We have been closely following the Cl0p ransomware attacks, which have affected dozens of organisations worldwide, and assisting clients around the world with the fallout.

Attackers have exploited a series of vulnerabilities in file sharing software MOVEit Transfer to steal sensitive data such as personal and financial information (e.g., national identity numbers and credit card data of customers) and the situation is unfolding rapidly.

The first vulnerability was discovered on 31 May 2023, but two more were found later. Because these are zero-day vulnerabilities, they were unknown to the vendor (Progress) and the public until they were exploited.

Progress released patches for all three vulnerabilities by 16 June 2023 but the damage has been done.

The threat actor has now published a list of compromised organisations on the dark web, spanning multiple jurisdictions and sectors including government, education, transportation, energy, technology, insurance and healthcare. That list is growing by the day.

What is concerning about this attack is that the breaches affect not only organisations that used MOVEit directly – but also those that had data transferred to or from MOVEit systems hosted by other file transfer providers. Even if you do not use MOVEit yourself, you may still be at risk.

Also, the modus operandi of the threat actor differs from other ransomware attacks in that they have not sent ransom demands, but have threatened to dump the data obtained by 14 June 2023 – seven days after the breach occurred – if they were not contacted.

This is possibly due to the scale of these attacks and the vast amount of data stolen, as the threat actor itself is still taking time to consider how to maximise their gain from their operations.

As of 23 June 2023, around 16% of Cl0p's claimed victims have had their data posted online, and we suspect the threat actor is likely to release data in stages.

We are monitoring the situation but in the meantime, organisations should take immediate precautions to protect any sensitive data.

If you are concerned about your potential exposure, consider the following steps:

  • Check if you or any of your suppliers or partners has used MOVEit
  • Apply all available patches for MOVEit vulnerabilities as soon as possible
  • Restrict network access to MOVEit to only trusted IP addresses and entities, e.g., by using firewall rules and certificate-based access control
  • Enable multi-factor authentication to prevent unauthorised access to MOVEit
  • Consult specialist cyber forensic firms if necessary

These steps will be insufficient if sensitive data has already been exfiltrated from your network.

You will need to adopt a comprehensive approach and seek assistance in mitigating the breach and managing legal and reputation risks, as well as the prospect of regulatory enquiries or investigations or even claims.

Structuring your approach to a cyberattack in a way that protects your interests, such as your legal privileges over communications and documents, is a sophisticated task which requires a highly concerted effort to handle multiple work streams simultaneously.

These include conducting a forensic investigation; preserving evidence; maintaining a detailed chronology; complying with notice and investigative requirements; and briefing insurance carriers.

Managing complex cyber security incidents requires assembling a team of professionals highly experienced in handling crisis situations with a strong collaborative culture. You don't need to go it alone.

© Copyright 2023. The Mayer Brown Practices. All rights reserved.

This Mayer Brown article provides information and comments on legal issues and developments of interest. The foregoing is not a comprehensive treatment of the subject matter covered and is not intended to provide legal advice. Readers should seek specific legal advice before taking any action with respect to the matters discussed herein.