Exclusive: US Banks and Universities Revealed as Initial Victims of MOVEit Mass-Hacks by Ransomware Gangs

Ransomware gang reveals initial victims of MOVEit mass-hacks, which include banks and universities in the United States.

According to researchers, the ransomware gang's exploitation of the critical security vulnerability may date back as early as 2021.

The ransomware gang, linked to Russia, has taken advantage of the security flaw in MOVEit Transfer, a widely used corporate file transfer tool, since late May. Although Progress Software, the developer of MOVEit, has patched the vulnerability, several customers were compromised before the fix was implemented.

The exact number of victims is still unknown. However, on Wednesday, Clop, the ransomware gang, published the first list of organizations it claims to have hacked by exploiting the MOVEit flaw. The victim list, disclosed on Clop’s dark web leak site, includes financial services organizations 1st Source and First National Bankers Bank, both based in the United States; investment management firm Putnam Investments in Boston; Landal Greenparks in the Netherlands; and energy giant Shell in the United Kingdom.

Although GreenShield Canada, a non-profit benefits carrier, was initially listed on the leak site, it has since been removed.

Other victims mentioned are Datasite, a financial software provider; National Student Clearinghouse, an educational non-profit; United Healthcare Student Resources, a student health insurance provider; Leggett & Platt, an American manufacturer; ÖKK, a Swiss insurance company; and the University System of Georgia (USG).

A spokesperson from USG stated that they are evaluating the extent and severity of the potential data exposure. If necessary, they will issue notifications in compliance with federal and state laws.

Florian Pitzinger, a spokesperson for German mechanical engineering company Heidelberg, which was listed as a victim by Clop, said that the company is aware of its mention on Clop’s Tor website and of the incident related to a supplier’s software. He added that the incident occurred a few weeks ago, was promptly and effectively handled, and did not result in any data breaches based on their analysis.

TechCrunch has yet to receive responses from the other listed victims regarding their questions.

Clop typically contacts its victims directly to demand ransom payments in exchange for decrypting or deleting stolen files, but in this campaign it deviated from its usual approach and did not directly contact the organizations it hacked. Instead, a blackmail message posted on its dark web leak site instructed victims to contact the gang before the June 14 deadline.

At the time of writing, no stolen data has been published, but Clop informs victims that it has downloaded a substantial amount of their data.

New victims emerge as well-known organizations confirm their compromise due to the attacks. These include the BBC, Aer Lingus, and British Airways, which were affected because they rely on Zellis, an HR and payroll software supplier that confirmed the compromise of its MOVEit system.

The Government of Nova Scotia, which employs MOVEit for file sharing, also confirmed it was affected, stating that personal information of some citizens may have been compromised. However, Clop stated on its leak site that it has erased all data taken from government, city, or police services.

While the full scale of the attacks is still unclear, additional victims continue to disclose their incidents. Johns Hopkins University recently confirmed a cybersecurity breach related to the MOVEit mass-hack. The university mentioned that the data breach may have compromised sensitive personal and financial information, including names, contact details, and health billing records.

Ofcom, the U.K.’s communications regulator, also acknowledged that some confidential information was compromised in the MOVEit mass-hack. The regulator confirmed that the hackers accessed certain data related to the companies it regulates, as well as personal information of 412 Ofcom employees.

Transport for London (TfL), the government body responsible for London’s transportation services, and global consultancy firm Ernst and Young are also affected, according to BBC News. Neither organization has responded to TechCrunch’s inquiries.

In the coming days and weeks, more victims are expected to be revealed, as there are still thousands of discoverable MOVEit servers, primarily located in the United States.

Researchers suggest that Clop may have been exploiting the MOVEit vulnerability since 2021. American risk consulting firm Kroll stated in a report that although the vulnerability only became known in late May, their researchers identified activities indicating Clop’s experimentation with exploiting this specific vulnerability for nearly two years.

Clop has also been responsible for previous mass-attacks, exploiting vulnerabilities in Fortra’s GoAnywhere file transfer tool and Accellion’s file transfer application.