The Clop ransomware group has created the MOVEit exploit using a zero-day vulnerability in third-party file transfer software MOVEit Transfer, owned by Progress Software. The aim of the attack was data theft, particularly personally identifiable information (PII) from customer databases.

The vulnerability, now tracked as CVE-2023-34362, is believed to have been exploited since around May 27^th and has led to multiple waves of data breaches in the weeks following. Shortly after attacks began, Progress identified the vulnerability and a patch was offered in late May, though not all clients applied it. Since then, advisories on other vulnerabilities have been issued with fixes closely following.

The ransomware group gave impacted companies until June 14^th to contact them. On that deadline day, the names of 13 companies was released on their leak site. In the days that have followed, numerous other companies have been named. The group has stated that it will start publishing content from those organizations that do not negotiate an extortion payment by June 21^st.

Clop have recently released a statement claiming that it has erased all data stolen from government, city, and police services as they have “no interest to expose such information.”

The current victim list is massive and growing, and Clop continues to share new entries every day, which begs the question, how many companies have actually been affected by this attack? Some victims have publicly announced their involvement in the breach, other have simply been named by Clop themselves. We’ll be following this attack closely and updating this blog with new information as the story unfolds.

Let’s take a look at the victims that have been announced to date:

1. University of Rochester, based in Rochester, New York
2. Austrian Finance Market Authority
3. Zellis, UK based software development company
4. Government of Nova Scotia
5. BORN Ontario, healthcare organization in Canada
6. Extreme Networks, US based software development company
7. Synlab, French medical diagnostic service provider
8. Government of Illinois
9. Minnesota Department of Education
10. HSE, public health service in Ireland
11. Landal Greenparks, European holiday facilities
12. Ofcom, UK’s media watchdog
13. Ernst & Young (EY), global accountancy firm
14. Transport for London (TfL), UK government body
15. Prudential Assurance Malaysia Berhad (PAMB), Malaysian insurance company
16. Prudential BSN Takaful Berhad (PruBSN), Malaysian takaful company
17. State of Missouri
18. 1^st Source Bank, Michigan based bank
19. Datasite LLC, US based SaaS provider
20. First National Bankers Bank, US based bank services provider
21. GreenShield Canada, a non-profit benefits carrier
22. Heidelberger Druckmaschinen, German precision engineering company
23. Leggett and Platt, US based manufacturing firm
24. National Student Clearinghouse, US based educational not for profit organization
25. OKK, insurance company based in Switzerland
26. Putnam Investments, US based investment management firm
27. United HealthCare Services, US based health insurance firm
28. Shell, British multinational gas company
29. University of Georgia, based in Athens, Georgia
30. John Hopkins University and Health System, based in Baltimore, Maryland
31. HealthEquity, US based financial technology and business services provider
32. CU*Answers, US based software company
33. NavAXX S.A., Luxembourg based financial services company
34. Delaware Life, US based insurance company
35. Fiduciary Outsourcing, US based fiduciary retirement plan administration provider
36. Enzo Biochem, US based medical diagnostics firm
37. CareServices LLC, US based healthcare services provider
38. Genericon Pharma, Pharmaceutical company based in Austria
39. Brault, US based technology firm
40. A + Federal Credit Union, Texas based Credit Union
41. Bar Harbor Bank, US based bank
42. Power Financial Credit Union, South Florida based Credit Union
43. East West Bank, US based bank
44. US Department of Energy’s Waste Isolation Pilot Plant
45. Oak Ridge Associated Universities, based in Oak Ridge, Tennessee
46. Louisiana’s Office of Motor Vehicles (OMV)
47. Oregon Department of Transportation
48. Marti Group, Swiss contracting company
49. PRA Group, US based debt collection agency
50. Umpqua Bank, US based bank
51. University of Missouri, based in Columbia, Missouri
52. IC System, US based debt collection services
53. ARBURG, European plastics manufacturer
54. Boston Globe, US daily newspaper
55. China CITIC Bank, commercial banking company
56. STIWA Group, Austrian manufacturing company
57. Cegedim SA, French technology company
58. Aon, global insurance company
59. Nuance Communications, US based software company
60. Pan American Life Insurance Group, US based insurance organization
61. Gesa, Washington based Credit Union
62. Telos, US based Information Technology company
63. Santa Clara University, based in California
64. Skillsoft, US based educational technology company
65. Cree Lighting, US-based LED lighting manufacturer
66. Gen Digital, the parent company of cybersecurity brands Avast, Avira, Norton and LifeLock
67. Stockman Bank, Montana based community bank
68. Baesman, US based marketing services provider
69. EMSS Inc, Hawaii based IT services and IT consulting organization
70. CBE, construction company based in Australia
71. Zurich Insurance Brazil
72. PricewaterhouseCoopers (PWC), global accounting firm.

Last update: 22nd June 2023 16:25