Severity: critical
Records: 95,000,000+
Vector: Zero-day SQL injection (CVE-2023-34362) in MOVEit Transfer
Organization: Progress Software (MOVEit Transfer customers)
Incident Date: 2023-05-27

What Happened

Beginning on May 27, 2023, the Cl0p (TA505) ransomware group exploited a zero-day SQL injection vulnerability (CVE-2023-34362) in Progress Software’s MOVEit Transfer, a widely used managed file transfer application. The campaign compromised over 2,700 organizations and exposed personal data of more than 95 million individuals worldwide, making it one of the largest mass exploitation events in cybersecurity history.

Cl0p did not deploy ransomware in this campaign. They focused exclusively on data theft and extortion, stealing data from MOVEit Transfer servers and threatening to publish it unless victims paid.

How They Did It

Cl0p exploited CVE-2023-34362, a SQL injection vulnerability in MOVEit Transfer’s web application, to gain unauthorized access to MOVEit databases. Attackers deployed a web shell named LEMURLOOT on compromised MOVEit Transfer servers for persistent access. Cl0p automated data theft across hundreds of MOVEit Transfer instances simultaneously, then listed victims on their leak site and gave them deadlines to negotiate payment.

Evidence suggests Cl0p had been testing the MOVEit vulnerability since at least July 2021, with active exploitation beginning during the Memorial Day holiday weekend in May 2023 to maximize dwell time before detection.

Major Victims

BORN Ontario lost 3.4 million healthcare records from its newborn and child registry. Maximus, a government services contractor, lost 11 million records. Welltok lost 8.5 million healthcare records. Delta Dental lost 7 million healthcare and insurance records. The US Department of Energy, Shell, BBC, British Airways (data on 34,000 employees), Ernst & Young, and Siemens Energy were all compromised, with record counts undisclosed.

Over 80% of affected organizations were in the United States, and the government and healthcare sectors were disproportionately impacted.

Timeline

The earliest evidence of Cl0p testing MOVEit exploitation dates to July 2021. Mass exploitation began over the Memorial Day weekend on May 27, 2023. Progress Software disclosed CVE-2023-34362 and released patches on May 31. CISA added the vulnerability to its Known Exploited Vulnerabilities catalog on June 2. Cl0p claimed responsibility on its leak site on June 6. A second MOVEit vulnerability (CVE-2023-35036) was discovered and patched on June 9, followed by a third (CVE-2023-35708) on June 15. The victim count passed 500 organizations in July 2023 and exceeded 2,600 by December 2023. Final tallies reached over 2,700 organizations and 95 million individuals in 2024.

Financial Impact

Cl0p’s estimated revenue from the MOVEit campaign reached $75-100 million in extortion payments. Progress Software faced multiple class-action lawsuits and an SEC investigation, though its stock price largely recovered. Individual victim organizations incurred costs for notification, credit monitoring, legal defense, and regulatory fines. Emsisoft estimated the total economic impact across all victims in the billions of dollars.

Why MOVEit Mattered

Cl0p demonstrated that zero-day exploitation of widely deployed enterprise software could be industrialized. They compromised thousands of organizations simultaneously through a single vulnerability, then extorted each individually. Cl0p has applied the same model to other file transfer tools, including GoAnywhere and Cleo.

Managed file transfer applications are high-value targets because they are designed to transfer sensitive data and are often exposed to the internet. The MOVEit campaign followed Cl0p’s earlier exploitation of Accellion FTA (2020-2021) and GoAnywhere MFT (2023).

Key Lessons

Internet-facing file transfer applications require aggressive patching, monitoring, and hardening, because they are prime targets for mass exploitation. Even as zero-day exploitation windows shrink, they remain devastating: Cl0p had years to prepare and timed the campaign for a holiday weekend to delay detection and response. Data-theft-only extortion without encryption is an effective and lower-risk model for attackers. MFT applications should be segmented from internal networks and monitored for anomalous data access patterns.