A cybercrime syndicate used by the Clop ransomware gang is substantially more prevalent than any other cybercrime syndicate in exploiting the MOVEit vulnerability than any other. As an additional complication, the ransomware gang's data stolen through the MOVEit vulnerability is now leaked onto the Clearweb domain.
It was reported in May of this year that a ransomware gang known as the Clop ransomware group exploited a vulnerability in the MOVEit file transfer software. This vulnerability exposed the data of hundreds and thousands of companies and organizations, including Boots, British Airways, the BBC, and many others.
As a result of the ransomware gang's efforts to leak data stolen through MOVEit, publicly accessible websites have been set up. In general, ransomware leak sites are commonly hosted on open-source privacy networks that allow web users to surf anonymously, so law enforcement has trouble accessing the infrastructure. As opposed to this, this type of website is hosted on a public server. This allows the site to be indexed by search engines and amplified through these means.
A report published by Bitdefender reports that many of those who made payments handed out substantially more than the global average ransomware amount, just $740,144 (£577.34), an increase of 126% from the first quarter of 2023, which is a record level. Coveware estimates that it earned approximately $75-100 million from victims hit with extremely high ransoms for a small number of victims.
Based on the data provided by Coveware, the approximate earnings of the attackers range from $75-100 million (£58.7-78 million), from just a small number of victims who paid extremely high ransoms.
It has been reported by security researcher Dominic Alvieri that the hacking group created and released its first public access website to leak data stolen from PWC, which is a business consulting firm, for the past two years during his research on the clop operation. In the last couple of years, the website has been taken down from the internet.
A Clop ransomware gang exploits an ALPHV version of its extortion tactic to spread ransomware. It takes advantage of the Internet by creating websites that target specific victims to leak their data and further pressurise them into paying ransoms.
Data is stolen from corporate networks when a ransomware gang attacks a target. As a result of the ransomware, this data is encrypted. When victims do not pay the ransom, they will receive a notification that their data will be leaked if payment is not made. This is the most common part of double-extortion attacks.
There are usually sites on the Tor network that are responsible for leaking ransomware data in the form of leaks. The more secure the website is, the more difficult it is for law enforcement to seize the web infrastructure or take down the website if they want to take down the website. Despite this, running a ransomware operation is associated with many unique problems due to its hosting method.
There are several barriers to accessing leaked sites, including a specialised Tor browser. In addition, there is a lack of indexation of leaked data by search engines and very slow download speeds.
ALPHV, also known as BlackCat, a ransomware operation from China, introduced an innovative extortion tactic last year by creating clear websites to leak stolen data. This was so that employees could check if their data was compromised and was designed to prevent it from being leaked in the future.
As the name suggests, a clear website is hosted directly on the Internet. It does not need any special software to be accessed, like an anonymous network like Tor. Using this new method, we will be able to access and access the leaked data more easily and it will likely cause the data to be indexed by search engines in the future, thus causing the leak to spread increasingly.
Security researcher Dominic Alvieri has discovered that the Cl0p ransomware gang has just publicly posted the data that they have stolen from the MOVEit Transfer platform in May in the public domain. Due to a zero-day vulnerability found in the secure file transfer platform, the gang exploited a vulnerability in that platform to compromise hundreds of businesses and government institutions across the globe and lead to hundreds of data breaches.
There are several differences between Clop's dumps and those of some previous infiltrations. The most noticeable is that the data has been released in large files rather than organized into specific searchable items. In addition, the site has not been hosted on the Tor network.
Dark Web vs Clear Web
A Clear Web is one of the portions of the internet that is easy to use and can be indexed by search engines like Google. It is also known as the Surface Web or Visible Web because it makes up a part of the web that is easily accessible. Generally speaking, it describes websites and web pages that are accessible through standard web browsers and do not require any special configuration to be used.
Alternatively, the Dark Web is one of the areas of the internet that is intentionally hidden from traditional search engines and hence is not indexed by them. To access the Dark Web, you will need specialized software, such as the Tor browser, which allows you to perform anonymous and secure operations while browsing the Dark Web.
In addition to anonymity, this domain name allows users to access hidden websites using the ".onion" extension. On the Dark Web, there are many illicit activities, illegal markets, and anonymous forums where users can communicate anonymously with one another without revealing their identities. These activities are often associated with illicit activities.
Cybercrime has recently developed clearnet websites hosted on the surface web. These websites extort stolen data to blackmail their victims. As part of its blackmail campaign, Clop has recently developed this tactic. As to their first attempt to leak data, they had to upload four spanned ZIP archives, which they had stolen from the PWC business consulting firm. TD Ameritrade, Aon, Kirkland, Ernest & Young, and TD Ameritrade later used claims of leaks by Cl0p to leak data from their systems to the public.
They aim to create panic among employees, executives, and business partners affected by stolen data. This is so that they will exert additional pressure on the company to pay the ransom to lower their security.
Even though there may be some benefits to leaking data in this way, they also have their own set of problems. This is because they are much easier to take down when put on the internet rather than Tor.
Currently, all known Clop Clearweb extortion sites have been taken offline, meaning they cannot be accessed. This is unclear whether these sites are being shut down because of law enforcement seizures, DDoS attacks carried out by cybersecurity firms, or because hosting companies and registrars are shutting them down until further notice. It's questionable whether this extortion tactic is worth the effort since it can easily be shut down, and that they can be shut down at any time.