{
	"id": "f6edfca4-e2e7-41ee-b647-10c096e8ad68",
	"created_at": "2026-04-06T00:08:36.166446Z",
	"updated_at": "2026-04-10T13:11:48.548068Z",
	"deleted_at": null,
	"sha1_hash": "a66fe88f9c4727465838f8a2b64d09d999af491a",
	"title": "Clop ransomware gang starts extorting MOVEit data-theft victims",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1030241,
	"plain_text": "Clop ransomware gang starts extorting MOVEit data-theft victims\r\nBy Lawrence Abrams\r\nPublished: 2023-06-15 · Archived: 2026-04-05 21:13:24 UTC\r\nThe Clop ransomware gang has started extorting companies impacted by the MOVEit data theft attacks, first listing the\r\ncompany's names on a data leak site—an often-employed tactic before public disclosure of stolen information\r\nThese entries come after the threat actors exploited a zero-day vulnerability in the MOVEit Transfer secure file transfer\r\nplatform on May 27th to steal files stored on the server.\r\nThe Clop gang took responsibility for the attacks, claiming to have breached \"hundreds of companies\" and warning that their\r\nnames would be added to a data leak site on June 14th if negotiations did not occur.\r\nhttps://www.bleepingcomputer.com/news/security/clop-ransomware-gang-starts-extorting-moveit-data-theft-victims/\r\nPage 1 of 4\n\n0:00\r\nhttps://www.bleepingcomputer.com/news/security/clop-ransomware-gang-starts-extorting-moveit-data-theft-victims/\r\nPage 2 of 4\n\nVisit Advertiser websiteGO TO PAGE\r\nIf an extortion demand is not paid, the threat actors say they will begin leaking stolen data on June 21st.\r\nClop begins extorting companies\r\nYesterday, the Clop threat actors listed thirteen companies on their data leak site but did not state if they were related to the\r\nMOVEit Transfer attacks or were ransomware encryption attacks.\r\nSince then, one of the companies, Greenfield CA, has been removed, indicating the listing was either a mistake or\r\nnegotiations are taking place.\r\nFive of the listed companies, British multinational oil and gas company Shell, UnitedHealthcare Student Resources (UHSR),\r\nthe University of Georgia (UGA) and University System of Georgia (USG), Heidelberger Druck, and Landal Greenparks,\r\nhave since confirmed to BleepingComputer that they were impacted in varying degrees by the MOVEit attacks.\r\nShell said only a small number of employees 
and customers were impacted, and Landal told BleepingComputer the threat\r\nactors accessed the names and contact information for approximately 12,000 guests.\r\nThe University System of Georgia, University of Georgia, and UnitedHealthcare Student Resources told BleepingComputer\r\nthey are still investigating the attack and will disclose any breaches if discovered.\r\nGerman printing company Heidelberger Druck told BleepingComputer that while they use MOVEit Transfer, their analysis\r\nindicates it did not lead to any data breach.\r\nPutnam Investments, which is also listed on Clop's data leak site, told BleepingComputer they are looking into the matter.\r\nWhile the other companies listed on Clop's site have not responded to our emails, Macnica security researcher Yutaka\r\nSejiyama shared data with BleepingComputer confirming that they currently use the MOVEit Transfer platform or have\r\ndone so in the past.\r\nAlready disclosed data breaches\r\nOther organizations that have already disclosed MOVEit Transfer breaches include Zellis (BBC, Boots, and Aer\r\nLingus, Ireland's HSE through Zellis), the University of Rochester, the government of Nova Scotia, the US state of Missouri,\r\nthe US state of Illinois, BORN Ontario, Ofcom, Extreme Networks, and the American Board of Internal Medicine.\r\nIn similar attacks in the past using zero-day vulnerabilities in the Accellion FTA, GoAnywhere MFT, and SolarWinds Serv-U managed file transfer platforms, the threat actors demanded $10 million ransoms to prevent the leaking of data.\r\nBleepingComputer has learned the extortion operation was not very successful in the GoAnywhere extortion attempts, with\r\ncompanies preferring to disclose data breaches rather than pay a ransom.\r\nToday, CNN reported that the U.S. Cybersecurity and Infrastructure Security Agency (CISA) was working with several\r\nU.S. federal agencies that had also been breached using the MOVEit zero-day vulnerability. Two U.S. 
Department of Energy\r\n(DOE) entities were also compromised, according to Federal News Network.\r\nHowever, the Clop threat actors previously told BleepingComputer that they automatically deleted any data stolen from the\r\ngovernment.\r\n\"I want to tell you right away that the military, children's hospitals, GOV etc like this we no to attack, and their data was\r\nerased,\" claimed the ransomware operation.\r\nUnfortunately, once data is stolen, there is no way to confirm if data is actually deleted as promised, and it should be assumed\r\nto be at risk.\r\nSource: https://www.bleepingcomputer.com/news/security/clop-ransomware-gang-starts-extorting-moveit-data-theft-victims/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://www.bleepingcomputer.com/news/security/clop-ransomware-gang-starts-extorting-moveit-data-theft-victims/"
	],
	"report_names": [
		"clop-ransomware-gang-starts-extorting-moveit-data-theft-victims"
	],
	"threat_actors": [
		{
			"id": "d90307b6-14a9-4d0b-9156-89e453d6eb13",
			"created_at": "2022-10-25T16:07:23.773944Z",
			"updated_at": "2026-04-10T02:00:04.746188Z",
			"deleted_at": null,
			"main_name": "Lead",
			"aliases": [
				"Casper",
				"TG-3279"
			],
			"source_name": "ETDA:Lead",
			"tools": [
				"Agentemis",
				"BleDoor",
				"Cobalt Strike",
				"CobaltStrike",
				"RbDoor",
				"RibDoor",
				"Winnti",
				"cobeacon"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434116,
	"ts_updated_at": 1775826708,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/a66fe88f9c4727465838f8a2b64d09d999af491a.pdf",
		"text": "https://archive.orkl.eu/a66fe88f9c4727465838f8a2b64d09d999af491a.txt",
		"img": "https://archive.orkl.eu/a66fe88f9c4727465838f8a2b64d09d999af491a.jpg"
	}
}