Oil giant Shell hit by Clop ransomware, workers’ visas dumped online as part of extortion attempt

Royal Dutch Shell is the latest corporation to be infected by the Clop ransomware. The criminals behind the malware have siphoned internal documents from the oil giant, and publicly leaked some of the data – notably a selection of workers’ passport and visa scans – to chivy the corporation along to pay the ransom.

Earlier this month, the oil giant admitted its systems had been compromised, writing in a statement that “an unauthorized party gained access to various files during a limited window of time.”

It attempted to downplay the impact, noting that “there is no evidence of any impact to Shell’s core IT systems,” and that the server accessed was “isolated from the rest of Shell’s digital infrastructure.” But it did acknowledge that the crooks had probably grabbed “some personal data and… data from Shell companies and some of their stakeholders.”

We noted on Monday that, to encourage Shell to pay a ransom not only to decrypt any files scrambled by Clop but also to prevent their leakage by the thieves, the gang has uploaded to its Tor-hidden website a selection of documents, including scans of purported Shell employees’ US visas as well as a passport page and files from its American and Hungarian offices. The idea is that if the ransom, typically demanded in cryptocurrency, is paid, no more data is dumped online.

We’re not sharing a link to the material for obvious reasons.

The theft and pressure tactics are just the latest in a string of crimes by the Clop gang, which has been primarily going after organizations that deployed vulnerable versions of Accellion’s legacy file-transfer appliance, exploiting the software to steal internal information. And so it’s no surprise to see the oil giant note: “Shell has been impacted by a data security incident involving Accellion’s File Transfer Appliance. Shell uses this appliance to securely transfer large data files.”

A spokesperson for Shell was not available for immediate comment on the aforementioned leaks.

Earlier this month, files from infosec outfit Qualys, including purchase orders, appliance scan results, and quotations, also appeared on the extortionists’ hidden site. And it’s far from alone.

Other victims include Canadian aerospace firm Bombardier, which saw details of a military-grade radar leaked, London ad agency The7stars, and German giant Software AG.

And to pile on the pressure, the Clop gang now emails the customers of its victims, warning that data has been stolen and will be leaked if a ransom isn’t paid, in an attempt to get said clients to demand the extortionists are paid off to keep quiet, reported BleepingComputer. ®

Thanks to threat analyst Brett Callow of security biz Emsisoft for pointing out the appearance of Shell employee data on Clop’s hidden site.