Clop Ransomware and the MOVEit Campaign: Mass Exploitation at Scale

Clop's exploitation of MOVEit Transfer compromised over 2,500 organizations in one campaign, demonstrating a shift from traditional ransomware to mass vulnerability exploitation.

Michael
Senior Security Analyst

In late May 2023, the Clop ransomware group began mass-exploiting a zero-day SQL injection vulnerability in MOVEit Transfer, a managed file transfer (MFT) application used by thousands of organizations worldwide. Within weeks, the campaign had compromised over 2,500 organizations and exposed the personal data of an estimated 65 million individuals. It was the most impactful single ransomware campaign in history — and notably, it didn't use any ransomware at all.

Clop's MOVEit campaign represented an evolution in the threat landscape: a ransomware group that had figured out that mass data theft through supply chain software was more profitable than encrypting individual networks.

The MOVEit Vulnerability

The vulnerability, tracked as CVE-2023-34362, was a SQL injection flaw in MOVEit Transfer's web interface. The technical details were straightforward but devastating:

  • An unauthenticated attacker could send crafted requests that injected SQL into the MOVEit Transfer web application's database queries
  • The SQL injection allowed the attacker to deploy a web shell (named LEMURLOOT by researchers) on the server
  • The web shell provided persistent access and the ability to enumerate files, download stored data, and extract Azure Blob Storage credentials
  • The attack required no authentication, making mass exploitation trivial once the vulnerability was identified
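A defender's check that follows from the web-shell step above, added here as an example and not code from the original post or from Progress Software: a small file-integrity baseline for the application's web root, so that a server-side script or configuration file that appears or changes outside a planned patch window is surfaced for review. It assumes an IIS/ASP.NET deployment (MOVEit Transfer is an ASP.NET application); the set of executable extensions, the web-root path and the baseline file location are assumptions or placeholders.

```python
import hashlib
import json
import sys
from pathlib import Path

# Server-side executable or configuration file types on an IIS/ASP.NET host
# (assumed deployment model for MOVEit Transfer). A new or changed file with one
# of these extensions outside a planned upgrade is the first thing to review.
SCRIPT_EXTENSIONS = {".aspx", ".ashx", ".asmx", ".asax", ".asp", ".dll", ".config"}


def hash_file(path: Path) -> str:
    """SHA-256 of a file, read in chunks so large uploads are not loaded into memory."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            digest.update(chunk)
    return digest.hexdigest()


def snapshot(root: Path) -> dict[str, str]:
    """Map every file under root (POSIX-style relative path) to its SHA-256."""
    return {
        p.relative_to(root).as_posix(): hash_file(p)
        for p in sorted(root.rglob("*"))
        if p.is_file()
    }


def compare(baseline: dict[str, str], current: dict[str, str]) -> dict[str, list[str]]:
    """Diff two snapshots; 'suspicious' is the subset of added/modified files that can run server-side."""
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    modified = sorted(p for p in baseline.keys() & current.keys() if baseline[p] != current[p])
    suspicious = sorted(p for p in added + modified if Path(p).suffix.lower() in SCRIPT_EXTENSIONS)
    return {"added": added, "removed": removed, "modified": modified, "suspicious": suspicious}


if __name__ == "__main__":
    # Usage: webroot_check.py <web-root> <baseline.json>   (both paths are placeholders)
    # The first run records the baseline; take it right after a verified clean install
    # or patch. Later runs report drift and exit non-zero when a script file changed.
    webroot, baseline_path = Path(sys.argv[1]), Path(sys.argv[2])
    current = snapshot(webroot)
    if not baseline_path.exists():
        baseline_path.write_text(json.dumps(current, indent=2))
        print(f"baseline written: {len(current)} files")
    else:
        report = compare(json.loads(baseline_path.read_text()), current)
        print(json.dumps(report, indent=2))
        sys.exit(1 if report["suspicious"] else 0)
```

Run it from a scheduled task and treat any non-empty "suspicious" list as an incident trigger rather than a warning; a vendor patch legitimately changes these files, so re-baseline immediately after each verified upgrade.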

MOVEit Transfer, developed by Progress Software, was widely used for secure file transfer in regulated industries — financial services, healthcare, government, and legal. Organizations used it precisely because they needed a secure way to transfer sensitive data. The irony was sharp.

Clop's Strategic Evolution

To understand the MOVEit campaign, you need to understand how Clop evolved. The group had been active since at least 2019, initially operating as a traditional ransomware operation — compromising networks, encrypting files, demanding ransoms. But Clop gradually shifted strategy.

Accellion FTA (2020-2021)

Clop's first major MFT exploitation targeted Accellion FTA, compromising multiple organizations through zero-day vulnerabilities in the legacy file transfer appliance. This campaign established the template: identify widely-deployed file transfer software, develop or acquire exploits, conduct mass exploitation, and extort victims based on stolen data.

GoAnywhere MFT (January 2023)

In early 2023, Clop exploited CVE-2023-0669 in Fortra's GoAnywhere MFT, compromising approximately 130 organizations. The attack refined the mass exploitation playbook and demonstrated that the Accellion campaign wasn't a one-off.

MOVEit Transfer (May 2023)

The MOVEit campaign was the culmination of this strategic arc — the largest and most efficient mass exploitation campaign yet.

Campaign Timeline

Before May 27, 2023: Evidence suggests Clop had been testing the MOVEit vulnerability as early as July 2021, with intermittent testing activity observed in April 2022 and April 2023. The group was methodical in their preparation.

May 27-28, 2023 (Memorial Day weekend): Mass exploitation began during the US holiday weekend, a deliberate timing choice to minimize the chance of detection during initial data theft.

May 31, 2023: Progress Software issued an advisory and patch for CVE-2023-34362. By this point, Clop had already compromised hundreds of servers and stolen data.

June 5-6, 2023: Clop began posting on their leak site, claiming credit for the campaign and instructing victims to contact them.

June-August 2023: Additional MOVEit vulnerabilities were discovered (CVE-2023-35036, CVE-2023-35708), complicating remediation. Clop continued posting stolen data from non-paying victims.

The Supply Chain Cascade

The MOVEit campaign's impact was amplified by supply chain relationships. Many organizations used MOVEit not just for their own file transfers but as part of service delivery to their clients. When a service provider's MOVEit instance was compromised, data from all of their clients was exposed.

Key examples of this cascade:

Zellis: A UK payroll provider used MOVEit to transfer payroll data. When Zellis was compromised, employee data from their clients — including the BBC, British Airways, and Boots — was exposed.

PBI Research Services: This company provided data to pension funds and financial services firms. Their MOVEit compromise exposed data from CalPERS, the largest public pension fund in the US, along with multiple other pension systems.

Maximus: A government services contractor that used MOVEit was compromised, exposing data from millions of Medicare beneficiaries.

National Student Clearinghouse: Their MOVEit compromise exposed student data from nearly 900 colleges and universities.

In each case, the end victims — employees, retirees, students, patients — had no relationship with MOVEit Transfer and no ability to protect themselves. Their data was exposed because an organization they trusted used a file transfer tool with a vulnerability that a ransomware group had weaponized.

No Encryption, All Extortion

The MOVEit campaign was notable for what Clop didn't do: they didn't deploy ransomware. There was no file encryption, no operational disruption from crypto-locking systems. The entire operation was data theft and extortion.

This shift reflected a calculation: mass data theft through a single vulnerability was more efficient than deploying ransomware across thousands of individual networks. Encryption requires post-exploitation work — disabling security tools, achieving domain admin access, deploying payloads across networks. Data theft from a file transfer server requires only exploiting the vulnerability and downloading files.

The extortion model was pure data exposure: pay or your stolen data gets published. Clop set up both Tor hidden services and clear-web sites for publishing stolen data, maximizing the visibility and pressure on victims.

Impact by the Numbers

The MOVEit campaign's scale was staggering:

  • 2,500+ organizations confirmed compromised
  • 65+ million individuals whose personal data was exposed
  • $10+ billion in estimated total costs (remediation, legal, regulatory)
  • Organizations affected across 30+ countries
  • Victims spanning government, healthcare, financial services, education, and technology sectors

The financial impact on Progress Software was significant as well — the company faced numerous lawsuits and regulatory inquiries, and their stock price dropped substantially following the disclosure.

Defensive Takeaways

The MOVEit campaign reinforced several critical lessons:

File transfer applications are high-value targets. Any software that handles sensitive data transfers is inherently attractive to attackers. Organizations should treat MFT solutions with the same security rigor as internet-facing web applications.

Patch speed matters, but zero-days give attackers a head start. By the time a patch was available, Clop had already completed their initial exploitation wave. Detection capabilities and incident response plans are essential for the period between exploitation and patch availability.

Supply chain data flows create unexpected exposure. Organizations whose data was stolen from third-party MOVEit instances had no direct relationship with the vulnerable software. Understanding where your data flows — and through which third-party systems — is essential for risk management.

The ransomware threat model is evolving. Traditional ransomware defenses focused on preventing encryption and maintaining backups. Clop's data theft campaigns require a different defensive posture centered on data loss prevention and monitoring for unauthorized access.
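The monitoring posture called for above can be made concrete over the MFT server's own transfer audit trail. What follows is an added example, not part of the original article and not MOVEit's real log format: the audit lines are constructed, the column layout is assumed, and the thresholds are illustrative. It encodes two signals that match the campaign as described: downloads attributed to a user/IP pair with no preceding login (a web shell reads files without ever authenticating, so the transfers appear without one), and a burst of downloads whose count or volume exceeds a threshold within a short window.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed MFT audit lines for the example (not MOVEit's real log format).
# Columns assumed: timestamp,action,user,source_ip,path,bytes
SAMPLE_LOG = """\
2023-05-27T14:02:10Z,login,alice,203.0.113.10,-,0
2023-05-27T14:03:41Z,download,alice,203.0.113.10,/home/alice/q1-report.pdf,204800
2023-05-27T14:09:05Z,download,alice,203.0.113.10,/home/alice/notes.docx,51200
2023-05-28T02:11:03Z,download,svc_payroll,198.51.100.77,/home/payroll/batch-001.csv,48000000
2023-05-28T02:11:09Z,download,svc_payroll,198.51.100.77,/home/payroll/batch-002.csv,47500000
2023-05-28T02:11:15Z,download,svc_payroll,198.51.100.77,/home/payroll/batch-003.csv,46900000
2023-05-28T02:11:21Z,download,svc_payroll,198.51.100.77,/home/payroll/batch-004.csv,48100000
2023-05-28T02:11:27Z,download,svc_payroll,198.51.100.77,/home/payroll/batch-005.csv,47700000
2023-05-28T02:11:33Z,download,svc_payroll,198.51.100.77,/home/payroll/batch-006.csv,48300000
"""

WINDOW = timedelta(minutes=10)      # sliding window for the burst rule
MAX_FILES = 5                       # more than this many downloads in WINDOW -> alert
MAX_BYTES = 200 * 1024 * 1024       # or more than this volume in WINDOW -> alert
LOGIN_GRACE = timedelta(hours=12)   # a download later than this after the last login counts as unauthenticated


def parse(lines):
    """Turn raw audit lines into time-sorted event dicts."""
    events = []
    for raw in lines:
        raw = raw.strip()
        if not raw or raw.startswith("#"):
            continue
        ts, action, user, ip, path, size = raw.split(",")
        events.append({
            "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
            "action": action, "user": user, "ip": ip, "path": path, "bytes": int(size),
        })
    events.sort(key=lambda e: e["ts"])
    return events


def detect(events):
    """Return one alert per (rule, user/IP pair); repeats of the same finding are suppressed."""
    alerts = []
    last_login = {}              # (user, ip) -> time of the most recent login
    recent = defaultdict(deque)  # (user, ip) -> downloads inside WINDOW
    flagged = set()              # (rule, key) pairs already reported
    for e in events:
        key = (e["user"], e["ip"])
        if e["action"] == "login":
            last_login[key] = e["ts"]
            continue
        if e["action"] != "download":
            continue
        # Rule 1: a download with no recent login for this user/IP pair.
        login_ts = last_login.get(key)
        if (login_ts is None or e["ts"] - login_ts > LOGIN_GRACE) and ("no_login", key) not in flagged:
            flagged.add(("no_login", key))
            alerts.append({"rule": "no_login", "user": e["user"], "ip": e["ip"],
                           "path": e["path"], "at": e["ts"]})
        # Rule 2: burst of downloads by count or by volume inside the sliding window.
        q = recent[key]
        q.append(e)
        while q and e["ts"] - q[0]["ts"] > WINDOW:
            q.popleft()
        total = sum(x["bytes"] for x in q)
        if (len(q) > MAX_FILES or total > MAX_BYTES) and ("bulk", key) not in flagged:
            flagged.add(("bulk", key))
            alerts.append({"rule": "bulk_download", "user": e["user"], "ip": e["ip"],
                           "files": len(q), "bytes": total, "at": e["ts"]})
    return alerts


if __name__ == "__main__":
    for alert in detect(parse(SAMPLE_LOG.splitlines())):
        print(alert)
```

On the constructed sample, alice's two small downloads after a login produce nothing, while the service-account burst on the holiday weekend raises a no_login alert on its first file and a bulk_download alert once the volume crosses the threshold. Tune the window and thresholds against a baseline of your own transfer volumes, and alert on weekend or off-hours bursts at a lower threshold than on business days.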

How Safeguard.sh Helps

The MOVEit campaign is a textbook case for supply chain security. A vulnerability in a single file transfer tool cascaded through thousands of organizations, exposing data from millions of individuals who had no direct relationship with the vulnerable software.

Safeguard.sh provides the supply chain mapping needed to understand these cascading risks. By maintaining comprehensive SBOMs and tracking software components across your organization, the platform helps you identify which systems use vulnerable components — including third-party tools like MFT solutions that might not be on your radar.

The platform's continuous vulnerability monitoring means that when a critical flaw like CVE-2023-34362 is disclosed, you get immediate visibility into whether you're exposed — directly through your own deployments or indirectly through vendor dependencies. In a campaign like MOVEit, where the window between exploitation and patch availability was measured in days, this speed of awareness is the difference between a proactive response and discovering your exposure in a Clop leak posting.
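One way to implement the direct-versus-indirect exposure assessment described here, together with the data-flow mapping called for under Defensive Takeaways, as an added example that is not Safeguard.sh's code and not a real SBOM: the component inventories, the vendor stacks, the data-flow map and every version number are constructed. The version scheme is a placeholder, not Progress Software's actual release numbering, and in a real assessment the fixed-in list is copied from the vendor advisory.

```python
# Constructed advisory record. fixed_in is a placeholder list (first fixed release per
# supported line) and must be replaced with the versions from the vendor advisory.
ADVISORY = {
    "cve": "CVE-2023-34362",
    "vendor": "Progress Software",
    "product": "MOVEit Transfer",
    "fixed_in": ["1.1.6", "1.2.1"],
}

# Our own systems, as CycloneDX-style component lists (constructed).
INTERNAL_SBOMS = {
    "hr-file-gateway": [
        {"vendor": "Progress Software", "name": "MOVEit Transfer", "version": "1.2.0"},
        {"vendor": "OpenSSL", "name": "OpenSSL", "version": "3.0.9"},
    ],
    "legal-exchange": [
        {"vendor": "Progress Software", "name": "MOVEit Transfer", "version": "1.2.1"},
    ],
    "customer-api": [
        {"vendor": "F5", "name": "nginx", "version": "1.24.0"},
    ],
}

# What each third party that handles our data runs, from their attestations (constructed).
VENDOR_STACKS = {
    "payroll-provider": [{"vendor": "Progress Software", "name": "MOVEit Transfer", "version": "1.1.4"}],
    "print-house": [{"vendor": "ExampleCorp", "name": "ExampleMFT", "version": "4.2.0"}],
}

# Which of our systems send data to which third party (constructed data-flow map).
# finance-erp runs no MFT software itself, yet its data transits payroll-provider.
DATA_FLOWS = {
    "hr-file-gateway": ["payroll-provider"],
    "finance-erp": ["payroll-provider", "print-house"],
    "customer-api": ["print-house"],
}


def parse_version(v: str) -> tuple[int, ...]:
    """Turn '1.10.0' into (1, 10, 0) so versions compare numerically, not lexically."""
    return tuple(int(part) for part in v.split("."))


def is_affected(component: dict, advisory: dict) -> bool:
    """True if the component is the advisory's product and sits below the fix on its release line."""
    if component["vendor"] != advisory["vendor"] or component["name"] != advisory["product"]:
        return False
    installed = parse_version(component["version"])
    fixed_on_line = [f for f in map(parse_version, advisory["fixed_in"]) if f[:2] == installed[:2]]
    # No fixed release on this line means the line was never patched: treat as affected.
    if not fixed_on_line:
        return True
    return installed < min(fixed_on_line)


def assess_exposure(advisory, internal_sboms, vendor_stacks, data_flows):
    """Split exposure into systems we run ourselves and systems whose data transits an affected vendor."""
    direct = sorted(name for name, comps in internal_sboms.items()
                    if any(is_affected(c, advisory) for c in comps))
    exposed_vendors = {v for v, comps in vendor_stacks.items()
                       if any(is_affected(c, advisory) for c in comps)}
    indirect = sorted((system, vendor) for system, vendors in data_flows.items()
                      for vendor in vendors if vendor in exposed_vendors)
    return {"cve": advisory["cve"], "direct": direct, "indirect": indirect}


if __name__ == "__main__":
    result = assess_exposure(ADVISORY, INTERNAL_SBOMS, VENDOR_STACKS, DATA_FLOWS)
    print(result["cve"])
    print("direct:  ", result["direct"])
    print("indirect:", result["indirect"])
```

The indirect list is the part a component-only scan misses: finance-erp carries no vulnerable software, but its payroll data sits on a third party's affected server, which is exactly the Zellis and PBI pattern above. Keeping the data-flow map current is therefore as important as keeping the SBOMs current.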
