Almost two months after the initial MOVEit breach, Cl0p is now leaking private data and threatening to release more on the regular (also known as "clear") web. With these releases, Cl0p is changing the ransomware/extortion game, trying to crank up the pressure on many of the compromised entities.
When MOVEit was initially breached, Cl0p gave the breached entities two weeks to pay a ransom or have their data leaked. Some of these entities, such as accounting giant PricewaterhouseCoopers, refused to comply with Cl0p's demands, and now websites are popping up on the clear web with gigabytes of PricewaterhouseCoopers' stolen data.
This behavior indicates a strategy shift for ransomware groups. In the past, it was common for ransomware groups to leak data on the dark web. There are many advantages to posting leaked data to the dark web. First, prospective buyers get to view portions of the leaked data, verifying its legitimacy before agreeing to a price. Second, the files are harder for law enforcement agencies to target and take down. And third, dark web positioning makes it harder for law enforcement to trace the data back to a point of origin.
However, the dark web poses issues with visibility and accessibility. The information is technically available to anyone, but accessing it requires the specialized Tor Browser and some operational knowledge of the Tor network. On top of that, most of these Tor hidden services offer painfully slow download speeds, sometimes as slow as single kilobytes per minute, making gigabytes of data unrealistic to download. To work around this, Cl0p began to post this data on publicly accessible domains on the clear web.
The clear web, the web that most internet users frequent daily, poses its own set of challenges. Cl0p risks having these sites taken down quickly by law enforcement, forcing both Cl0p and law enforcement into a game of "whac-a-mole." Indeed, the website on which Cl0p posted PricewaterhouseCoopers' data is now inaccessible, and it is impossible to know whether Cl0p took the site offline voluntarily or whether law enforcement was involved. However, the one major advantage that clear web posting offers is accessibility. Anyone with a browser like Google Chrome or Firefox and the right URL can immediately access all this data.
The intention behind these "clear web leaks" is to put more pressure on the entities to pay the ransom/extortion demand and get the data taken down. While it is true that, with enough effort, anyone can access data leaked on the dark web, it does not cause the same uproar as a posting to the clear web. With all the hurdles in place to access the information on the dark web, it tends to be "out of sight, out of mind." On the clear web, however, any company employee, executive, or other person computer-savvy enough to open Google can access the data instantly at a reasonable download speed, increasing the pressure on the data owner(s).
For PricewaterhouseCoopers, which boasts clients such as JPMorgan, Johnson & Johnson, and the Ford Motor Company, the stolen data is not going to contain just personally identifiable information. The sensitivity and exploitability of major accounting data like this pose a significant potential for abuse. For example, if an accounting firm is performing financial due diligence in advance of a prospective merger between two publicly traded companies, a leak of such data could be used to manipulate stock prices or enable insider trading.
Moving forward, this type of extortion is likely to become the model followed by other ransomware groups. Cl0p is aware that pressure is the best way to get these companies to fold and pay the ransom, and it knows that cranking up the visibility of these leaks is the best way to ensure that companies feel that pressure. The public nature of these clear web leaks ensures that news will spread fast, which puts still more pressure on these companies to give in to the demands and pay the ransom.