We’ve Been Clop-ed

The Nova Scotia government announced on Monday that it was investigating the theft of personal information stolen through a global privacy breach of a file transfer system called MOVEit.

Colton LeBlanc, in his capacity as minister of cyber security and digital solutions, held what the Halifax Examiner’s Zane Woodford termed a “hastily called Sunday afternoon press conference” to explain that the province had been advised on June 1st of a “critical vulnerability” in the system by its owner, Bedford, Massachusetts-based Progress, which acquired MOVEit developer Ipswitch in 2019.

The Nova Scotia government was one of the first victims of the breach to come forward, along with the payroll service Zellis, British Airways, the BBC and the UK retailer Boots. According to Dan Goodin at Ars Technica:

Both Nova Scotia and Zellis had their own instances or cloud services breached. British Airways, the BBC, and Boots were customers of Zellis.

On Tuesday, the province announced it had determined the breach had involved the personal information of “many” employees of Nova Scotia Health, the IWK Health Centre and the public service. A press release stated:

So far, the provincial investigation indicates that social insurance numbers, addresses and banking information were stolen. The amount and type of information depends on the employer. This information was shared through the MOVEit file transfer service because this service is used to transfer employee payroll information.

The information of past employees of Nova Scotia Health and the public service may also have been stolen.

The investigation has not yet determined how many employees have been impacted, but initial estimates suggest as many as 100,000. This number could go up or down. The Province will provide more specific numbers as the investigation continues.


Gov’t data spared?

On Sunday night (June 4), Microsoft Threat Intelligence attributed the attacks to the Lace Tempest hacking group, “known for ransomware operations & running the Clop extortion site.” On Monday, Lawrence Abrams at BleepingComputer reported “the Clop ransomware gang” had told them (in what appears to have been an exchange of emails) that they were behind the MOVEit attacks:

The Clop representative further confirmed that they started exploiting the vulnerability on May 27th, during the long US Memorial Day holiday…

This is the illustration BleepingComputer uses for its Clop articles. It is the work of sebastiaan stam on Unsplash who captioned it, “man squatting during nighttime.”

Abrams says conducting attacks around holidays, when staffing is at a minimum, is a “common tactic for the Clop ransomware operation”:

Furthermore, the ransomware gang confirmed that they have not begun to extort victims, likely using the time to review data and determine what is valuable and how it could be used to leverage a ransom demand from breached companies.

Clop (more about which in a moment) would not tell BleepingComputer how many organizations had been breached, but said “victims would be displayed on their data leak site if a ransom was not paid.”

Then, “unprompted,” the Clop rep told BleepingComputer that:

…they had deleted any data stolen from governments, the military, and children’s hospitals during these attacks.

“I want to tell you right away that the military, children’s hospitals, GOV etc like this we no to attack [sic], and their data was erased,” Clop said in their email to BleepingComputer.

Big if true, as they say on Twitter, but there’s no way of knowing. Writes Abrams:

BleepingComputer has no way of confirming if these claims are accurate, and like any data-theft attack, all impacted organizations should treat it as if the data is at risk for abuse.

BleepingComputer also says the Clop gang is “known to wait a few weeks after data theft before emailing company executives with their demands.” The publication says that in a ransom note sent following a recent extortion attack, Clop threatened to sell an organization’s information on the black market and “publish it on our blog which receives 30-50 thousand unique visitors per day.”

“Historically,” says BleepingComputer:

…once Clop begins extorting victims, they will add a stream of new victims to their data leak site with threats that stolen files will soon be published to apply further pressure in their extortion schemes.

And in case you’re wondering, “advertising” their breaches to reporters is apparently one of a variety of extortion techniques used by Clop, according to Unit 42, the cyber security arm of Palo Alto Networks.

And BleepingComputer is considered a reliable source by the Canadian Centre for Cyber Security, which cites it in its article on Ransomware.


Cl0p ransomware

According to Unit 42, Clop ransomware was first sighted in February 2019, at which point it had no leaking website. Clop is “a variant of a previously known strain” of ransomware called CryptoMix and, initially, it was distributed through “malicious spam” (think phishing emails). Now, however, it’s being used “in targeted campaigns against high-profile companies.”

A classic ransomware attack sees a “threat actor” (per Wikipedia: “a person or a group of people that take part in an action that is intended to cause harm to the cyber realm”) gain access to a computer system, encrypt the victim’s files and demand a ransom to decrypt them. Abrams says that while Clop “started as a ransomware operation,” the group had “previously told” the publication that they were “moving away from encryption and prefer data-theft extortion instead.”

Obligatory photo of hands on a keyboard. (Photo by Colin via Wikimedia Commons)

In doing so, they seem to be following a general cybercrime industry trend. As Jessica Lyons Hardcastle explained in The Register in June 2022:

Increasingly…cybercrime rings still tracked as ransomware operators are turning toward primarily data theft and extortion – and skipping the encryption step altogether. Rather than scramble files and demand payment for the decryption keys, and all the faff in between in facilitating that, simply exfiltrating the data and demanding a fee to not leak it all is just as effective. This shift has been ongoing for many months, and is now virtually unavoidable.

In February of this year, Clop claimed responsibility for attacks that exploited a vulnerability in GoAnywhere, a managed file transfer (MFT) software program like MOVEit, telling BleepingComputer they’d stolen data from over 130 organizations. Clop was also linked to attacks exploiting flaws in Accellion’s file transfer application.

The “Clop gang” is described variously as “Russian” or “Russian-speaking” or “Russian-linked.” Vladimir Putin is generally—as in this Wired article—seen as enforcing a “don’t hack at home” rule whereby he tolerates ransomware groups provided they don’t target Russian companies.

That said, in January 2022—as in, the month before Putin invaded Ukraine—Russian authorities announced they had dismantled the ransomware group REvil and charged several of its members. The BBC called it “a monumental moment in cyber-crime and cyber-relations between the US and Russia” and even suggested it might point to “a thawing of relations” between the superpowers. (Not quite.)

Since the invasion of Ukraine, BleepingComputer reports that ransomware gangs and hackers have been “picking sides” in the conflict. (Ukraine, I should note, arrested “multiple suspects” believed to be linked to Clop in June 2021.)



What I did not realize about ransomware…wait, let me rephrase that: one of the many things I did not realize about ransomware, because I know nothing about ransomware, is that there is such a thing as ransomware-as-a-service or RaaS and that it is basically a variation of the software-as-a-service business model.

Kurt Baker, writing on the CrowdStrike website earlier this year, explained that RaaS allows “affiliates” to pay to launch ransomware attacks developed by “operators.”

RaaS kits allow affiliates lacking the skill or time to develop their own ransomware variant to be up and running quickly and affordably. They are easy to find on the dark web, where they are advertised in the same way that goods are advertised on the legitimate web.

A RaaS kit may include 24/7 support, bundled offers, user reviews, forums and other features identical to those offered by legitimate SaaS providers. The price of RaaS kits ranges from $40 per month to several thousand dollars – trivial amounts, considering that the average ransom demand in 2021 was $6 million. A threat actor doesn’t need every attack to be successful in order to become rich.

Hands on the keyboard of an Underwood typewriter.

The good old days of analog crime.

Microsoft says the RaaS programs can include:

…a suite of extortion support offerings, including leak site hosting and integration into ransom notes, as well as decryption negotiation, payment pressure, and cryptocurrency transaction services.

Claire Tills, a senior research engineer at Tenable, told The Register’s Jeff Burt that the “notorious RaaS gang” LockBit had gone so far as to mandate “extortion-only attacks for particular targets” like hospitals, where encrypting documents can “prevent people getting treated and hold up procedures and medications,” whereas “exfiltration [of data] is not as destructive or disruptive as ransomware.”

In January this year, LockBit posted an apology on its data leak site 13 days after an affiliate attacked Toronto’s Hospital for Sick Children, impacting lab and imaging results, phone lines and the hospital payroll system. According to IT World Canada, the note said:

We formally apologize for the attack on sickkids.ca and give back the decryptor for free. The partner who attacked this hospital violated our rules, is blocked, and is no longer in our affiliate program.

SickKids subsequently issued a statement saying its third-party IT recovery advisors were “assessing the decryptor,” but that IT restoration efforts had already been “progressing well.” The hospital said it did not make a ransomware payment.

Brett Callow, a B.C.-based threat analyst for Emsisoft, told IT World that this wasn’t the first time a ransomware group had given a victim help, although his first example—the Conti ransomware gang making a decryptor available after “an attack that crippled Ireland’s Health Services Executive (HSE)”—was somewhat underwhelming, given the code supplied was “flawed and buggy” and officials concluded it might be quicker “to manually restore the systems from back-ups.” There were also concerns the software could contain “backdoors” facilitating further attacks.


Cyber Hygiene

This is a difficult subject to write about because so much of the information out there comes from law enforcement agencies and cybersecurity firms with a vested interest in convincing you that ransomware is “a pandemic of epic proportions.”

Less hysterical voices say protecting against ransomware (and data-theft extortion) attacks comes down to good “cyber hygiene” and that sounds sensible, until you think about what it entails and realize it puts an impossible burden on internet users—change all your passwords regularly; don’t write them on sticky notes on your computer; research how apps share your data with third parties; use two-factor identification for all your accounts; don’t use messaging applications over public Wi-Fi; think about where your data is being stored and which nation’s laws will apply to your information (!)

Canada’s Communications Security Establishment offers Cyber Hygiene tips that I believe are intended for public employees and that seem to suggest the only way to communicate “sensitive information” securely is by mail or in person:



There’s also a debate to be had about who, exactly, are the “good guys” in our digital world. Holding a hospital’s data for ransom is plainly wrong, but so is collecting “vast amounts of location information” from unsuspecting people who’ve downloaded your app, and that last wasn’t the work of a Russian-speaking ransomware gang; that was Tim Hortons.

As I write this on Wednesday morning, there have been no further updates from the provincial government about the data breach, but it can apparently take as long as a month for a target to receive a ransom note, so stay tuned.