Cl0p Deadline Day: Will They Leak The Data This Week?

Last week, the Cl0p ransomware group issued an ultimatum to MOVEit victims, threatening to leak their data if the group had not received a ransomware payment by today, 14th June.

Hüseyin Can Yuceel is a security researcher at Picus Security, a company specialising in simulating the attacks of criminal gangs like Cl0p. Here, he discusses how he expects the scenario to play out this week:

The CL0P ransomware group has claimed to have compromised more than 230 companies worldwide and says it will release exfiltrated sensitive data of their victims on their leak site. Since the purpose of threatening to release stolen data is to pressure the victims into paying the demanded ransom, CL0P may not release the data in its entirety this week. However, previous attacks show that they are not bluffing.

Depending on the victims and their willingness to pay the ransom, CL0P may release stolen sensitive data partially over time or in its entirety this week.

There is a growing trend among ransomware groups of double extortion. In the double extortion method, ransomware groups exfiltrate organisations’ sensitive data prior to encryption and give deadlines for payment to pressure victims into paying the ransom. If victims do not pay the demanded ransom, adversaries will release the sensitive data to harm their victims’ reputations.

As for how potential Cl0p victims should respond, prevention is always the number one priority against ransomware attacks. After ransomware infection, there is not much that can be done. Even if backups are in place, ransomware groups can release their victims’ sensitive data and harm their reputation. Law enforcement agencies advise businesses not to pay ransoms because ransomware groups may not deliver the decryption key after the payment. There are also other risks with ransom payments.

We have observed that organisations known to pay the ransom are much more likely to be targeted by the same or other ransomware groups in the future. Ransomware payments can also perpetuate the ransomware threat and are used to fund other illegal activities.

In the UK, there are also strict financial sanctions against making ransomware payments to Russian ransomware organisations. The Office of Financial Sanctions Implementation considers ransom payments as a breach of financial sanctions, which is a serious criminal offence and can carry a custodial sentence and the imposition of a monetary penalty.

Ransomware victims in the UK should therefore report the attack to the National Cyber Security Centre and request support for managing the cyber incident if needed.