// overview
What happened
On May 31, 2023, Progress Software disclosed a critical SQL injection vulnerability, later assigned CVE-2023-34362, in its MOVEit Transfer managed file-transfer product, widely deployed by enterprises and government agencies for moving sensitive files. Patches were released the same day, together with interim guidance to block all HTTP and HTTPS traffic to MOVEit Transfer until they were applied.
By the time of disclosure, the Cl0p crew had already been exploiting the bug for at least four days (Mandiant dated the earliest activity to May 27; Kroll later reported evidence of Cl0p testing the technique against MOVEit as far back as 2021). The attack chain: SQL injection against the MOVEit Transfer web front end to obtain a privileged session, then deployment of the LEMURLOOT ASP.NET web shell, written to the wwwroot as human2.aspx beside the legitimate human.aspx, which was used to enumerate folders, pull Azure Blob storage settings from the database, and exfiltrate every file held on the instance. There was no encryption payload, only data theft and a follow-up extortion email.
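A practical follow-on to the chain above is the hunt that every MOVEit Transfer operator had to run after May 31: look back through the IIS logs for the shell. The script below is an added example, not code from the original page or from Progress, Cl0p or any responder. It uses only the public indicators from the CISA/FBI advisory AA23-158A (the human2.aspx filename and the X-siLock-Comment header the shell's operators used to authenticate). The log lines are constructed for the example; the cs(X-siLock-Comment) column exists only if IIS was configured to log that custom header, and KNOWN_ROOT_ASPX is an illustrative allow-list, not an authoritative inventory of MOVEit pages.

```python
"""Hunt for LEMURLOOT indicators in IIS W3C logs from a MOVEit Transfer host.

Added example. Indicators come from CISA/FBI advisory AA23-158A. Assumptions:
the sample log is constructed; the cs(X-siLock-Comment) field is present only if
IIS was configured to log that header; KNOWN_ROOT_ASPX is illustrative.
"""
from __future__ import annotations

from dataclasses import dataclass
from typing import Iterator, Optional

WEBSHELL_STEMS = {"/human2.aspx"}          # documented LEMURLOOT filename
HEADER_FIELD = "cs(X-siLock-Comment)"      # custom IIS log field (assumed configured)
# Assumed allow-list of legitimate root-level .aspx pages on this deployment.
KNOWN_ROOT_ASPX = {"/human.aspx", "/guestaccess.aspx"}


@dataclass(frozen=True)
class Finding:
    line_no: int
    client_ip: str
    stem: str
    reason: str


def parse_w3c(text: str) -> Iterator[tuple[int, dict[str, str]]]:
    """Yield (line_no, record) per entry, taking column names from #Fields.

    W3C extended logs are space-delimited; IIS writes '-' for empty values and
    encodes spaces inside values, so a plain split is safe."""
    fields: Optional[list[str]] = None
    for line_no, raw in enumerate(text.splitlines(), 1):
        if raw.startswith("#Fields:"):
            fields = raw.split()[1:]
            continue
        if not raw.strip() or raw.startswith("#"):
            continue
        if fields is None:
            raise ValueError(f"line {line_no}: entry before any #Fields directive")
        parts = raw.split(" ")
        if len(parts) != len(fields):
            continue  # truncated or malformed line: skip rather than mis-map columns
        yield line_no, dict(zip(fields, parts))


def hunt(text: str) -> list[Finding]:
    """Return one Finding per indicator hit; a single line can yield several."""
    findings: list[Finding] = []
    for line_no, rec in parse_w3c(text):
        stem = rec.get("cs-uri-stem", "-").lower()
        ip = rec.get("c-ip", "-")
        if stem in WEBSHELL_STEMS:
            findings.append(Finding(line_no, ip, stem, "known LEMURLOOT filename"))
        elif stem.endswith(".aspx") and stem.count("/") == 1 and stem not in KNOWN_ROOT_ASPX:
            findings.append(Finding(line_no, ip, stem, "unexpected root-level .aspx"))
        if rec.get(HEADER_FIELD, "-") != "-":
            findings.append(Finding(line_no, ip, stem, "X-siLock-Comment header present"))
    return findings


def suspect_ips(findings: list[Finding]) -> set[str]:
    """Distinct client addresses to pivot on in firewall, VPN and other web logs."""
    return {f.client_ip for f in findings}


# Constructed sample, not a real capture. The 404 on human2.aspx is a probe before
# the shell existed; the 200 with a header value is an authenticated shell request;
# dbg.aspx is a page that does not belong to the product.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port c-ip cs(User-Agent) cs(X-siLock-Comment) sc-status
2023-05-28 02:14:07 10.0.0.5 GET /human.aspx - 443 198.51.100.23 Mozilla/5.0 - 200
2023-05-28 02:15:31 10.0.0.5 GET /human2.aspx - 443 198.51.100.23 Mozilla/5.0 - 404
2023-05-28 02:15:44 10.0.0.5 POST /human2.aspx - 443 198.51.100.23 Mozilla/5.0 f3c2a9 200
2023-05-28 02:16:02 10.0.0.5 GET /dbg.aspx - 443 198.51.100.23 Mozilla/5.0 - 200
2023-05-28 02:16:30 10.0.0.5 GET /api/v1/folders - 443 203.0.113.8 Mozilla/5.0 - 200
"""

if __name__ == "__main__":
    for f in hunt(SAMPLE_LOG):
        print(f"line {f.line_no}: {f.client_ip} {f.stem} -> {f.reason}")
```

Log review is only one leg of the hunt. The same advisory documents two host-side checks worth pairing with it: a human2.aspx (or any unexpected .aspx) on disk under the MOVEit Transfer wwwroot, and an unexpected account in the MOVEit user table (the shell created one named "Health Check Service"). A host that was patched after May 27 but never checked may still carry both.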
Because MOVEit was deployed by HR and payroll service providers (Zellis in the UK), state motor-vehicle agencies (Oregon, Louisiana), government contractors (IBM, whose instance held Colorado Medicaid data), pension administrators (Aon), and Fortune 500 enterprises and software vendors (Genesys among them), a single zero-day cascaded from a few hundred directly compromised instances into roughly 2,700 victim organisations, most of which never ran MOVEit themselves. Estimates of the number of individuals whose data was exposed climbed to approximately 95 million.
Cl0p claimed the campaign on its leak site on June 6–7, gave victims until June 14 to make contact, and posted victim names and then stolen data through the summer of 2023. The campaign reset expectations of how broadly a single managed-file-transfer zero-day could be monetised, and focused industry attention on the security of MFT, EDI, and similar 'in-between' tools that hold sensitive data while moving it.
// timeline
How it unfolded
May 27, 2023
Earliest observed exploitation of the MOVEit Transfer zero-day (Mandiant's dating; Kroll later reported Cl0p testing the technique against MOVEit as early as 2021).
May 28–30, 2023
Cl0p mass-deploys LEMURLOOT web shells and exfiltrates customer file stores.
May 31, 2023
Progress Software publishes its advisory and patches; interim guidance is to block HTTP and HTTPS traffic to MOVEit Transfer until patched.
Jun 2, 2023
CVE-2023-34362 assigned; CISA adds it to the Known Exploited Vulnerabilities catalogue.
Jun 5–7, 2023
Zellis confirms its MOVEit instance was breached; BBC, British Airways, Boots and Aer Lingus notify staff. Cl0p claims the campaign on its leak site and sets a June 14 contact deadline. CISA and FBI publish advisory AA23-158A.
Jun 9–16, 2023
Progress patches two further SQL injection flaws in MOVEit Transfer (CVE-2023-35036, CVE-2023-35708) found in follow-up review; instances patched only for CVE-2023-34362 remain exposed until these are applied.
Jun 14 onward, 2023
Cl0p begins listing non-paying victims; the US Department of Energy confirms it is among the federal victims.
Through 2024
Victim count climbs to ~2,700 organisations and ~95M individuals (Emsisoft tally).
// damage
Impact and scale
Cl0p inverted the ransomware model: no encryption, only exfiltration and pure extortion. By targeting a single widely used file-transfer product they compromised hundreds of MOVEit instances from one exploit, and because many of those instances belonged to service providers, the downstream victim count ran into the thousands: payroll records held by providers like Zellis, driver and identity data from US state motor-vehicle agencies, and pension data from Aon-administered plans. It demonstrated that a 'data-only' breach can be more efficient (and quieter) than encryption-based ransomware: nothing stops working, so nothing raises an alarm until the extortion email arrives.
// affected
Who was hit
- Zellis-mediated payroll customers: BBC, British Airways, Boots, Aer Lingus
- US Department of Energy, Department of Health and Human Services, Department of Agriculture
- Oregon and Louisiana motor-vehicle agencies; Colorado Medicaid enrolees, via contractor IBM
- Shell, Ernst & Young, PwC, Sony, Siemens Energy, TIAA, Aon-administered pensions
// lessons
Key takeaways
- Managed file-transfer products hold your most sensitive data at the moment it leaves your control; they deserve the same exposure review, logging and patch urgency as your core database.
- Pure exfiltration-extortion is now a stable business model; backups and restore drills, the standard ransomware controls, do nothing against a data-only breach. Knowing what data a system holds and watching what leaves it matter more.
- A single zero-day in a B2B integration product can cascade through hundreds of downstream organisations; most MOVEit 'victims' never ran MOVEit themselves.
- Third-party risk management has to include the long tail of niche enterprise software, not just the obvious SaaS giants.
- Patching the first CVE is not the end: Progress shipped fixes for two further SQL injection flaws within two weeks, and a host patched after May 27 may already carry a web shell and a rogue account. Patch, then hunt.
