Dark Web Threat Profile: CLOP Ransomware

March 24, 2023

On February 2, 2023, Brian Krebs, author of KrebsOnSecurity, shared a post on the Mastodon platform about a newly discovered zero-day. In his post, he mentioned a remote code injection vulnerability in GoAnywhere MFT, Fortra’s secure managed file transfer solution. According to SOCRadar’s observations, more than 1,000 systems worldwide expose to the public internet the administrative port that may be vulnerable to this zero-day. Truebot was observed actively exploiting this vulnerability. Clop ransomware, which is thought to be an affiliate of Truebot, has also started to appear in the headlines frequently because of its high number of claims.

Map of observed devices vulnerable to CVE-2023-0669 by country, taken from SOCRadar’s Vulnerability Intelligence panel of the CTI Module (Source: SOCRadar)

In this article, we’ll closely look into the activities of Clop ransomware and analyze its malware.

Don’t Worry C|0P

CLOP, aka CL0P, ransomware, a member of the well-known Cryptomix ransomware family, is a dangerous file-encrypting malware that deliberately exploits vulnerable systems and encrypts stored files with the “.Clop” extension. The word clop comes from the Russian word “klop,” which means “bed bug,” a Cimex-like insect that feeds on human blood at night. A distinguishing feature of CLOP is the string “Don’t Worry C|0P” found in its ransom notes.


CLOP attacks have been on the rise since February 2019, according to cybersecurity experts. CLOP, for example, attacked the well-known cybersecurity compliance company Qualys in March 2021 to steal client data. According to Palo Alto’s Unit42, CLOP ransomware is linked to the financially motivated threat group TA505 (Hive0065).

On June 16, 2021, as part of an international operation involving law enforcement agencies from Ukraine, South Korea, and the US, police arrested several people suspected of being involved in the CLOP ransomware gang. A few days after the operation, the ransomware group grabbed headlines again by publishing data obtained from new victims.

An alleged database leaked by CLOP is detected in a hacker forum monitored by SOCRadar

Targeting High-Profile Industry Giants Worldwide

The report released by CISA on March 23 argues CLOP has already been used to target a number of The International Network of Health Promoting Hospitals and Health Services (HPH) groups in the United States and organizations in Canada and Sweden.

After tracking the threat actor FIN11, Mandiant experts concluded that the gang is based somewhere within the Commonwealth of Independent States (CIS). This assessment is based on FIN11’s avoidance of systems that use CIS-country keyboard layouts and on Russian-language file metadata.

Retail, transportation, education, manufacturing, engineering, automotive, energy, financial, aerospace, telecommunications, and professional and legal services are among the industries that have been affected by CLOP ransomware. For example, in December 2020, CLOP operators and their affiliates started exploiting zero-day vulnerabilities in the Accellion File Transfer Appliance (FTA) software and began targeting its customers.

How Can CLOP Ransomware Infect Devices?

CLOP ransomware can infect a computer by various means, including spam email attachments, trojans, URLs, cracks, unprotected Remote Desktop Protocol (RDP) connections, malicious websites, and so on.

Data shared by CLOP when the ransom is not paid

In February 2019, the CryptoMix ransomware strain CLOP behaved much like previous versions of CryptoMix. In March 2019, security researchers discovered that the release had changed its behavior and now disables services for enterprise applications such as Microsoft Exchange, Microsoft SQL Server, MySQL, and BackupExec. CLOP’s December 2019 update extended this capability by identifying and terminating 663 programs on the device before starting the encryption routine.

The actors then demand payment to decode the data and ensure that the organization’s data is not leaked. If a victim does not pay the ransom, their information will be published on CLOP’s ransomware website, CL0P – LEAKS.

CLOP operators have also been observed to combine a “spray and pray” approach with a more targeted approach to compromise targets by running large-scale phishing campaigns and then choosing which networks to compromise for monetization, according to Mandiant FireEye researchers.

Based on research conducted on AlienVault, SOCRadar’s threat researchers obtained and examined a malware sample with the hash value 82d4025b84cf569ec82d21918d641540, associated with TA505 and Clop. The analysis showed that the malware performed process injection and transmitted the list of running processes, base64-encoded, to the hxxp[:]//qweastradoc[.]com/gate.php address.

Base64 request that the malware sent to gate[.]php, decoded using CyberChef
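As an added example (not part of the original SOCRadar analysis), the Python below shows how a defender could hunt for the beacon described above in web proxy logs: it refangs the published indicator, flags requests to that host and decodes the base64 POST body to recover the reported process list. The proxy log format and the log lines are constructed for illustration; only the domain and path come from the article.

```python
import base64
import re
from urllib.parse import urlparse

# Indicator from the SOCRadar analysis of sample 82d4025b84cf569ec82d21918d641540,
# kept in its defanged form and "refanged" only at match time.
C2_INDICATOR = "hxxp[:]//qweastradoc[.]com/gate.php"


def refang(ioc: str) -> str:
    """Turn a defanged indicator (hxxp[:]//x[.]com) back into a matchable URL."""
    return ioc.replace("hxxp", "http").replace("[:]", ":").replace("[.]", ".")


C2_HOST = urlparse(refang(C2_INDICATOR)).hostname  # "qweastradoc.com"

# Constructed proxy log (not real traffic): time, client, method, URL, POST body or "-".
_BEACON_BODY = base64.b64encode(b"explorer.exe\r\nsvchost.exe\r\nsqlservr.exe").decode()
SAMPLE_LOG = (
    "2023-02-11T10:14:02Z 10.0.0.15 GET http://www.example.org/index.html -\n"
    f"2023-02-11T10:14:07Z 10.0.0.15 POST http://qweastradoc.com/gate.php {_BEACON_BODY}\n"
    "2023-02-11T10:14:09Z 10.0.0.22 POST http://updates.example.org/api -\n"
)

LINE_RE = re.compile(r"^(\S+) (\S+) (GET|POST) (\S+) (\S+)$")


def decode_beacon_body(body: str):
    """Return the decoded text of a base64 POST body, or None if it is not base64/UTF-8."""
    if body == "-":
        return None
    try:
        return base64.b64decode(body, validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):  # binascii.Error is a ValueError subclass
        return None


def find_c2_beacons(log_text: str) -> list:
    """Flag requests to the C2 host and expose the process list the beacon carried."""
    hits = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that do not fit the constructed log format
        ts, client, method, url, body = m.groups()
        parsed = urlparse(url)
        if parsed.hostname != C2_HOST:
            continue
        decoded = decode_beacon_body(body)
        hits.append({
            "time": ts, "client": client, "method": method, "path": parsed.path,
            "processes": decoded.splitlines() if decoded else [],
        })
    return hits
```

The same host match can be applied to DNS or firewall logs; the body decoding only applies where the proxy records POST payloads.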

When the IP address is queried in SOCRadar’s Threat Hunting panel, it can be seen that it is blacklisted by SOCRadar.

IP query output from SOCRadar’s Threat Hunting panel in the CTI module (Source: SOCRadar)

When we examined the exposed data from the outputs, we observed that Truebot used this IP address on February 11, 2023.

Recent Attacks of CLOP Ransomware

As previously mentioned, the Clop ransomware gang publishes its claims on a Tor .onion page carrying the “CL0P^_-LEAKS” logo. It has made a large number of claims by exploiting the recently revealed CVE-2023-0669 vulnerability.

The main page of the Clop ransomware leak site

Because there were more claims than expected and no data had been exposed, the claims at first gave the impression of being fake. However, the recent confirmations by Rubrik and Hitachi Energy make it increasingly likely that they are real.

Screenshots about Hitachi and Pluralsight on the Clop leak site

One of the shares that supports the reality of the claims is the exposed data belonging to the 888voip domain.

Based on various posts confirming that this vulnerability is a pre-auth remote code injection, it can be assumed that customers running GoAnywhere MFT are still at risk.

Further support for the claim that the group is actively exploiting GoAnywhere MFT is that its domains are mentioned in the extensions of the leaked data, as seen in the screenshot taken from the Clop leak site below:

A domain showing that Clop exploits the CVE-2023-0669 vulnerability, from the updates section of its onion site

Another question that comes to mind is whether the group’s recent move to a new onion URL, which begins with the word “Santa,” is a message that they intend to share more of these claims and data.

Screenshot of Clop’s announcement of the new domain

Mitigations for Preventing CLOP Infection

A ransomware victim in the CLOP ransomware group website

When defending against ransomware/extortion cybercrime groups, CLOP should be handled the same as any other.

  • Think twice before opening email attachments or clicking on links. Do not open a file if it does not concern you or if the sender’s email address appears to be shady.
  • Avoid third-party downloaders, since they regularly deliver dangerous programs.
  • Remember that using unlicensed software is a form of piracy, and there is a high risk of infection because software cracking tools are regularly used to propagate malware.

MITRE ATT&CK TTPs of CLOP

The TTPs of the cl0p ransomware’s latest Linux variant can be found below.

(Hash value of the analyzed sample: 09d6dab9b70a74f61c41eaa485b37de9a40c86b6d2eae7413db11b4e6a8256ef)

Technique Name                                            ID
Unix Shell Configuration Modification                     T1546.004
Linux and Mac File and Directory Permissions Modification T1222.002
File Deletion                                             T1070.004
Virtualization/Sandbox Evasion                            T1497
System Information Discovery                              T1082
Email Collection                                          T1114
Ingress Tool Transfer                                     T1105
