One Zero-Day Exposed 77 Million People - MOVEit/Clop

Hack History, Feb 22, 2026

Introduction

In the last week of May 2023, the Clop ransomware gang launched a coordinated mass exploitation campaign against MOVEit Transfer, a managed file transfer application made by Progress Software. They exploited a zero-day SQL injection vulnerability — CVE-2023-34362 — that allowed unauthenticated attackers to access MOVEit databases and steal data. No ransomware was deployed. They didn't need it. They simply stole everything and threatened to publish it.

The scale was unprecedented: over 2,600 organizations and more than 77 million individuals were affected. Victims included the US Department of Energy, Shell, British Airways, the BBC, Ernst & Young, Johns Hopkins University, and hundreds of other organizations that either used MOVEit directly or were exposed through third-party service providers.

What Happened

MOVEit Transfer is enterprise software used by organizations to securely send and receive sensitive files — payroll data, financial records, healthcare information, and other critical business files. It's the kind of software most people never hear about but that organizations rely on daily.

Clop had been testing the vulnerability since at least 2021, patiently probing MOVEit installations. When they launched the attack over the 2023 US Memorial Day weekend — a time when many security teams operate with skeleton crews — they used automated tools to exploit every internet-facing MOVEit instance they could find. The SQL injection vulnerability allowed them to deploy a web shell called LEMURLOOT, which provided persistent access to compromised servers and the ability to exfiltrate data directly from the underlying databases.

Unlike traditional ransomware attacks, Clop didn't encrypt any files. Their strategy was pure extortion: steal sensitive data and threaten to publish it on their dark web leak site unless the victim paid. This approach eliminated the need for the noisy encryption phase that often triggers security alerts.

The Impact

The victim list reads like a Fortune 500 directory crossed with a government agency roster. Maximus, a US government contractor, had 11 million records exposed. The Colorado Department of Health Care Policy and Financing reported 4 million affected individuals. The Oregon and Louisiana DMVs had millions of driver's license records stolen.

Total financial damages have been estimated at over $10 billion. Hundreds of class-action lawsuits were filed. Progress Software's stock initially dropped but recovered as insurance and legal defenses were mounted. Clop is believed to have earned hundreds of millions of dollars from the campaign.

The attack demonstrated the cascading risk of supply chain dependencies: organizations that had never even heard of MOVEit were compromised because their payroll provider, their insurance company, or their government contractor used it.

How to Protect Yourself

The MOVEit attack highlighted the risk of internet-facing file transfer applications. Organizations should minimize the exposure of such systems, implement strict access controls, and monitor for unusual database activity. Web application firewalls (WAFs) can help detect and block SQL injection attempts.
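To make the defensive point concrete, here is an added example (not code from the original post, and not Progress Software's code) in Python with SQLite. It stands in a toy file-transfer "account lookup" for the pattern an unauthenticated SQL injection abuses: one version splices untrusted input into the query text, the other binds it as a parameter. It also includes a small row-count monitor of the kind the "unusual database activity" advice refers to. The table, sample users, payload string and the `RowCountMonitor` class are all constructed for illustration.

```python
"""
Added example (not from the original post): a toy lookup showing the unsafe
string-built query, the parameterized query that closes the hole, and a
row-count monitor for unusual database activity. All names, the table
layout and the sample data are constructed for illustration.
"""
import sqlite3

# Constructed sample data standing in for a file-transfer user table.
SAMPLE_USERS = [
    ("alice", "alice@example.test", "payroll-2023.csv"),
    ("bob", "bob@example.test", "claims-q2.xlsx"),
    ("carol", "carol@example.test", "drivers-export.zip"),
]


def build_db() -> sqlite3.Connection:
    """Create an in-memory database populated with the constructed users."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, email TEXT, last_file TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)", SAMPLE_USERS)
    conn.commit()
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, username: str) -> list:
    """Untrusted input is spliced into the SQL text, so it can change the
    query's structure instead of just supplying a value."""
    sql = f"SELECT username, email, last_file FROM users WHERE username = '{username}'"
    return conn.execute(sql).fetchall()


def lookup_hardened(conn: sqlite3.Connection, username: str) -> list:
    """The driver binds the parameter; it is only ever treated as a value."""
    sql = "SELECT username, email, last_file FROM users WHERE username = ?"
    return conn.execute(sql, (username,)).fetchall()


class RowCountMonitor:
    """Hypothetical monitor: flags any single per-user lookup that returns
    more rows than such a lookup should ever produce."""

    def __init__(self, max_rows: int = 1):
        self.max_rows = max_rows
        self.alerts: list[str] = []

    def observe(self, query_name: str, rows: list) -> list:
        if len(rows) > self.max_rows:
            self.alerts.append(
                f"{query_name}: returned {len(rows)} rows (expected <= {self.max_rows})"
            )
        return rows


def demo() -> dict:
    """Run the same constructed tautology input through both lookups and
    report what each returned and what the monitor flagged."""
    conn = build_db()
    monitor = RowCountMonitor(max_rows=1)
    # Constructed textbook tautology; the kind of input a WAF rule is tuned to catch.
    payload = "nobody' OR '1'='1"
    leaked = monitor.observe("vulnerable", lookup_vulnerable(conn, payload))
    safe = monitor.observe("hardened", lookup_hardened(conn, payload))
    return {
        "vulnerable_rows": len(leaked),   # every user row comes back
        "hardened_rows": len(safe),       # no user is literally named that string
        "alerts": list(monitor.alerts),   # only the vulnerable lookup trips the monitor
    }


if __name__ == "__main__":
    print(demo())
```

The lesson is the one the paragraph gives: a WAF can catch the obvious payload, but the durable fix is parameterization, and a cheap anomaly check on query results (a per-user lookup returning the whole table) catches exfiltration-sized reads regardless of how the query was reached.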

More broadly, organizations need to understand their supply chain dependencies. If your payroll provider uses MOVEit, your employees' data is at risk even if you've never installed the software yourself. Vendor security assessments, contractual data protection requirements, and data minimization practices are essential.

For individuals, the same advice applies as with any mass breach: monitor your accounts, use credit freezes, watch for phishing attempts that leverage stolen data, and assume that your personal information has been compromised at least once.

The Bigger Picture

The MOVEit campaign represents the evolution of ransomware into something more efficient and more dangerous: mass automated exploitation followed by pure data extortion. No encryption, no negotiation for decryption keys — just stolen data and a countdown timer. Clop proved that this model scales, and it scales profitably. The attack forced the industry to reckon with an uncomfortable truth: the enterprise software that handles our most sensitive data is often the least examined, the least monitored, and the most exposed.
