Chris Swagler | August 22nd, 2023

MoveIt Transfer

In the ever-evolving landscape of cyber threats, ransomware attacks have taken a dramatic turn, with traditional methods taking a backseat to newer, more sophisticated techniques. The notorious Clop ransomware gang has been at the forefront of this evolution, exploiting zero-day vulnerabilities in Progress Software’s MoveIt Transfer product to claim victims worldwide. As we delve into the latest data and incidents, it becomes apparent that the targets of these attacks are businesses, public institutions, and healthcare providers.

The Changing Face of Ransomware Attacks

Over the past year, ransomware gangs have shifted their focus from mere encryption to data theft and exposure, accompanied by aggressive extortion tactics. The MoveIt Transfer attacks serve as a clear example of this transformation. These incidents involve the theft and disclosure of sensitive data without immediate encryption, making them even more insidious and challenging to deal with.

The Magnitude of MoveIt Transfer Attacks

According to one editorial’s comprehensive tracking of ransomware incidents, the number of traditional ransomware attacks decreased in July. However, attacks related to the zero-day vulnerability in MoveIt Transfer continued to surge. At least 29 new victims were discovered two months after the initial attack, affecting various organizations, including Johns Hopkins University, the University of Rochester, and 1st Source Bank. 1st Source Bank confirmed that the attack had impacted a staggering 450,000 customers.

Alarming Numbers: Over 40 Million People Impacted

One cybersecurity vendor actively monitoring the MoveIt Transfer attacks reported that the number of victim organizations had reached a concerning 566, impacting more than 40 million individuals worldwide. These figures include names on Clop’s data leak site, with some victims yet to confirm their involvement.

Estee Lauder’s Cybersecurity Incident

One of the high-profile victims of these attacks was Estee Lauder, which confirmed a cybersecurity incident in July. While the exact details of the attack remain unclear, the company was subsequently listed on two ransomware groups’ public data leak sites: the Cl0p operators behind the MoveIt Transfer attacks and the BlackCat ransomware group. Questions lingered about whether encryption was involved and whether there were two separate attacks.

Public Sector and Healthcare Under Siege

The public sector and healthcare organizations also fell prey to ransomware attacks in July. The City of Hayward, California, declared a state of emergency after experiencing prolonged disruptions to its network. Fortunately, the city resisted paying the ransom, and its network was gradually restored. Similarly, the Town of Cornelius, N.C., took immediate action by isolating its systems to prevent further damage, with successful restoration underway.

In Wisconsin, the Langlade County Sheriff’s Office faced a catastrophic software failure, resulting in a complete shutdown of phone lines. The LockBit ransomware group claimed responsibility for the incident.

The healthcare sector, a common target for ransomware groups, also experienced a significant breach. Tampa General Hospital in Florida successfully prevented encryption during an attack in May. However, sensitive patient data belonging to over 1.2 million individuals was still exfiltrated, highlighting the importance of robust cybersecurity measures for healthcare providers.

Ransomware attacks continue to evolve, with the Cl0p ransomware gang leading the charge by exploiting zero-day vulnerabilities in MoveIt Transfer. The impact is vast, affecting millions of individuals and organizations worldwide. As cybercriminals grow bolder and more sophisticated, businesses, public institutions, and healthcare providers must fortify their defenses, implement robust cybersecurity protocols, and stay vigilant against the ever-present threat of ransomware attacks. Through a collective effort, we can combat this escalating menace and safeguard our digital world.

At SpearTip, our certified engineers conduct gap analyses that compare technology and internal personnel to uncover the blind spots in companies that can lead to significant compromises. The insights of the SpearTip Advisory Services team add further value when the Gap Analysis is completed in conjunction with one, some, or all of our Technical Security Assessments. Identifying technical vulnerabilities inside and outside companies provides deeper context for potential environmental gaps. SpearTip engages with companies’ people, processes, and technology to measure the security environment’s maturity.

If your company is experiencing a breach, call our Security Operations Centers at 833.997.7327 to speak directly with an engineer.
