Connect with us

Hi, what are you looking for?



Ransomware Group Starts Naming Victims of MOVEit Zero-Day Attacks

The Cl0p ransomware gang has listed more than two dozen victims of the MOVEit zero-day attack on its leak website.

The Cl0p ransomware group has made public the names of more than two dozen organizations that appear to have been targeted in a campaign leveraging a zero-day vulnerability in the MOVEit managed file transfer (MFT) software. 

The cybercrime gang exploited a MOVEit Transfer vulnerability tracked as CVE-2023-34362 to steal data from organizations that had been using the product. Some evidence suggests that the hackers have been testing the flaw since 2021, but mass exploitation seems to have started in late May 2023.

The attacks were quickly linked to the Cl0p group, which had previously exploited a zero-day in the GoAnywhere MFT product to steal data from many organizations. The cybercriminals have confirmed being behind the MOVEit zero-day campaign and they gave victims until June 14 to get in touch in order to prevent data stolen from their systems from getting leaked. They claim to have hit hundreds of entities. 

More than two dozen organizations have been named on the Cl0p leak website after the June 14 deadline, and they are presumably the MOVEit attack victims that decided not to contact the cybercriminals — the hackers do not clearly state that they are MOVEit victims.

The list includes energy giant Shell, as well as various organizations in the financial, healthcare, manufacturing, IT, pharmaceutical, and education sectors. A majority of the victims are banks and other financial institutions located in the United States, followed by healthcare organizations. When the breach came to light, the hackers said they would not target healthcare facilities for children. 

For the time being, the ransomware group does not appear to have leaked any data from these organizations. 

The first victims to come forward included UK-based payroll and HR company Zellis (its customers British Airways, Aer Lingus, the BBC, and Boots were also hit), the Canadian province of Nova Scotia, the University of Rochester, the Illinois Department of Innovation & Technology (DoIT), and the Minnesota Department of Education (MDE).

The list of organizations that have confirmed being hit continues to grow. Johns Hopkins University and Johns Hopkins Health System, UK media watchdog Ofcom, and a Missouri state agency have issued statements related to the incident in recent days. 

Advertisement. Scroll to continue reading.

CNN reported on Thursday that several US federal government agencies were also hit, according to Eric Goldstein, executive assistant director for cybersecurity at the Cybersecurity and Infrastructure Security Agency (CISA). The list includes the Department of Energy, which has taken steps to mitigate the impact of the hack.

The cybercriminals claim they are only trying to get a ransom from businesses and that all the government data they have obtained has been deleted. 

In the meantime, MOVEit developer Progress Software has informed customers about another new vulnerability, one that “could lead to escalated privileges and potential unauthorized access to the environment”. The vendor has released patches, but a CVE identifier has yet to be assigned. 

“We took HTTPs traffic down for MOVEit Cloud in light of the newly published vulnerability and asked all MOVEit Transfer customers to take down their HTTP and HTTPs traffic to safeguard their environments while a patch was created and tested,” Progress explained in an advisory.

This comes less than a week after Progress announced the release of patches for CVE-2023-35036, new SQL injection vulnerabilities discovered by researchers during the analysis of the zero-day flaw. 

The newer vulnerabilities do not seem to have been exploited in the wild. 

Related: Barracuda Zero-Day Attacks Attributed to Chinese Cyberespionage Group

Related: Chinese Cyberspies Caught Exploiting VMware ESXi Zero-Day

Written By

Eduard Kovacs (@EduardKovacs) is a managing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join security experts as they discuss ZTNA’s untapped potential to both reduce cyber risk and empower the business.


Join Microsoft and Finite State for a webinar that will introduce a new strategy for securing the software supply chain.


Expert Insights

Related Content


The changing nature of what we still generally call ransomware will continue through 2023, driven by three primary conditions.


Satellite TV giant Dish Network confirmed that a recent outage was the result of a cyberattack and admitted that data was stolen.


A SaaS ransomware attack against a company’s Sharepoint Online was done without using a compromised endpoint.


Several major organizations are confirming impact from the latest zero-day exploits hitting Fortra's GoAnywhere software.

Management & Strategy

Industry professionals comment on the recent disruption of the Hive ransomware operation and its hacking by law enforcement.

Data Breaches

KFC and Taco Bell parent company Yum Brands says personal information was compromised in a January 2023 ransomware attack.


US payments giant NCR has confirmed being targeted in a ransomware attack for which the BlackCat/Alphv group has taken credit.

Malware & Threats

Unpatched and unprotected VMware ESXi servers worldwide have been targeted in a ransomware attack exploiting a vulnerability patched in 2021.