Suspected Russian Cyber Crime Gang Issue BBC BA And Boots With Ultimatum To Negotiate

By Tony O’Reilly

A suspected Russian cyber crime gang has issued an ultimatum to victims of a hack that has hit organisations around the world.

The Clop group posted a notice on the dark web warning those affected by the MOVEit hack to email them before 14 June or stolen data will be published.

More than 100,000 staff at the BBC, British Airways and Boots have been told payroll data may have been taken.

Employers are being urged not to pay up if the hackers demand a ransom.

The suspected Russian group Clop, which claimed responsibility for the attack, issued the notice on the dark web to victims of the MOVEit software hack.

Personal data of more than 100,000 employees was accessed in the attack, including bank and contact details.

In a dark web blog post, Clop told victims to email and negotiate with the group by 14 June, the BBC reported.

The BBC itself was impacted by the attack, as was airline Aer Lingus.

Clop has reportedly claimed it has deleted any data from government, city or police services, saying: “Do not worry, we erased your data you do not need to contact us. We have no interest to expose such information.”

Cyber security research previously suggested Clop could be responsible for the hack which was first announced last week.

The hacker group claims to have information on “hundreds” of companies. In the post, they are coy about the nature of their attack, describing it merely as “penetration testing service after the fact”.

“This is announcement to educate companies who use Progress MOVEit product that chance is that we download a lot of your data as part of exceptional exploit,” the demand reads. “We are the only one who perform such attack and relax because your data is safe.”

The criminals found a way to break into a piece of popular business software called MOVEit and were then able to use that access to get into the databases of potentially hundreds of other companies.

The post, seen by the BBC, reads: “This is announcement to educate companies who use Progress MOVEit product that chance is that we download a lot of your data as part of exceptional exploit.”

The post goes on to urge victim organisations to send an email to the gang to begin a negotiation on the crew’s darknet portal.

This is an unusual tactic as normally ransom demands are emailed to victim organisations by the hackers, but here they are demanding that victims get in touch. This could be because Clop itself can’t keep up with the scale of the hack which is still being processed around the world.

MOVEit is supplied by Progress Software in the US for many businesses to securely move files around company systems. Payroll services provider Zellis, which is based in the UK, was one of its users.

Zellis has confirmed that eight organisations have had data stolen as a result, including home addresses, national insurance numbers and, in some cases, bank details. Not all firms have had the same data exposed.

Payroll software company Zellis – which used the MOVEit software that resulted in BA, BBC and Aer Lingus staff having their data accessed – said eight of its customers were hit but did not name them.

Other Zellis customers include Jaguar Land Rover, Harrods and Dyson.

A weak link in MOVEit code – a so-called zero day vulnerability – enabled hackers to access its servers and the personal and financial data of employees.

The motivation of the group, which claimed responsibility in an email to Reuters news agency on Monday, remains unclear.

Individuals are urged not to panic, and organisations are urged to carry out the security checks issued by authorities like the Cyber Security and Infrastructure Authority in the US.

Clop claims on its leak site that it has deleted any data from government, city or police services.

“Do not worry, we erased your data you do not need to contact us. We have no interest to expose such information,” it reads.

However, researchers say the criminals are not to be trusted.

“Clop’s claim to have deleted information relating to public sector organisations should be taken with a pinch of salt. If the information has monetary value or could be used for phishing, it’s unlikely that they will simply have disposed it,” said Brett Callow, threat researcher from Emsisoft.

Cyber security experts have long tracked the exploits of Clop, which is thought to be based in Russia as it mainly operates on Russian speaking forums.

Russia has long been accused of being a safe haven to ransomware gangs – which it denies.

However, Clop runs as a “ransomware as a service” group, which means hackers can rent their tools to carry out attacks from anywhere.