised, alerting them to its presence on the Clear Web. However, the fact that these leak sites on the Clear Web are highly vulnerable to being taken down calls into question just how effective this newest ransomware method adopted by CL0P may be.
New ransomware techniques on the Clear Web
Ransomware entities have begun to create websites that publicly show stolen or compromised data. Hosting such content is old news on the Dark Web (hard-to-track web content that is only reachable through specific tools and is a common location for illegal activity), but a newer trend has seen ransomware groups build these sites on the Clear Web.
These sites advertise the data theft in hopes of creating high pressure on the victim to quickly pay the threat actor’s demand. This pressure may reduce an affected company’s ability to stall for time, negotiate better terms, or reduce public awareness.
Who is CL0P?
CL0P is the ransomware group responsible for the ongoing MOVEit breach, which has affected hundreds of entities across the financial, educational, and healthcare sectors, including British Airways and the Teachers Insurance and Annuity Association of America.
Recently, CL0P started to create Clear Web sites as part of their ransom arsenal. In late July, CL0P posted information from PricewaterhouseCoopers in connection with the MOVEit breach. (All of CL0P’s Clear Web sites have since been taken down and are no longer accessible.)
What does this mean for companies?
Companies suffering from a ransomware attack often refuse to pay the ransom if they can recover most of their stolen data (for example, through adequate backups). Most companies will then shore up their cybersecurity with legal and forensic teams to minimize the financial and public impact of a ransomware attack – leaving the threat actor with nothing to show for their efforts.
Clear Web postings of compromised data are a new tactic intended to increase pressure on an entity through enhanced visibility. Once alleged proof of a hack is posted publicly, it becomes harder for a company to manage the impact of the incident. Entities must weigh reputational harm and the impact to customer and business partner trust – with threat actors hoping these pressures encourage payment.
However, Clear Web posts are high-risk for questionable returns for hackers. The public nature of the Clear Web makes the sites created highly vulnerable to being detected and subject to a variety of responses, including website seizures, takedown by hosts or registrars, DDoS attacks, and other actions.
For example, when CL0P posted data on the Clear Web from several major companies with substantial IT and legal resources, every CL0P site was taken down within a matter of days. CL0P’s brazen efforts have also led the U.S. Department of State to place a $10 million bounty on the group.
If you have questions about your company’s vulnerability to a ransomware attack or other breach, or if you want to learn more about proactive cybersecurity defense, contact a member of McDonald Hopkins’ national cybersecurity and data privacy team.