Clop ransomware, the perpetrator behind the MOVEit Transfer supply chain attacks, is now leaking the stolen data on the surface internet.

Similar to BlackCat ransomware, Clop set up a straightforward website recently to extort its victims better. This method is more effective than the current means of leaking through darknet sites, which have limited reach. Although, they’re subject to quick removal upon detection, and Clop’s locations have been removed as of writing this.

Clearnet Sites of Clop Ransomware

The Clop gang is a prominent threat actor in the ransomware space, having hit notable companies and earning millions of dollars in ransom. Levelling up the game, the Clop ransomware has recently set up a clearnet website to dump all the stolen data from its MOVEit Transfer supply chain attack.

Initially, they set up a dedicated website for dumping the PWC’s data, where they shared the dump in four spanned ZIP archives. Anyone on the surface web with links to this site can easily download the stolen data, putting the company’s staff and customers at risk.

And days after this, the threat actors have also created websites for Aon, EY (Ernst & Young), Kirkland, and TD Ameritrade – listing all their stolen data for public downloads. Though this technique helps the Clop gang to exert pressure on the victims, they’re not so effective in this means.

The listed dumps are downloadable large files rather than searchable for specific items like BlackCat ransomware – which had set up a clearnet website last year. And since such clearnet sites are hosted on the surface internet, they’re subject to quick removal upon detection.

As of writing, all the clearnet sites of Clop ransomware were taken down – though we don’t know the reason why. Thus, the data dumping on the clearnet website is not worth the effort, though it has perks.