The Clop ransomware gang is expected to earn between $75-100 million from extorting victims of their massive MOVEit data theft campaign. A new report released by Coveware explains that the number of victims paying ransoms has fallen to a record low of 34%, causing ransomware gangs to switch strategies to make their attacks more profitable.
Changing tactics of data-theft attacks
Different extortion attacks have varying opportunity costs, reflected by the amount of effort and investment required to conduct an attack compared to the expected ransom demand. Coveware explains that extortion attacks that are the least complex and rely on automation have the least impact on victims and the lowest cost to the attackers. This is reflected in the ransom demands: phantom attacks (social engineering), DB wiping with ransoms, and NAS encryption attacks like Qlocker generally have low ransom demands due to automation and lack of complexity in the attacks.
However, more complicated and time-consuming attacks with more significant impact generate far greater ransom demands, usually in the millions. On May 27th, the Clop ransomware gang began widespread data-theft attacks exploiting a zero-day vulnerability in the MOVEit Transfer secure file transfer platform. These attacks are expected to impact hundreds of companies worldwide, with many having already notified their affected customers over the past two months.
Clop’s new extortion strategy
Coveware says that payments for extortion attacks focusing only on data theft have decreased over time, with victims preferring to disclose the attacks and issue data breach notifications rather than pay the threat actors. Clop has changed its extortion strategy by making far larger ransom demands than previously seen in data exfiltration attacks, hoping that a few large payments will overcome the overall decline. According to Coveware’s estimation, only a few MOVEit data-theft victims are likely to pay. Nevertheless, Clop is still expected to amass an impressive $75-100 million solely from these payments, given the substantial ransom demands.
Decrease in Ransomware-as-a-Service operations
Coveware has also seen a shift when it comes to ransomware encryption attacks. There has been a dramatic reduction in Ransomware-as-a-Service operations targeting small enterprises, as getting ransom payments has become much more challenging. As a result, smaller ransomware operations such as Dharma and Phobos have seen a decrease of nearly 37% in attacks in 2023. Instead, Coveware has observed more affiliates within these groups transitioning to the new 8base ransomware operation, which uses the Phobos encryptor to target enterprises in larger-scale attacks.
The Clop ransomware gang is expected to earn a staggering amount of money from their MOVEit data theft campaign. Their new extortion strategy of making larger ransom demands is a response to the decline in victims paying ransoms. The changing tactics of data-theft attacks and the decrease in Ransomware-as-a-Service operations have also contributed to the shift in ransomware encryption attacks.