A prolific cybercrime gang believed to be based in Russia has issued an ultimatum to victims of a hack that has hit organizations around the world.
The Clop Group has posted a notice on the dark web warning those affected by the MOVEit hack to email them by June 14 or the stolen data will be released.
More than 100,000 BBC, British Airways and Boots staff have been told payroll data may have been taken.
Employers are advised not to pay if the hackers demand a ransom.
Cybersecurity research previously suggested that Clop may be responsible for the hack first reported last week.
The criminals found a way to break into the popular enterprise file-transfer software MOVEit and then used that access to reach the databases of hundreds of other companies.
Microsoft analysts said Monday they believe Clop was to blame, based on the techniques used in the hack.
This has now been confirmed in a lengthy blog post written in broken English.
The message, seen by the BBC, reads: “This is an announcement to inform companies using the Progress MOVEit product that the chance is that we are downloading a large portion of your data as part of an exceptional exploit.”
The post goes on to urge victim organizations to email the gang to start a negotiation on the gang’s darknet portal.
This is an unusual tactic: hackers normally send ransom demands by email to victim organizations, but here they demand that victims get in touch. This could be because Clop itself cannot keep up with the scale of the hack, which is still unfolding around the world.
MOVEit is provided by Progress Software in the United States and is used by many companies to move files securely between company systems. UK-based payroll service provider Zellis was one of its users.
Zellis confirmed that eight organizations had data stolen from them, including home addresses, national insurance numbers and, in some cases, bank details.
So far, the following people have all said they may have had their data stolen:
Experts advise individuals not to panic and organizations to follow the security guidance issued by authorities such as the Cyber Security and Infrastructure Authority in the United States.
Clop claims on its leak site that it has deleted all data from government, municipal or police departments.
“Don’t worry, we’ve erased your data, you don’t need to contact us. We have no interest in exposing such information,” it read.
However, researchers say the criminals are not to be trusted.
“Clop’s assertion that information about public sector organizations has been taken down should be taken with a grain of salt. If the information has monetary value or could be used for phishing, they are unlikely to have simply eliminated it,” said Emsisoft threat researcher Brett Callow.
Cybersecurity experts have long tracked the exploits of Clop, which is believed to be based in Russia as it operates primarily on Russian-speaking forums.
Russia has long been accused of being a haven for ransomware gangs – which it denies.
However, Clop operates as a “ransomware-as-a-service” group, which means hackers can rent its tools to carry out attacks from anywhere.
In 2021, presumed Clop hackers were arrested in Ukraine in a joint operation between Ukraine, the United States and South Korea.
At the time, authorities claimed to have dismantled the group they believe was responsible for extorting $500 million from victims around the world.
But Clop continued to be a persistent threat.