Clop Ransomware Group Exploits MOVEit Vulnerability, Targets Major Law Firms and Corporations
A ransomware attack linked to the Clop cybercrime group has compromised several high-profile organizations, including law firms Kirkland & Ellis, Proskauer Rose, and K&L Gates, as well as entities like Ofcom, EY, PwC, Shell, and Aon. The breach stemmed from a critical SQL injection vulnerability in MOVEit Transfer, a third-party file-transfer software exploited by a hacker operating under the alias "Lance Tempest" a suspected affiliate of Clop.
The attack began in late May, when Clop infiltrated MOVEit’s systems. Though the vendor released a patch shortly after, many organizations failed to apply it in time, leaving them exposed. Clop initially gave victims until June 14 to negotiate via a dark web portal, warning that non-compliance would result in public exposure of their identities. When the deadline passed, the group published the names of over 100 affected organizations, signaling their refusal or inability to engage.
Unlike typical ransomware operations, Clop does not disclose fixed ransom amounts upfront. Instead, victims are directed to contact the group via email before negotiations shift to an encrypted chat on its dark web site. If no agreement is reached within three days, Clop threatens to release stolen data within a week. Cybersecurity firm Cypfer reports that the group’s demands often start at $3 million.
Believed to be Russian-linked, Clop has drawn heightened scrutiny from authorities, with the U.S. government offering a $10 million bounty for information leading to the arrest of its leader. Meanwhile, the targeted law firms have not disclosed details about the compromised data, ransom demands, or their response strategies.
The incident underscores the persistent threat of supply-chain attacks, particularly against law firms frequent targets due to their handling of sensitive client information. Earlier this year, a separate case involving a junior solicitor highlighted internal security risks, as she sued a firm over alleged unauthorized access to her private WhatsApp messages.
Source: https://www.rollonfriday.com/news-content/kirkland-kl-gates-and-proskauer-hit-ransomware-attack
K&L Gates TPRM report: https://www.rankiteo.com/company/k&l-gates
Ofcom TPRM report: https://www.rankiteo.com/company/ofcom
MOVEit TPRM report: https://www.rankiteo.com/company/moveit
Kirkland & Ellis TPRM report: https://www.rankiteo.com/company/kirkland-&-ellis-llp
Proskauer Rose TPRM report: https://www.rankiteo.com/company/proskauer-rose-llp
PwC TPRM report: https://www.rankiteo.com/company/pwc
Aon TPRM report: https://www.rankiteo.com/company/aon
Shell TPRM report: https://www.rankiteo.com/company/shell
"id": "ofck&laonprokirshepwcmov1781843490",
"linkid": "ofcom, k&l-gates, aon, proskauer-rose-llp, kirkland-&-ellis-llp, shell, pwc, moveit",
"type": "Ransomware",
"date": "7/2023",
"severity": "100",
"impact": "4",
"explanation": "Attack with significant impact with customers data leaks"
{'affected_entities': [{'industry': 'Legal',
'name': 'Kirkland & Ellis',
'type': 'Law firm'},
{'industry': 'Legal',
'name': 'Proskauer Rose',
'type': 'Law firm'},
{'industry': 'Legal',
'name': 'K&L Gates',
'type': 'Law firm'},
{'industry': 'Telecommunications',
'name': 'Ofcom',
'type': 'Regulatory body'},
{'industry': 'Consulting/Accounting',
'name': 'EY',
'type': 'Professional services'},
{'industry': 'Consulting/Accounting',
'name': 'PwC',
'type': 'Professional services'},
{'industry': 'Energy',
'name': 'Shell',
'type': 'Corporation'},
{'industry': 'Insurance/Professional services',
'name': 'Aon',
'type': 'Corporation'}],
'attack_vector': 'Supply-chain attack (third-party software vulnerability)',
'data_breach': {'data_exfiltration': True,
'personally_identifiable_information': True,
'sensitivity_of_data': 'High',
'type_of_data_compromised': 'Sensitive client information'},
'date_detected': 'late May',
'description': 'A ransomware attack linked to the Clop cybercrime group has '
'compromised several high-profile organizations, including law '
'firms Kirkland & Ellis, Proskauer Rose, and K&L Gates, as '
'well as entities like Ofcom, EY, PwC, Shell, and Aon. The '
'breach stemmed from a critical SQL injection vulnerability in '
'MOVEit Transfer, a third-party file-transfer software '
"exploited by a hacker operating under the alias 'Lance "
"Tempest,' a suspected affiliate of Clop.",
'impact': {'brand_reputation_impact': True,
'data_compromised': True,
'identity_theft_risk': True,
'systems_affected': 'MOVEit Transfer file-transfer software'},
'initial_access_broker': {'entry_point': 'MOVEit Transfer vulnerability',
'high_value_targets': 'Law firms and corporations '
'handling sensitive data'},
'lessons_learned': 'The incident underscores the persistent threat of '
'supply-chain attacks, particularly against law firms '
'frequent targets due to their handling of sensitive '
'client information.',
'motivation': 'Financial gain (ransom demands)',
'post_incident_analysis': {'root_causes': 'Failure to apply security patches '
'for MOVEit Transfer vulnerability'},
'ransomware': {'data_exfiltration': True,
'ransom_demanded': 'Starting at $3 million',
'ransomware_strain': 'Clop'},
'references': [{'source': 'Cybersecurity firm Cypfer'},
{'source': 'U.S. government bounty announcement'}],
'threat_actor': 'Clop ransomware group (affiliate: Lance Tempest)',
'title': 'Clop Ransomware Group Exploits MOVEit Vulnerability, Targets Major '
'Law Firms and Corporations',
'type': 'Ransomware',
'vulnerability_exploited': 'SQL injection vulnerability in MOVEit Transfer'}