The Clop ransomware gang’s recent spree of MOVEit vulnerability exploitation has earned it a $10 million bounty from the US Department of State’s “Reward For Justice” program, but anyone hoping to collect will need to show that the hackers sold the stolen data to a foreign government.
Clop ransomware has yet to be deployed in any of the breaches in this recent spree: no victim’s systems have been encrypted. The group has stuck to a pure data-extortion model, exfiltrating sensitive internal data and threatening to leak it, but it has also said that it will delete all stolen government data.
$10 million “Reward For Justice” seeks to deter leak of government information
The Clop ransomware criminals appear to have learned from the fate of other recent “top dogs” in their industry, such as REvil and Conti, and have so far kept any threat to leak stolen government information off their dark web site. But the US Department of Energy reports that the group approached it twice with private ransom notes regarding its recent MOVEit breach, and that the department did not respond. The Reward for Justice bounty is likely a direct response to that development.
The group has not yet been observed sending private or targeted ransom notes to any other victims. Instead it has addressed them collectively via the Clop ransomware dark web portal, advising the first wave of over a dozen companies that they would need to open negotiations by June 14 or have their stolen data dumped to the public. More victims are expected to appear on this list in the near future, as many other organizations have self-reported MOVEit breaches.
It is unclear whether the Reward for Justice offer will actually deter Clop ransomware members from selling valuable government information. The offer is less likely to be cashed in than to serve as a warning that Clop could be next to face the kind of international law enforcement pressure under which groups like REvil crumbled once they crossed certain red lines. However, it could also prompt Clop to follow the example of groups like Conti and preemptively break into smaller cells, likely taking the sensitive data with them. Clop has already weathered a 2021 wave of arrests of members in Ukraine.
Clop ransomware yet to be deployed, but highly sensitive data confirmed stolen
The Clop ransomware group used the MOVEit vulnerability to breach a number of federal agencies as well as a wide variety of state agencies. There is little public information about what was taken from the federal agencies, but some of the state agencies were hit hard, particularly the driver’s license offices of Oregon and Louisiana. It is also possible that medical records were accessed in Colorado.
All of this is the sort of government data that Clop promises to delete. With no way to verify whether that has actually happened, however, the Reward for Justice payment at least offers a potential way of keeping tabs on transactions in the criminal underground. $10 million is toward the high end of the amounts the program has authorized since its inception in 1984; there is a standing offer of that amount for actionable information on attacks against critical infrastructure, and another for five key founding members of the disbanded Conti group.