The notorious Clop ransomware gang may earn as much as $100m from its recent data extortion campaign, after a small number of victims paid the group large sums of money, according to Coveware.
The security vendor claimed in a new report that the Russian cybercrime group “dramatically increased” its average ransom demand during the campaign.
“While the MOVEit campaign may end up impacting over 1000 companies directly, and an order of magnitude more indirectly, a very, very small percentage of victims bothered trying to negotiate, let alone contemplated paying,” the report noted.
“Those that did pay, paid substantially more than prior Clop campaigns, and several times more than the global average ransom amount of $740,144 (+126% from Q1 2023).”
Coveware estimates the total haul for Clop at $75–100m, with that amount coming “from just a small handful of victims that succumbed to very high ransom payments.”
“This is a dangerous and staggering sum of money for one, relatively small group to possess. For context, this amount is larger than the annual offensive security budget of Canada,” Coveware added.
Clop famously exploited a zero-day vulnerability in the MOVEit file transfer software to steal data from countless corporate users of the tool. This tactic could be seen as a response to the fact that traditional ransomware attacks are getting harder to monetize, according to Coveware.
In fact, the percentage of attacks that resulted in the victim paying fell to a record low of 34% in the second quarter, it said.
Threat groups are targeting larger victim organizations again in order to secure a bigger payout, and there’s been a “dramatic reduction” in encryption attacks from RaaS groups targeting small enterprises.
“As successfully getting paid from an encryption attack has become harder, there have been two reactions. First, groups like Dharma and Phobos – ransomware families that have historically held a spot in the top 10 most active groups quarter over quarter for years – have become dormant,” Coveware said.
“Second, it was observed that the more technically sophisticated affiliates that previously used both Dharma and/or Phobos have begun using a new ransomware kit called 8base.”