Tag Archive for: Factbox

Factbox: Who is behind the sweeping MOVEit hack?


June 27 (Reuters) – The cl0p ransomware gang is claiming a new set of victims from its hack of the MOVEit file transfer protocol, taking credit on Tuesday for having stolen data from the University of California, Los Angeles, Siemens Energy (ENR1n.DE), Abbvie Inc (ABBV.N) and Schneider Electric (SCHN.PA), among others.

The total number of recent victims from the online extortion ring has reached 121 organizations, according to Brett Callow, whose cybersecurity company Emsisoft helps companies respond to digital shakedown attempts. He said that at least 15 million people were affected.

Here’s what is known about cl0p and its recent rampage.

Who are the hackers?

Cl0p’s identity and location are not publicly known. But security researchers say the group is Russia-linked or Russian-speaking and its name could be a play on the Russian word for “bug.” In 2021, Ukrainian authorities announced the arrests of six people tied to cl0p, but it’s not clear that they were core members of the group, which continued to hack victims.

Cl0p is a ransomware-as-a-service gang, meaning that it hires out its software and infrastructure for other cybercriminals in return for a cut of the proceeds.

The group helped pioneer the practice of double-extortion, where cybercriminals take files hostage by encrypting them – then threaten to leak them online unless a payment is made. Japanese cybersecurity firm TrendMicro described cl0p as “a trendsetter for its ever-changing tactics.”

The hackers – who sometimes spell their name “CLOP” – didn’t immediately return an email seeking comment.

How did they rack up so many victims?

Cl0p was able to take advantage of a previously undiscovered flaw in a popular file transfer program – MOVEit Transfer – to steal data from a wide swathe of organizations, some of whom in turn were handling data belonging to yet more organizations.

Plundering file transfer protocols has become increasingly popular as hackers shift from encrypting data to simply stealing files and threatening to release them unless a ransom is paid.

If a victim doesn’t pay, cl0p posts their identity to its darknet site – a name-and-shame tactic that has been playing out over the past several weeks.

Who has been…


Factbox: Implications of apparent Stuxnet Iran cyber attack – Reuters

LONDON (Reuters) – An apparent cyber attack on Iran shows the vulnerability of critical national infrastructure systems to attack through widely used computer programs and imported technology. Iranian officials said Sunday that the Stuxnet worm had …