According to Coveware, the infamous Clop ransomware gang may have made as much as $100 million from its recent data extortion campaigns, because a handful of victims paid the group very large sums.
In a new report, the security vendor claimed that Russian cybercrime groups “dramatically increased” average ransom demands during the campaign.
“Although the MOVEit campaign could ultimately affect more than 1,000 businesses directly, and indirectly by orders of magnitude, the small fraction of victims would not bother to negotiate, let alone consider paying,” the report notes.
“Companies that did pay paid significantly more than in previous Clop campaigns, several times the global average ransom of $740,144 (up 126% from Q1 2023).”
Coveware estimated Clop’s total earnings from the campaign at between $75 million and $100 million, and said the sum came from “a handful of victims who succumbed to paying very high ransoms.”
“This is a dangerous and staggering amount of money for one relatively small group to own. By the way, this amount is larger than Canada’s annual offensive security budget,” Coveware added.
Clop famously exploited a zero-day vulnerability in the MOVEit file transfer software to steal data from countless corporate customers of the tool. Coveware says this tactic can be seen as a response to the fact that traditional ransomware attacks are becoming harder to monetize.
In fact, the percentage of attacks that resulted in victims paying a ransom fell to a record low of 34% in the second quarter.
Threat groups are again targeting large victim organizations to secure bigger payouts, and encryption attacks by ransomware-as-a-service (RaaS) groups targeting small and medium-sized businesses have “decreased dramatically.”
“As it becomes harder to get rewarded from cryptographic attacks, there are two reactions. First, groups like Dharma and Phobos (ransomware families that have ranked in the top 10 most active groups quarterly for years) have gone dormant,” said Coveware.
“Second, we observed that more technologically sophisticated affiliates that previously used both Dharma and Phobos began using a new ransomware kit called 8base.”