Cl0p Ransomware Gang Leaks MOVEit Data on Clearweb Sites

The Cl0p Ransomware Gang has begun its clearweb journey by leaking data stolen from

At the time of writing, the clearweb domain of the Cl0p Ransomware Gang was offline; however, the gang’s entry to the clearweb reveals upcoming cybersecurity threats intended for their victims.

The Cl0p ransomware gang is among the cybercrime syndicates that have exploited the MOVEit vulnerability more extensively than any other. To exacerbate the situation, the ransomware gang is now leaking the data it stole through the MOVEit vulnerability on its clearweb domain.

According to security researcher Dominic Alvieri, the Cl0p ransomware gang is leaking the data they stole from the MOVEit Transfer platform in May on the publicly accessible website. The gang exploited a zero-day vulnerability in the secure file transfer platform, leading to a data breach that drastically impacted hundreds of businesses and government institutions worldwide. 

Cl0p has dumped the data as large downloadable files instead of opting for specific searchable items and didn’t host the site on the Tor network, as has been the case in many previous data leaks.

Cl0p Ransomware Gang Leaks MOVEit Data on Clearweb Sites
Screenshot from Cl0p’s dark web domain (Image credit:

What is the difference between Clearweb and Dark Web

The Clearweb, also known as the Surface Web or Visible Web, refers to the part of the internet that is easily accessible and indexed by search engines like Google. It includes websites and web pages that can be accessed through standard web browsers without requiring any special configurations.

On the other hand, the Dark Web is a portion of the internet that is intentionally hidden and not indexed by traditional search engines. Accessing the Dark Web requires specialized software, such as the Tor browser, which provides anonymity and encryption.

This anonymity allows users to access hidden websites that use “.onion” domains. The Dark Web is often associated with illicit activities, illegal marketplaces, and anonymous forums where users can communicate without revealing their identities.

It is worth noting that Cl0p has recently developed this tactic to blackmail their victims where the gang creates Clearnet websites hosted on the surface web to leak stolen data. They first tried this tactic to leak data stolen from the PWC business consulting firm, which was uploaded in four spanned ZIP archives. Later Cl0p used the same tactic for leaking data from TD Ameritrade, Aon, Kirkland, and Ernest & Young.

Screenshot from Cl0p’s clearweb domain (Image credit:

Perhaps, the Cl0p ransomware gang believes it to be a more effective method for extorting victims (even though such websites get quickly removed). Leaking data on Tor-hosted darknet platforms has lost the charm given their restricted reach.

Although Tor offers anonymity, not all users can access the sites without a specialized browser, whereas, on the surface web, anyone having the website link can download the stolen data.

Another reason is that search engines don’t index darknet content, so, download speed is usually pretty slow, whereas, on Clearweb, the site gets indexed, and downloading is quicker. Nonetheless, this tactic is more detrimental for the victims as they become vulnerable to harassment and online scams from all fronts.

Cl0p is among the most notorious hacking gangs currently having successfully targeted high-profile firms and extracted millions of dollars in ransom. Per Coveware’s latest report, the gang has raked in $75-$100 million from their latest MOVEit attacks. Coveware CEO Bill Siegel noted that only a handful of Cl0p’s victims generally give in to their demands.

Therefore, the hackers are using different extortion strategies. Siegel also noted that MOVEit attacks have proven far more successful than GoAnywhere data theft, where the hackers could breach 130 victims and didn’t receive their desired ransom as well.

As expected, all Clearweb extortion sites created by the Cl0p ransomware gang have been taken offline, proving the short-lived nature of this method. Security researchers highlighted that Cl0p’s latest site lacks the sophistication seen in the approach used by the rival ALPHV ransomware gang, aka BlackCat, which introduced this method to pressurize their victims more profoundly.

  1. Big Head Ransomware Found in Fake Windows Updates
  2. LockBit Ransomware Expands Attack Spectrum to Mac Devices
  3. Genesis Market’s Clearnet domain seized; Dark Web site still online
Related Posts