This article is more than 1 year old

After oil giant Shell hit by Clop ransomware gang, workers' visas dumped online as part of extortion attempt

Another day, another data nightmare

Updated Royal Dutch Shell is the latest corporation to be attacked by the Clop ransomware gang.

The extortionists siphoned sensitive documents from a software system used by the oil giant, and have now leaked online some of the data – notably a selection of workers' passport and visa scans – to chivy the corporation along to cough up a ransom. The idea being that if the ransom is paid, no more data will be dumped in public.

Earlier this month, the oil giant admitted a file-transfer application had been compromised, writing in a statement that “an unauthorized party gained access to various files during a limited window of time.”

It attempted to downplay the impact noting that “there is no evidence of any impact to Shell’s core IT systems,” and the server accessed was “isolated from the rest of Shell’s digital infrastructure.” But it did acknowledge that the crooks had probably grabbed “some personal data and... data from Shell companies and some of their stakeholders.”

The Bombardier C-Series jet assembly line in Canada

Clop ransomware gang leaks online what looks like stolen Bombardier blueprints of GlobalEye radar snoop jet


To encourage Shell to pay off the thieves and prevent further stolen data from leaking, the gang has now uploaded to its Tor-hidden website a selection of documents, including scans of purported Shell employees’ US visas as well as a passport page and files from its American and Hungarian offices.

We're not sharing a link to the material for obvious reasons.

The theft and pressure tactics are just the latest in a string of crimes by the Clop gang, which has been primarily going after organizations that deployed vulnerable versions of Accellion's legacy file-transfer appliance, exploiting the software to steal internal information. And so it's no surprise to see the oil giant note: "Shell has been impacted by a data security incident involving Accellion’s File Transfer Appliance. Shell uses this appliance to securely transfer large data files."

A spokesperson for Shell was not available for immediate comment on the aforementioned leaks.

Earlier this month, files from infosec outfit Qualys, including purchase orders, appliance scan results, and quotations also appeared on the extortionists' hidden site. And it's far from alone.

Other victims include Canadian aerospace firm Bombardier, which saw details of a military-grade radar leaked, London ad agency The7stars, and German giant Software AG.

And to pile on the pressure, the Clop gang now emails the customers of its victims, warning that data has been stolen and will be leaked if a ransom isn't paid, in an attempt to get said clients to demand the extortionists are paid off to keep quiet, reported BleepingComputer. ®

Updated to add

A PR person for Shell has been in touch to stress once again that the oil giant's Accellion deployment was specifically attacked by thieves rather than its IT systems as a whole. Also, while the Clop gang has in the past infected victims with ransomware, which scrambles files and demands a ransom to restore them, in this case, the crooks simply stole information, according to the Shell spinner.

"A cyber incident impacted a third-party, Accellion, software tool called the File Transfer Appliance (FTA) which is used within Shell," she told us.

"Criminal hackers gained access to files sent by users of the Accellion tool in a short period of time. The incident was isolated to Accellion’s tool and there is no evidence that it affected Shell’s own IT systems. The compromised servers were rebuilt and brought into service with a new Accellion security patch. The security patch closes the vulnerabilities and enhances security controls to detect new attacks." ®

More about

More about

More about


Send us news

Other stories you might like