{
	"id": "fe1e2777-9d54-4438-8733-e77783b1a0cc",
	"created_at": "2026-04-06T00:12:47.036802Z",
	"updated_at": "2026-04-10T03:29:40.101309Z",
	"deleted_at": null,
	"sha1_hash": "2fb54a41327954ed1ac289f40bb482052ffa1792",
	"title": "Clop now leaks data stolen in MOVEit attacks on clearweb sites",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1181754,
	"plain_text": "Clop now leaks data stolen in MOVEit attacks on clearweb sites\r\nBy Lawrence Abrams\r\nPublished: 2023-07-23 · Archived: 2026-04-05 13:33:46 UTC\r\nThe Clop ransomware gang is copying an ALPHV ransomware gang extortion tactic by creating Internet-accessible websites\r\ndedicated to specific victims, making it easier to leak stolen data and further pressuring victims into paying a ransom.\r\nWhen a ransomware gang attacks a corporate target, they first steal data from the network and then encrypt files. This stolen\r\ndata is used as leverage in double-extortion attacks, warning victims that the data will be leaked if a ransom is not paid.\r\nRansomware data leak sites are usually located on the Tor network as it makes it harder for the website to be taken down or\r\nfor law enforcement to seize their infrastructure.\r\nHowever, this hosting method comes with its own issues for the ransomware operators, as a specialized Tor browser is\r\nrequired to access the sites, search engines do not index the leaked data, and the download speeds are typically very slow.\r\nTo overcome these obstacles, last year, the ALPHV ransomware operation, also known as BlackCat, introduced a new\r\nextortion tactic of creating clearweb websites to leak stolen data that were promoted as a way for employees to check if their\r\ndata was leaked.\r\nA clearweb website is hosted directly on the Internet rather than on anonymous networks like Tor, which require special\r\nsoftware to access.\r\nThis new method makes it easier to access the data and will likely cause it to be indexed by search engines, further\r\nexpanding the spread of the leaked information.\r\nClop ransomware gang adopts tactic\r\nLast Tuesday, security researcher Dominic Alvieri told BleepingComputer that the Clop ransomware gang had started to\r\ncreate clearweb websites to leak data stolen during the recent and widespread MOVEit Transfer data theft attacks.\r\nThe first site created by the threat actors was for business consulting firm PWC, creating a website that leaked the\r\ncompany's stolen data in four spanned ZIP archives.\r\nSoon after Alvieri told BleepingComputer, the threat actors also created websites for Aon, EY (Ernst \u0026 Young), Kirkland,\r\nand TD Ameritrade.\r\nNone of Clop's sites are as sophisticated as the ones created by ALPHV last year, as they simply list links to download the\r\ndata rather than having a searchable database like BlackCat's sites.\r\nClearweb site created to leak PWC data\r\nSource: BleepingComputer\r\nA waste of time?\r\nThese sites aim to scare employees, executives, and business partners who may have been impacted by the stolen data,\r\nhoping it causes them to exert further pressure on a company to pay the ransom.\r\nHowever, while there may be some benefits to leaking data in this way, they also come with their own problems, as putting\r\nthem on the Internet, rather than Tor, makes them far more easily taken down.\r\nAt this time, all of the known Clop clearweb extortion sites have been taken offline.\r\nIt is unclear if these sites are down due to law enforcement seizures, DDoS attacks by cybersecurity firms, or hosting\r\nproviders and registrars shutting down the sites.\r\nDue to the ease with which they can be shut down, it is doubtful that this extortion tactic is worth the effort.\r\nSource: https://www.bleepingcomputer.com/news/security/clop-now-leaks-data-stolen-in-moveit-attacks-on-clearweb-sites/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"references": [
		"https://www.bleepingcomputer.com/news/security/clop-now-leaks-data-stolen-in-moveit-attacks-on-clearweb-sites/"
	],
	"report_names": [
		"clop-now-leaks-data-stolen-in-moveit-attacks-on-clearweb-sites"
	],
	"threat_actors": [
		{
			"id": "6e23ce43-e1ab-46e3-9f80-76fccf77682b",
			"created_at": "2022-10-25T16:07:23.303713Z",
			"updated_at": "2026-04-10T02:00:04.530417Z",
			"deleted_at": null,
			"main_name": "ALPHV",
			"aliases": [
				"ALPHV",
				"ALPHVM",
				"Ambitious Scorpius",
				"BlackCat Gang",
				"UNC4466"
			],
			"source_name": "ETDA:ALPHV",
			"tools": [
				"ALPHV",
				"ALPHVM",
				"BlackCat",
				"GO Simple Tunnel",
				"GOST",
				"Impacket",
				"LaZagne",
				"MEGAsync",
				"Mimikatz",
				"Munchkin",
				"Noberus",
				"PsExec",
				"Remcom",
				"RemoteCommandExecution",
				"WebBrowserPassView"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434367,
	"ts_updated_at": 1775791780,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/2fb54a41327954ed1ac289f40bb482052ffa1792.pdf",
		"text": "https://archive.orkl.eu/2fb54a41327954ed1ac289f40bb482052ffa1792.txt",
		"img": "https://archive.orkl.eu/2fb54a41327954ed1ac289f40bb482052ffa1792.jpg"
	}
}