Ransomware recovery company Coveware believes the Cl0p ransomware gang could earn as much as $100 million from the MOVEit hack, which has impacted hundreds of organizations.
In a ransomware monetization report published on Friday, Coveware said the percentage of victims that paid a ransom in the second quarter of 2023 fell to a record low of 34%.
The company noted that in attacks that only involve data theft without the deployment of file-encrypting ransomware, such as the MOVEit hack, the probability of a ransom being paid by the victim is less than 50%, but the ransom amount has typically been higher.
“While the MOVEit campaign may end up impacting over 1,000 companies directly, and an order of magnitude more indirectly, a very very small percentage of victims bothered trying to negotiate, let alone contemplated paying. Those that did pay, paid substantially more than prior Cl0p campaigns, and several times more than the global Average Ransom Amount of $740,144,” Coveware said.
“It is likely that the Cl0p group may earn $75-100 million dollars just from the MOVEit campaign, with that sum coming from just a small handful of victims that succumbed to very high ransom payments,” it added.
In the meantime, the Cl0p group has been trying new tactics to get MOVEit victims to pay up, including by setting up dedicated surface web sites for some of the major targets, such as accounting giants EY and PwC.
This tactic, which involves posting some of the stolen data for everyone to see, has been used by other groups as well, such as the Alphv/BlackCat gang.
Anti-malware firm Emsisoft has been tracking the MOVEit hack and it’s currently aware of nearly 400 victims, including organizations that were hit directly and ones that were indirectly impacted.
For instance, UK-based payroll and HR company Zellis was hit directly and major companies using Zellis services, such as the BBC and British Airways, were impacted indirectly.
Another example is PBI, which provides research services for the pension, insurance and financial sectors. It appears that several organizations and millions of people had their information compromised through the PBI MOVEit hack, according to data collected by DataBreaches.net.
Based on data from state breach notifications, SEC filings and other public disclosures, Emsisoft believes there are more than 20 million affected individuals. However, Emsisoft’s Brett Callow noted that this number comes from only 66 disclosures, with many victims yet to disclose the number of impacted people.
The MOVEit attack involved exploitation of a zero-day vulnerability that gave cybercriminals access to data transferred by organizations through the managed file transfer solution.
Bitsight reported last week that many organizations quickly addressed the zero-day and other recently discovered MOVEit vulnerabilities, which is not surprising given their notoriety.

Eduard Kovacs (@EduardKovacs) is a managing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.
