Inside CL0P’s MOVEit Campaign: Zero Days, Data Theft, and an Industry-Wide Response

Cynthia Kaiser
SVP, Ransomware Research Center, Halcyon AI
Lillian Lang
Senior Manager, Cyber Threat Intelligence, Chevron

In May 2023, the ransomware group CL0P initiated one of the most impactful supply chain cyberattacks in recent memory, exploiting a zero-day vulnerability in the popular MOVEit file transfer software. Operating with stealth and speed, CL0P weaponized the vulnerability to exfiltrate data from what it claimed was over 650 MOVEit customers globally. In the weeks that followed, without deploying traditional ransomware payloads, CL0P extorted at least $75 million from victim companies after threatening to leak stolen data.

This session will begin by exploring how CL0P started exploiting the MOVEit vulnerability, detailing the tactics the group employed to maximize reach and avoid early detection. It will then turn to the industry's perspective, walking through Chevron's internal response to ensure its networks were protected and presenting the lessons learned. Finally, the session will discuss what has made CL0P more durable than other ransomware groups, and how it remains a threat today.

Key takeaways will include:
  • How legacy third-party assessments failed to flag exposure
  • What early signals could have provided warning, including an updated look at how recent AI advancements could have improved detection
  • Why the group’s “data-only” extortion model created early-days confusion
  • How coordination among legal, comms, and IT teams affected response
  • Concrete improvements adopted post-incident

Attendees will leave with actionable insights for defending against future supply chain attacks, where ransomware is headed next, and building resilience in the face of the increasingly professional ecosystem of cyber crime.