British Airways, Boots and the BBC have been hit with an ultimatum from the Russian-speaking cybercrime group Clop to begin ransom negotiations after it stole personal details of more than 100,000 staff across the organisations.
The demand, posted on Clop’s dark web site, orders the affected companies to email the group by 14 June or face having their stolen data posted online; that data is feared to include names, addresses, national insurance numbers and bank details.
Clop exploited a piece of business infrastructure called MOVEit, software used to securely transfer files around internal networks, to attack the organisations. The same vulnerability provided an entry point into multiple victims in a single mass hack.
Six organisations have confirmed being affected, with Aer Lingus and the University of Rochester also admitting they have been hit. Many of the organisations are not direct users of the MOVEit software but outsourced their payroll services to a third party called Zellis, which was also hit.
The hacker group claims to have information on “hundreds” of companies. In the post, they are coy about the nature of their attack, describing it merely as “penetration testing service after the fact”.
“This is announcement to educate companies who use Progress MOVEit product that chance is that we download a lot of your data as part of exceptional exploit,” the demand reads.
“We are the only one who perform such attack and relax because your data is safe.”
The ultimatum contains no explicit sum for businesses to pay, but demands that they enter into negotiations.
The group also claims that it has deleted data that it may have stolen from state actors.
“Do not worry, we erased your data you do not need to contact us,” it says. “We have no interest to expose such information.”
Such olive branches are common from professional hacking groups, who want to maximise their income without bringing unnecessary attention from law enforcement.
The threat is an escalation of conventional ransomware attacks and is known as “doxware”. Rather than simply encrypting data and charging for a key, hackers steal the data directly and threaten to publish it unless the ransom is paid.
While more technically challenging for the hackers, doxware prevents businesses from simply restoring their data from backups and ignoring ransom demands. (Guardian)