May 2026 monthly report: ransomware and the MOVEit three-year retrospective
Three years on from CVE-2023-34362 (MOVEit Transfer SQLi) and the Cl0p mass-exploitation campaign that defined modern data-exfiltration ransomware. Plus the 2024-2025 ransomware retrospective: LockBit takedown, BlackCat exit-scam, and what survives them.
Three years since MOVEit
May 26, 2023 - Progress Software disclosed CVE-2023-34362, a SQL injection in MOVEit Transfer that allowed unauthenticated remote attackers to access MOVEit databases. Within days, the Cl0p ransomware group (FIN11) was running mass-exploitation against thousands of MOVEit Transfer instances simultaneously, stealing customer data for double-extortion. The campaign affected an estimated 2,700+ organisations and 95+ million individuals over the following 18 months.
Three years on, MOVEit defines what data-exfiltration ransomware looks like at scale: one CVE, weaponised globally, against a single product line that turned out to be a foothold into thousands of customer environments at once.
The 2023-2025 ransomware retrospective
| Event | Date | Significance |
|---|---|---|
| MOVEit / Cl0p | May 2023 | Mass data-exfiltration model |
| Citrix Bleed (CVE-2023-4966) | Oct 2023 | Session token theft → ransomware |
| Change Healthcare | Feb 2024 | Industry-wide healthcare disruption |
| ScreenConnect (CVE-2024-1709) | Feb 2024 | RMM → mass deployment |
| Operation Cronos (LockBit takedown) | Feb 2024 | Largest law-enforcement disruption |
| BlackCat / ALPHV exit-scam | Mar 2024 | $22M payment, then disappearance |
The takedowns didn't end ransomware. Operation Cronos disrupted LockBit's infrastructure in February 2024 - within months, affiliates had migrated to RansomHub and other successor brands. BlackCat's March 2024 exit-scam similarly fragmented its affiliate base rather than eliminating it. Law enforcement raises cost; it does not remove the business model.
What the four headline incidents teach
MOVEit (CVE-2023-34362) - the file-transfer pattern
Cl0p built a campaign around file-transfer products specifically (Accellion FTA in 2020, GoAnywhere MFT in early 2023, MOVEit in mid-2023). The pattern: products that hold sensitive customer data, with admin panels exposed to the public internet, are double-extortion gold.
Citrix Bleed (CVE-2023-4966) - session tokens
Citrix NetScaler Gateway leaked session tokens via memory disclosure. Threat actors stole the tokens, replayed them, and got past MFA into customer environments. Used by multiple ransomware groups (Akira, LockBit, others) for initial access throughout late 2023 and into 2024.
Change Healthcare - the systemic ransomware case
The February 2024 ransomware attack on Change Healthcare (a UnitedHealth subsidiary) by BlackCat / ALPHV disrupted prescription processing and insurance claims for weeks across US healthcare. UnitedHealth paid a reported $22M ransom; BlackCat exit-scammed shortly after. The systemic-risk dimension - a single payments processor's compromise affecting the entire industry - is the lasting lesson.
ScreenConnect (CVE-2024-1709) - the RMM pattern
A pre-authentication bypass in ConnectWise's remote monitoring and management tool, mass-exploited within hours of disclosure, because RMM tools give downstream access to every customer endpoint they manage. RMM compromise is the lateral-movement accelerant.
What "modern ransomware" actually looks like now
Source: Verizon DBIR 2024. Data-exfiltration-first ransomware now exceeds encryption-first in the incident counts we triage.
The May audit checklist
- Week 1: File-transfer product inventory. List every Managed File Transfer (MFT) and SFTP server in your estate - MOVEit, GoAnywhere MFT, Cleo, FileMage, IBM Aspera. For each, confirm the admin panel is off the public internet, the product is patched to current, and its credentials are not reused from elsewhere.
- Week 2: VPN/gateway session-token rotation policy. For Citrix NetScaler, Palo Alto, Fortinet and Cisco gateways: confirm session tokens have a reasonable maximum lifetime (≤ 1 day for privileged sessions) and are bound to source IP where supported. Citrix Bleed is the standing reference.
- Week 3: RMM exposure audit. For every RMM (ConnectWise, TeamViewer, AnyDesk, NinjaOne, Datto RMM): confirm the admin console sits behind SSO, MFA is enforced, and the vendor's CVE feed is in your monitoring stack.
- Week 4: Backup recovery tabletop. Date of the last actual recovery test. If you can't answer in days, you have a 2026 ransomware problem. CISA recommends quarterly tabletops; the lower bound is annual.
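As an added example (not code from the report or from any vendor), here is a minimal check for the Week 2 session-token items run over a constructed gateway log: it flags a token presented from more than one source IP, the pattern a stolen-and-replayed Citrix Bleed token leaves behind when IP binding is absent, and a privileged session outliving the one-day ceiling. The log format, the `svc-`/`adm-` privileged-account prefixes and the field names are assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log, not real gateway output: ISO timestamp, session id, user, source IP.
SAMPLE_LOG = """\
2026-05-03T08:00:12Z sess=a1f3 user=alice src=10.20.0.15
2026-05-03T08:05:40Z sess=a1f3 user=alice src=10.20.0.15
2026-05-03T08:07:02Z sess=a1f3 user=alice src=198.51.100.77
2026-05-03T09:10:00Z sess=b7c9 user=svc-backup src=10.20.0.40
2026-05-04T10:30:00Z sess=b7c9 user=svc-backup src=10.20.0.40
2026-05-03T11:00:00Z sess=c2d4 user=bob src=10.20.0.21
"""

PRIVILEGED_PREFIXES = ("svc-", "adm-")       # hypothetical account-naming convention
MAX_PRIVILEGED_LIFETIME = timedelta(days=1)  # the checklist's "<= 1 day for privileged"


def parse_line(line):
    """Split one constructed log line into (timestamp, session_id, user, src_ip)."""
    ts, *pairs = line.split()
    fields = dict(p.split("=", 1) for p in pairs)
    when = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
    return when, fields["sess"], fields["user"], fields["src"]


def audit_sessions(log_text):
    """Return sorted (session_id, finding) pairs: 'replay' when one token is seen from
    several source IPs, 'lifetime' when a privileged session exceeds the policy maximum."""
    by_session = defaultdict(list)
    for line in log_text.splitlines():
        if line.strip():
            event = parse_line(line)
            by_session[event[1]].append(event)

    findings = []
    for sid, events in by_session.items():
        if len({src for _, _, _, src in events}) > 1:
            findings.append((sid, "replay"))
        user = events[0][2]
        lifetime = max(t for t, *_ in events) - min(t for t, *_ in events)
        if user.startswith(PRIVILEGED_PREFIXES) and lifetime > MAX_PRIVILEGED_LIFETIME:
            findings.append((sid, "lifetime"))
    return sorted(findings)


if __name__ == "__main__":
    for sid, kind in audit_sessions(SAMPLE_LOG):
        print(f"{sid}: {kind}")
```

On a real gateway the same two checks are worth running against the appliance's own session or audit log export; the parsing is the only part that changes.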
The takedowns of LockBit and BlackCat in 2024 did not end ransomware. They demonstrated that the ransomware ecosystem is resilient to law-enforcement disruption - affiliates re-brand and continue. The control that actually moves the needle is removing the initial-access primitives, not waiting for the takedowns.
- Staatse monthly digest, May 2026
Key takeaways
- MOVEit (CVE-2023-34362) defined the modern data-exfiltration ransomware playbook. Three years later, file-transfer products remain the highest-leverage class to harden.
- Citrix Bleed (CVE-2023-4966) demonstrated that session-token theft bypasses MFA - your gateway hygiene must include token-rotation policy, not just MFA enforcement.
- Operation Cronos and the BlackCat exit-scam did not end ransomware; the ecosystem re-brands. Defence has to focus on initial-access primitives, not on waiting for takedowns.
- RMM tools and MFT products together account for an outsized share of mass-exploitation campaigns. Both deserve their own audit cadence.
Closing
For a structured review of your file-transfer, gateway, and RMM posture against the MOVEit / Citrix Bleed / ScreenConnect patterns, our network penetration testing service covers this scope. Get in touch.
References & further reading
- NVD - CVE-2023-34362 - MOVEit Transfer SQL injection
- Progress (MOVEit) - Vendor advisory and patches for CVE-2023-34362
- Mandiant / Google TIG - Cl0p (FIN11) mass-exploitation of MOVEit Transfer
- NVD - CVE-2023-4966 - NetScaler ADC/Gateway sensitive information disclosure (Citrix Bleed)
- CISA - Advisory AA24-060A - Threat actors exploit ConnectWise ScreenConnect (CVE-2024-1709)
- UK National Crime Agency - Operation Cronos: International takedown of LockBit ransomware
- CISA / FBI / HHS - Joint advisory on ALPHV BlackCat ransomware activity
- Verizon - 2024 Data Breach Investigations Report - ransomware data