Clop ransomware, the perpetrator behind the MOVEit Transfer supply chain attacks, is now leaking the stolen data on the surface internet.

Like BlackCat ransomware, Clop recently set up a straightforward website to better extort its victims. This method is more effective than the current means of leaking through darknet sites, which have limited reach. However, such sites are subject to quick removal upon detection, and Clop's sites have been removed as of writing this.

Clearnet Sites of Clop Ransomware

The Clop gang is a prominent threat actor in the ransomware space, having hit notable companies and earned millions of dollars in ransom. Upping its game, the Clop gang has recently set up a clearnet website to dump all the stolen data from its MOVEit Transfer supply chain attack.

Initially, they set up a dedicated website for dumping PWC's data, where they shared the dump in four spanned ZIP archives. Anyone on the surface web with links to this site can easily download the stolen data, putting the company's staff and customers at risk.

Days after this, the threat actors also created websites for Aon, EY (Ernst & Young), Kirkland, and TD Ameritrade, listing all their stolen data for public download. Though this technique helps the Clop gang exert pressure on the victims, it is not so effective as a means of doing so.

The listed dumps are large downloadable files rather than being searchable for specific items, as was the case with BlackCat ransomware, which had set up a clearnet website last year. And since such clearnet sites are hosted on the surface internet, they're subject to quick removal upon detection.

As of writing, all the clearnet sites of Clop ransomware have been taken down, though we don't know the reason why. Thus, dumping data on a clearnet website is not worth the effort, though it has perks.