When I was younger there was an Army Surplus store near my house that I frequented. My favorite shirt there had the phrase, “Kill ‘em all, let God sort ‘em out,” which 10-year-old me thought was great. My mother, wise woman that she was, refused to let me buy it.
The phrase allegedly has ties to the Albigensian Crusade of the 13th century. I’ve been thinking about this phrase a lot lately, because that is essentially how Cl0p handled the MOVEit breach: they hit as many vulnerable systems as quickly as they could, planning on sorting the victim data out later. In fact, in early June Cl0p told victims to e-mail them. That wasn’t a power move by Cl0p; they simply didn’t know who all the victims were.
Now that we are two months into this with new victims still being announced, we see that Cl0p’s sorting strategy is to find the biggest company/organization name in the sorted victim data and call that entity out. Eduard Kovacs has an article in SecurityWeek this morning saying that Cl0p may earn as much as $100 million from this breach. That may be correct: there are already 400 announced victims, and we know that roughly 25-30% of victims pay a ransom. That would mean roughly 120 victims paying an $830,000 ransom. That’s actually not unreasonable.
The challenge is that this is such an unusual case that we don’t know if the standard numbers apply. As Kovacs points out, Cl0p is pulling out all the stops to get paid, including setting up clearnet sites to shame EY and PwC. These tactics, including the slow drip of victim data, keep the breach in the public eye and bring more attention to each victim announced, but is it enough to coerce victims into paying?
Maybe? We think there have been a couple of high-profile victims who have paid, and likely paid large ransoms, but overall I am unsure how many victims have paid. Of course, it doesn’t matter in the end: if a few high-profile victims pay a ransom, that is enough for Cl0p (and other ransomware groups) to try this again and again and again.