Now on Demand: Threat Detection and Incident Response (TDIR) Summit - All Sessions Available
Connect with us

Hi, what are you looking for?


Data Breaches

MOVEit Hack Could Earn Cybercriminals $100M as Number of Confirmed Victims Grows

Experts believe the Cl0p ransomware gang could earn as much as $100 million from the MOVEit hack, with the number of confirmed victims approaching 400.

Ransomware recovery company Coveware believes the Cl0p ransomware gang could earn as much as $100 million from the MOVEit hack, which has impacted hundreds of organizations.

In a ransomware monetization report published on Friday, Coveware said the percentage of victims that paid a ransom in the second quarter of 2023 fell to a record low of 34%. 

The company noted that the chances of cybercriminals getting paid in the case of attacks that only involve data theft without the deployment of file-encrypting ransomware — such as in the case of the MOVEit hack — the probability of a ransom being paid by the victim is less than 50%, but the ransom amount has been typically higher. 

“While the MOVEit campaign may end up impacting over 1,000 companies directly, and an order of magnitude more indirectly, a very very small percentage of victims bothered trying to negotiate, let alone contemplated paying. Those that did pay, paid substantially more than prior Cl0p campaigns, and several times more than the global Average Ransom Amount of $740,144,” Coveware said.

“It is likely that the Cl0p group may earn $75-100 million dollars just from the MOVEit campaign, with that sum coming from just a small handful of victims that succumbed to very high ransom payments,” it added. 

In the meantime, the Cl0p group has been trying new tactics to get MOVEit victims to pay up, including by setting up dedicated surface web sites for some of the major targets, such as accounting giants EY and PwC

This tactic, which involves posting some of the stolen data for everyone to see, has been used by other groups as well, such as the Alphv/BlackCat gang

Anti-malware firm Emsisoft has been tracking the MOVEit hack and it’s currently aware of nearly 400 victims, including organizations that were hit directly and ones that were indirectly impacted. 

Advertisement. Scroll to continue reading.

For instance, UK-based payroll and HR company Zellis was hit directly and major companies using Zellis services, such as the BBC and British Airways, were impacted indirectly.  

Another example is PBI, which provides research services for the pension, insurance and financial sectors. It appears that several organizations and millions of people had their information compromised through the PBI MOVEit hack, according to data collected by

Based on data from state breach notifications, SEC filings and other public disclosures, Emsisoft believes there are more than 20 million affected individuals. However, Emsisoft’s Brett Callow noted that this number comes from only 66 disclosures, with many victims yet to disclose the number of impacted people.

The MOVEit attack involved exploitation of a zero-day vulnerability that gave cybercriminals access to data transferred by organizations through the managed file transfer solution.

Bitsight reported last week that many organizations quickly addressed the zero-day and other recently discovered MOVEit vulnerabilities, which is not surprising given their notoriety. 

Related: MOVEit: Testing the Limits of Supply Chain Security

Related: After Zero-Day Attacks, MOVEit Turns to Security Service Packs

Written By

Eduard Kovacs (@EduardKovacs) is a managing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Click to comment


Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join the session as we discuss the challenges and best practices for cybersecurity leaders managing cloud identities.


SecurityWeek’s Ransomware Resilience and Recovery Summit helps businesses to plan, prepare, and recover from a ransomware incident.


People on the Move

Fastly announced that Scott Lovett will join the company as Chief Revenue Officer, effective June 3, 2024.

Digital transformation consulting firm Synechron has hired Aaron Momin as CISO.

Wendy Zheng named as CFO and Joe Diamond as CMO at cyber asset management firm Axonius.

More People On The Move

Expert Insights