A Russian cyber gang is threatening to publish the payroll data of 100,000 people

Its victims include employees of British Airways, BBC, and the University of Rochester
Russia is the home of cyber criminals.
Russia is the home of cyber criminals.
Illustration: Kacper Pempel (Reuters)
We may earn a commission from links on this page.

A cybergang believed to be based in Russia has demanded ransom from some 100,000 victims of a hack it orchestrated recently.

However, the group, called Clop, hasn’t specified the amount it wants.

“This is announcement to educate companies who use Progress MOVEit product...If we do not hear from you until June 14 2023 we will post your name on this page… cal today before your company name is publish here,” Clop’s message posted on the dark web said, according to The Telegraph.

MOVEit is a business software owned by US-based Progress Software. It helps firms share files via their intranets. Clop has now penetrated it to access databases, including banking records, of several companies.

UK-based payroll services provider Zellis is a MOVEit user. Without disclosing names, Zellis acknowledged that criminals had accessed the details of eight such organizations. MOVEit was also running Microsoft’s Windows server applications which had a security flaw that Clop exploited to hack into Zellis.

The hacking group wants the people it has targeted to email it before June 14, failing which it will publish their payroll information. The victims include employees of British Airways, the BBC, the University of Rochester, Boots, Aer Lingus, and the provincial government of Canada’s Nova Scotia.

Clop wants to monetize stolen data

The Clop group wants to monetize the data in its hands and companies should avoid falling into its trap by sending them emails, according to Ciaran Martin, a cyber security expert who helped set up UK’s National Cyber Security Center.

“ does leave those affected more susceptible to sophisticated identity fraud, so they might try to develop techniques for scamming and so forth,” Martin told BBC Radio 4. Emails sent to hackers let them launch phishing or denial-of-service attacks, according to cyber experts.

Clop has been active since February 2019 and operates as a “ransomware-as-a-service” group. Dark web actors hire its services or use its software to carry out attacks. The Russian group typically targets organizations with a minimum annual revenue of $5 million, according to Health IT Security.

Clop has attacked 230 organizations so far

The Clop group is the successor of the CryptoMix ransomware, which was also developed in Russia. Six Clop hackers with a tendency to attack US universities were arrested in Ukraine in 2021 in a joint operation between Ukraine, the US, and South Korea. At the time, the gang had laundered $500 million in ransomware payments. Cybersecurity researchers estimate that Clop has successfully attacked at least 230 organizations till now.

Russia is notorious for harboring prolific hacking groups, although the country vehemently denies this. In April, another such gang, KillNet, attacked Europe’s air-traffic control agency, the European Organization for the Safety of Air Navigation, paralyzing air traffic employee operations. A 2022 Chainalysis report also showed that 74% of all money made through crypto-ransomware attacks went to Russia-linked hackers.