My inevitable “criminals like to move it, move it” joke aside, there’s nothing funny about the MOVEit cybersecurity attacks that started at the end of May. Certainly not if you’re one of the organisations that has been caught up in this tale of zero-day exploits, multiple vulnerabilities and Russian ransomware groups.
It’s not much fun if you happen to be an employee of one of said victims, either. One of my sons works for the BBC and has been informed his personally identifiable information was accessed, and is being held to ransom, by the criminal group known informally as C10p. I shall be referring to them as Clop, because I’m not ten years old.
What, or who, is Clop?
This ransomware group was one of the first to use the double-extortion ransomware strategy: exfiltrating data to be either published or sold to the highest bidder if the ransom wasn’t paid. The clever money suggests that Clop is a sub-group of, or at least was spun out of, the TA505 threat group, a group you may remember from the Dridex banking trojan and Locky ransomware. Clop has also been associated with FIN11, another criminal group that emerged from the TA505 collective.