We take a closer look at the operations of Clop, a prolific ransomware family that has gained notoriety for its high-profile attacks. We review this ransomware group’s constantly changing schemes and discuss how companies can shore up defenses against this threat.
Clop (sometimes stylized as “Cl0p”) has been one of the most prolific ransomware families in the past three years. It has gained infamy for compromising high-profile organizations in various industries worldwide using multilevel extortion techniques that resulted in huge payouts estimated at US$500 million as of November 2021. In concerted efforts to dismantle ransomware cartels, a global coalition across five continents that involved law enforcement and private partners led to the arrests in Ukraine of six suspected Clop members in June 2021.
While the arrests in Ukraine might have dealt a big blow to Clop’s operations, the group’s criminal activities have gone unabated: our detections of attack attempts showed non-stop malicious activity from January 2021 to January 2022. Reports noted that only parts of the ransomware’s operations were affected: the server infrastructure that affiliates used to disseminate the malware was seized, and the channels used to launder illegally obtained cryptocurrency ransom payments were taken down.
As enterprises ponder on ways to bolster their security defenses in the post-pandemic era, learning more about potential threats is essential to adopting a proactive cybersecurity approach. In this report, we focus the spotlight on the notorious Clop ransomware’s operations.
History of Clop
Clop evolved as a variant of the CryptoMix ransomware family. In February 2019, security researchers discovered that the threat group known as TA505 was using Clop when it launched a large-scale spear-phishing email campaign. Clop is operated as ransomware as a service (RaaS) by a Russian-speaking group. Additionally, this ransomware used a verified, digitally signed binary, which made it look like a legitimate executable file and helped it evade security detection.
In 2020, it was reported that FIN11 — a financially motivated hacking group — deployed Clop ransomware and threatened to publish its victims’ exfiltrated data. FIN11 exploited zero-day vulnerabilities in the legacy File Transfer Appliance (FTA) of Kiteworks (formerly known as Accellion) to infiltrate victims’ networks, then delivered the Clop ransomware as its payload while also stealing data. Researchers also discovered that the group used a specific web shell, referred to as “DEWMODE”, to exfiltrate stolen information from its victims.
Researchers found two groups of malicious actors with known connections to FIN11 and identified them as UNCA2546 and UNCA2582; these were also the groups responsible for the massive attacks on Kiteworks users.
The operators behind Clop made their first attempt at using the double extortion scheme in April 2020 when they publicized the data of a pharmaceutical company on their leak site. Clop’s dedicated leak site hosts its list of victims, which has markedly grown since its launch. Over time, the gang’s extortion tactics have become more sophisticated and thus more destructive.
In November 2021, security researchers detected Clop operators exploiting a SolarWinds Serv-U vulnerability to breach corporate networks and deliver the Clop ransomware as a payload. The vulnerability, tracked as CVE-2021-35211, affects Serv-U Managed File Transfer and Serv-U Secure FTP and allows remote code execution (RCE) on the vulnerable server with elevated privileges.
A maritime services giant with headquarters in Singapore also fell prey to Clop. In November 2021, it was reported that Clop had breached the company’s IT systems to steal classified proprietary commercial information and employee data, including bank account details, payroll information, passports, email addresses, and internal correspondence, among others.