The infamous Clop ransomware organization stands to make a staggering $100m from its latest data ransom campaign, following payment of large sums by a minority of victims. This alarming estimate comes from Coveware, a top security firm.
Coveware’s fresh report indicates that the cybercrime organization escalated its average ransom request substantially during this recent onslaught.
A company-wide effect from the MOVEit campaign is predicted, with over 1000 companies directly impacted and ten times that number indirectly. Yet, according to the report, only a very small percentage of victims even considered entering negotiations or paying the ransom.
Those who decided to pay disbursed significantly larger sums than in previous Clop campaigns, many times over the typical global ransom sum of $740,144 (+126% from Q1 2023).
Coveware’s assessment sets the total Clop booty at a vast $75–100m, a sum gathered “from merely a select few victims who conceded to extremely high ransom payments.”
The security firm voiced concern over such an enormous and threatening sum of money in the hands of a single, comparatively minor group. To put the scale of this sum in perspective, Coveware pointed out that it exceeds Canada’s yearly offensive security budget.
Notoriously, Clop exploited a zero-day flaw in the MOVEit file transfer software, stealing data from a vast number of its corporate users. Coveware interprets this strategy as a reaction to the declining profitability of traditional ransomware attacks.
Indeed, the proportion of attacks leading to payment by the victim hit a historic low of 34% in the second quarter, according to Coveware’s statistics.
Criminal groups are now refocusing on larger victim organizations, aiming for heftier payouts. Concurrently, there is a significant decline in encryption attacks by RaaS groups targeting smaller enterprises.
Coveware further observed that with the increasing difficulty in securing payment from an encryption attack, two trends have emerged. Firstly, certain ransomware families like Dharma and Phobos, which have consistently been among the top 10 most active groups over the years, have now become dormant.
Secondly, it appears the more technically skilled affiliates that had been using Dharma and/or Phobos have shifted to a new ransomware toolkit named 8base.