Dark Web Threat Profile: CLOP Ransomware

October 12, 2021

We continue to cover the latest ransomware news on our blog. Cybersecurity researchers warn almost daily of emerging ransomware groups that could pose a significant threat to businesses, and CLOP is one of them.

Don’t Worry C|0P

CLOP, aka CL0P, ransomware, a member of the well-known CryptoMix ransomware family, is a dangerous file-encrypting malware that deliberately exploits vulnerable systems and encrypts stored files, appending the “.Clop” extension. The word clop comes from the Russian word “klop,” meaning “bed bug,” an insect of the genus Cimex that, like a mosquito, feeds on human blood at night. A distinguishing feature of CLOP is the string “Don’t Worry C|0P” found in its ransom notes.

CLOP attacks have been on the rise since February 2019, according to cybersecurity experts. CLOP, for example, attacked the well-known cybersecurity compliance company Qualys in March 2021 to steal client data. CLOP ransomware is linked to the financially motivated threat group TA505 (Hive0065), according to Palo Alto’s Unit42.

On June 16, 2021, as part of an international operation involving law enforcement agencies from Ukraine, South Korea, and the US, police arrested several people suspected of being involved in the CLOP ransomware gang. A few days after the operation, the ransomware group grabbed headlines by publishing data obtained from new victims.

An alleged database leaked by CLOP is detected in a hacker forum monitored by SOCRadar

Targeting High-Profile Industry Giants Worldwide

The report released by CISA on March 23 states that CLOP has already been used to target a number of organizations in the International Network of Health Promoting Hospitals and Health Services (HPH) in the United States, as well as organizations in Canada and Sweden.

After tracking the threat actor FIN11, Mandiant experts concluded that the gang is based somewhere within the Commonwealth of Independent States (CIS). This assessment is based on FIN11’s avoidance of systems that use CIS-country keyboard layouts and on file metadata written in Russian.

Retail, transportation, education, manufacturing, engineering, automotive, energy, financial, aerospace, telecommunications, professional and legal services are among the industries that have been affected by CLOP ransomware. For example, in December 2020, CLOP operators and their affiliates started exploiting some zero-day vulnerabilities in the Accellion File Transfer Appliance (FTA) software and began targeting its customers.

How Can CLOP Ransomware Infect Devices?

CLOP ransomware can infect a computer by various means, including spam email attachments, trojans, URLs, cracks, unprotected Remote Desktop Protocol (RDP) connections, malicious websites, and so on.

Some of the data shared by CLOP when the ransom is not paid

In February 2019, the CryptoMix ransomware strain CLOP behaved similarly to previous versions of CryptoMix. Security researchers discovered in March 2019 that the variant had changed its behavior and now disables services for enterprise applications such as Microsoft Exchange, Microsoft SQL Server, MySQL, and BackupExec. CLOP’s December 2019 update extended this capability by identifying and terminating 663 programs on the device before starting the encryption procedure.
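The service-stopping behavior described above is something defenders can watch for: a burst of database, mail and backup services stopping on one host within a few minutes is unusual outside maintenance windows. The following detection heuristic is an added example, not SOCRadar’s code; the log lines are constructed, and the flattened event format, the service watch-list and the window/threshold values are assumptions.

```python
"""Flag hosts on which several enterprise/backup services (the ones the text
says CLOP disables before encrypting) are stopped within a short window.
Example added here, not from SOCRadar; sample log lines are constructed."""
from collections import defaultdict
from datetime import datetime, timedelta
import re

# Service names reported in the text, matched case-insensitively as substrings
# of the Windows service display name (assumed watch-list).
WATCHED_SERVICES = ("exchange", "sql server", "mysql", "backup exec")

# Assumed flattened form of a Windows System log Event ID 7036 entry:
# "<ISO timestamp> <host> 7036 The <service> service entered the stopped state."
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) 7036 The (?P<svc>.+?) service entered the stopped state\.$"
)

def parse_service_stops(lines):
    """Yield (timestamp, host, service) for every stop event of a watched service."""
    for line in lines:
        m = LINE_RE.match(line.strip())
        if m and any(w in m.group("svc").lower() for w in WATCHED_SERVICES):
            yield datetime.fromisoformat(m.group("ts")), m.group("host"), m.group("svc")

def find_service_stop_bursts(lines, window=timedelta(minutes=5), threshold=3):
    """Return {host: [services]} for hosts where at least `threshold` watched
    services stopped within `window` of one another (time-ordered)."""
    per_host = defaultdict(list)
    for ts, host, svc in parse_service_stops(lines):
        per_host[host].append((ts, svc))
    alerts = {}
    for host, events in per_host.items():
        events.sort()                      # oldest first, so each window starts at events[i]
        for i in range(len(events)):
            burst = [s for t, s in events[i:] if t - events[i][0] <= window]
            if len(burst) >= threshold:
                alerts[host] = burst
                break
    return alerts

# Constructed sample: FS01 shows the pre-encryption pattern; DB02 is a lone stop.
SAMPLE_LOG = [
    "2021-10-12T02:14:03 FS01 7036 The Microsoft Exchange Information Store service entered the stopped state.",
    "2021-10-12T02:14:05 FS01 7036 The SQL Server (MSSQLSERVER) service entered the stopped state.",
    "2021-10-12T02:14:09 FS01 7036 The MySQL80 service entered the stopped state.",
    "2021-10-12T02:14:11 FS01 7036 The Backup Exec Job Engine service entered the stopped state.",
    "2021-10-12T02:14:20 FS01 7036 The Print Spooler service entered the stopped state.",
    "2021-10-12T09:30:00 DB02 7036 The MySQL80 service entered the stopped state.",
]

if __name__ == "__main__":
    print(find_service_stop_bursts(SAMPLE_LOG))
```

The alert alone is a trigger for investigation, not proof of CLOP; pair it with file-extension and ransom-note indicators from the profile above before acting.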

The actors then demand payment to decrypt the data and to guarantee that the organization’s data will not be leaked. If a victim does not pay the ransom, their information is published on CLOP’s leak website, CL0P – LEAKS.

CLOP operators have also been observed to combine a “spray and pray” approach with a more targeted approach to compromise targets by running large-scale phishing campaigns and then choosing which networks to compromise for monetization, according to Mandiant FireEye researchers.

Mitigations for Preventing CLOP Infection

A ransomware victim in the CLOP ransomware group website

When defending against ransomware/extortion cybercrime groups, CLOP should be handled the same as any other.

  • Think twice before opening email attachments or clicking on links. Do not open a file if it is not relevant to you or if the sender’s email address looks suspicious.
  • Avoid third-party downloaders, since they regularly deliver dangerous programs.
  • Remember that using unlicensed software is a form of piracy, and there is a high risk of infection because software cracking tools are regularly used to propagate malware.
