The recent past has seen a sudden uptick of Cl0p ransomware related activity that affects various sectors including transportation and logistics, education, manufacturing, retail, energy, aerospace, telecommunications, professional and legal services, healthcare and large tech conglomerates spanning the US, Latin America, Canada, Europe, and Asia Pacific. Considering this surge in activity, Securin experts took a deep dive into the inner workings of Cl0p ransomware.

In This Article:

Snapshot of Cl0p Ransomware’s Past

The Cl0p ransomware gang is a variant of a previously existing ransomware strain called CryptoMix, first spotted in 2019, and has been previously linked to financially motivated advanced threat groups, TA505 (GRACEFUL SPIDER) and FIN11. 

In recent times, Cl0p ransomware has leveraged the Accellion File Transfer Appliance (FTA) zero-day in attacks, alongside the Solarwinds Serv-U FTP vulnerability, the GoAnywhere MFT zero-day vulnerability, the recently discovered PaperCut vulnerabilities as well as the newly discovered Progress MOVEit Transfer vulnerabilities. 

The new spike in attacks has brought Cl0p back into the limelight. 

Cl0p Ransomware Cheat Sheet

Securin experts have observed Cl0p ransomware exploiting a total of 13 vulnerabilities, including three recently-discovered MOVEit Transfer bugs, and two flaws affecting PaperCut print management solutions.

Our experts used Securin’s Vulnerability Intelligence platform for predictive analysis to identify the vulnerabilities and how likely they are to be exploited in future attacks. Here is a detailed analysis of the vulnerabilities exploited by Cl0p ransomware in their attacks:

CVE-2019-19781 - Citrix Application Delivery Controller (ADC) and Gateway 10.5 to 13.0 - CISA KEV, Trending - 12 Ransomware / 7 APT
CVE-2020-1472 - Netlogon Elevation of Privilege Vulnerability - CISA KEV, Trending - 9 Ransomware / 8 APT
CVE-2021-35211- SolarWinds Serv-U product Remote Memory Escape Vulnerability - CISA KEV, Trending - 1 Ransomware / 2 APT
CVE-2021-27101 - Accellion FTA 9_12_370 and earlier SQL injection vulnerability - CISA KEV, Trending - 1 Ransomware / 1 APT
CVE-2021-27102 - Accellion FTA 9_12_411 and earlier OS Command execution vulnerability - CISA KEV, Trending - 1 Ransomware / 1 APT
CVE-2021-27103 - Accellion FTA 9_12_411 and earlier SSRF vulnerability - CISA KEV -  1 Ransomware / 1 APT
CVE-2021-27104 - Accellion FTA 9_12_370 and earlier OS Command Execution vulnerability - CISA KEV, Trending - 1 Ransomware / 1 APT

Securin experts were able to warn customers about the likelihood of attacks leveraging this vulnerability, 365 days ahead of scanners like Nessus and Nexpose.

CVE-2023-0669 - Fortra GoAnywhere MFT pre-authentication command injection vulnerability - CISA KEV, Trending - 1 Ransomware / 1 APT

Securin experts were able to warn customers about the likelihood of attacks leveraging this vulnerability, six days ahead of Nessus and Qualys scanners.

CVE-2023-27350 - This vulnerability allows remote attackers to bypass authentication on affected installations of PaperCut NG 22.0.5 (Build 63914). - CISA KEV, Trending - 3 Ransomware / 3 APT

Securin experts were able to warn customers about the likelihood of attacks leveraging this vulnerability, five days ahead of Qualys scanners.

CVE-2023-27351 - This vulnerability allows remote attackers to bypass authentication on affected installations of PaperCut NG 22.0.5 (Build 63914). - Trending - 2 Ransomware / 1 APT

Securin experts were able to warn customers about the likelihood of attacks leveraging this vulnerability, five days ahead of Qualys scanners.

CVE-2023-34362 - This vulnerability allows unauthenticated remote attackers to gain access into Progress MOVEit Transfer server versions before 2021.0.6 (13.0.6), 2021.1.4 (13.1.4), 2022.0.4 (14.0.4), 2022.1.5 (14.1.5), and 2023.0.1 (15.0.1). - CISA KEV, Trending - 1 Ransomware / 2 APT

Cl0p’s announced in early June that they had been testing the now-patched MOVEit server vulnerabilities since 2021. Though still not ascertained if Cl0p is exploiting the following vulnerabilities, it is probable that they are.

CVE-2023-35036 - This vulnerability allows unauthenticated remote attackers to gain access into Progress MOVEit Transfer server versions before 2021.0.7 (13.0.7), 2021.1.5 (13.1.5), 2022.0.5 (14.0.5), 2022.1.6 (14.1.6), and 2023.0.2 (15.0.2). -  Trending - 1 Ransomware*
CVE-2023-35708 - This vulnerability allows unauthenticated remote attackers to gain access into Progress MOVEit Transfer server versions before 2021.0.8 (13.0.8), 2021.1.6 (13.1.6), 2022.0.6 (14.0.6), 2022.1.7 (14.1.7), and 2023.0.3 (15.0.3). -  Trending - 1 Ransomware*

Cl0p Ransomware Attack Methodology

Cl0p ransomware was first spotted by Securin experts delivering a final payload for a phishing campaign run by TA505. The phishing emails would lead victims to a macro-enabled document that would drop a loader called Get2. The loader would then download various tools such as FlawedGrace, FlawedAmmy and SDBot, that were leveraged by the threat actor. Upon gaining a foothold on a victim’s machine, reconnaissance was conducted parallelly, alongside lateral movement and data exfiltration, to prepare for deployment of the ransomware. The SDBot payload has been observed delivering Cl0p ransomware.

Once Cl0p ransomware is deployed, it activates several features like code signing, to help it avoid detection. The ransomware usually tries to kill several processes and services relating to backups or security solutions, and does not deploy if it detects being run in a virtual environment. 

Once the ransomware is injected into the system, a fake certificate is issued to grant executable rights to the Cl0p virus to elevate privileges and initiate a .bat file. The file then allows malware to overwrite and change system files. It also reads technical details such as computer names and shares them with the threat actors. The ransomware also creates a separate folder where more malicious files are implemented.

Cl0p ransomware then examines the victim computer for files to encrypt. Regularly used files such as .jpg, .mp3, .doc, etc are targeted in the encryption process. Once the encryption process is complete, all encrypted files get a .Clop extension to their titles and becomes impossible to access. 

The victims then need to pay the ransom amount in order to remove Cl0p ransomware and facilitate in unlocking the files and recovering the data. 

Cl0p Ransomware MITRE MAP with IOCs

Clop Ransomware IOCs
Domains

hxxp[:]//6v4q5w7di74grj2vtmikzgx2tnq5eagyg2cubpcnqrvvee2ijpmprzqd[.]onion

hxxp[:]//santat7kpllt6iyvqbr7q4amdv6dzrh6paatvyrzl7ry3zm72zigf4ad[.]onion

protected][.]com

codeload[.]github[.]com

hxxps://dsfdsfgb[.]azureedge[.]net/332_332/universupdatepluginx84.zipUnknown0c435aadaa3c42a71ad8ff80781def4c8ce085f960d75f15b6fee8df78b2ac38

hxxps://codeload[.]github[.]com/downloader2607/download64_12/zip/refs/heads/mainads[.]softupdt[.]com

hxxps://cdn[.]discordapp[.]com/attachments/1004390520904220838/1008127492449648762/Setup_64_11.zipUnknown

hxxps://spideroak[.]com/storage/OVPXG4DJMRSXE33BNNPWC5LUN5PTSMRTGAZTG/shared/5392194-1-1040/Setup_64_1.zip?b6755c86e52ceecf8d806bf814690691146[.]70[.]93[.]10f18a54ba72df1a17daf21b519ffeee8463cfc81c194a8759a698709f1c9a3e87

aviadronazhed[.]com

guteyutur[.]com

hxxp://27[.]70[.]196/km1

hxxp://91[.]38[.]135[.]67/km1

Emails unlock[@]support-mult.com
Emails unlock[@]rsv-box.com
IP Address 146[.]70[.]93[.]10
SHA-1 Hash

ba5c5b5cbd6abdf64131722240703fb585ee8b56

4fa2b95b7cde72ff81554cfbddc31bbf77530d4d

ac71b646b0237b487c08478736b58f208a98eebf

77ea0fd635a37194efc1f3e0f5012a4704992b0e

a1a628cca993f9455d22ca2c248ddca7e743683e

40b7b386c2c6944a6571c6dcfb23aaae026e8e82

46b02cc186b85e11c3d59790c3a0bfd2ae1f82a5

a6e940b1bd92864b742fbd5ed9b2ef763d788ea7

SHA-256 Hash

09d6dab9b70a74f61c41eaa485b37de9a40c86b6d2eae7413db11b4e6a8256ef

d1224c08da923517d65c164932ef8d931633e5376f74bf0655b72d559cc32fd2

0b214297e87360b3b7f6d687bdd7802992bc0e89b170d53bf403e536e07e396e

0c435aadaa3c42a71ad8ff80781def4c8ce085f960d75f15b6fee8df78b2ac38

09247f88d47b69e8d50f0fe4c10c7f0ecc95c979a38c2f7dfee4aec3679b5807

a9d5ec72fad42a197cbadcb1edc6811e3a8dd8c674df473fd8fa952ba0a23c15

e8d98621b4cb45e027785d89770b25be0c323df553274238810872164187a45f

8e91f3294883fbdc31ff17c3075f252cbfdc1fc9145c6238468847f86d590418

d1c04608546caf39761a0e390d8f240faa4fc821eea279f688b15d0b2cfc9729

3320f11728458d01eef62e10e48897ec1c2277c1fe1aa2d471a16b4dccfc1207

eba8a0fe7b3724c4332fa126ef27daeca32e1dc9265c8bc5ae015b439744e989

cf0a24f1cdf5258c132102841d5b13e1c6978d9316ba4005076606dc60ec761b

389e03b1a1fd1c527d48df74d3c26a0483a5b105f36841193172f1ee80e62c1b

85c42e1504bdce63c59361fb9b721a15a80234e0272248f9ed7eb5f9ba7b3203

cb36503c08506fca731f0624fda1f7462b7f0f025a408596db1207d82174796a

af1d155a0b36c14626b2bf9394c1b460d198c9dd96eb57fac06d38e36b805460

ad320839e01df160c5feb0e89131521719a65ab11c952f33e03d802ecee3f51f

Interesting Trends

  • Linux Malware Flaw: The Linux malware that was used in the 2022 attacks seems to have a flaw in the encryption scheme that has allowed the victims to recover their files for free for several months. The Cl0p Linux malware is considered an early prototype as it is plagued by several flaws and still does not have proper obfuscation and evasiveness mechanisms in place.
  • Direct Emails to Victims: The Cl0p ransomware gang pioneered an innovation by pushing more victims into paying an extortion demand by simply emailing the victim’s customers and partners directly, warning of probable data leaks onto the dark web unless ransom demands were met.
  • Novel Ransom Payment Schemes: Several new methods for infecting victims and convincing them to pay are constantly devised by ransomware groups. One method revolved around healthcare organizations offering consultations over the Internet, where booby-trapped medical records would be sent to the centers posing as ‘patients’. The second method involved carefully editing email inboxes of public company executives to make it appear that some kind of insider trading was involved. The methods were leveraged by the Cl0p group in accordance with a newer ransomware affiliate, Venus.
  • Cyber Police Arrests in Ukraine: The Ukrainian police arrested 21 people who are likely members of or affiliates of the Cl0p ransomware gang. The hackers had targeted foreign businesses based in the United States and South Korea, used double extortion techniques, dropped the FlawedAmmyy RAT and used Cl0p encryption software to decipher stolen data.
  • Disabling Windows Defender: Cl0p ransomware, formerly known as CryptoMix ransomware, devised a way to disable Windows Defender as well as remove the Microsoft Security Essentials anti-ransomware programs.
  • FIN7 uses Cl0p Ransomware: APT Group FIN7 was observed dropping Cl0p Ransomware in attacks in April 2023, its first campaign since 2021. The FIN7 attackers utilized a PowerShell-based POWERTRASH in-memory malware dropper to deploy Lizar post-exploitation tool on compromised devices.
  • Malware Variant Targeting Linux: The Cl0p ransomware gang first used the malware variant that specifically targets Linux servers during an attack against a university in Colombia in December 2022.
  • Using TrueBot malware in attacks: Securin researchers noticed a spike in infected devices with TrueBot malware downloader, created by a Russian hacking group called Silence. While conducting the analysis our researchers found that Cl0p ransomware used TrueBot malware to access networks in an attack. TrueBot, typically is a first-stage module that collects information and takes screenshots, and helps in exfiltration of Active Directory trust relations information that enhances a threat actor’s post-infection activity. In the second phase, a C2 server instructs TrueBot to load shellcode or DLLs in memory, download EXEs, BATs, PS1 files, uninstall itself or execute other modules. In its post-compromise phase, TrueBot is used to drop Cobalt Strike beacons or FlawedGrace or GraceWire malware that is attributed to the TA505 threat group.
  • Operation Cyclone: An international law enforcement operation led by Interpol, with a duration of 30 months, was launched targeting members of the Cl0p ransomware group, leading to the arrest of six key members of the gang and recovery of $185,000 worth of assets.
  • Cl0p uses Raspberry Robin Worm in Attacks: In October 2022, Microsoft researchers observed Raspberry Robin infections after Cobalt Strike beacons were dropped by a threat actor tagged as DEV-0950. DEV-0950’s activity also involved a TrueBot infection that eventually deployed Cl0p ransomware.

Cl0p Ransomware - Prevention and Cure

The Cl0p ransomware group has become ever more prolific after the exploitation of the MOVEit Transfer and GoAnywhere MFT vulnerabilities and has been gaining preference as a favored payload for many threat actors. With this in mind, here are some measures that organizations can adopt to stay safe from a ransomware attack.

  • Patch the vulnerabilities used by the group, and ensure no unused ports/instances are left hanging. 
  • Ensure that they tune into and follow weekly threat intelligence updates by cybersecurity providers to stay on track with latest developments.
  • Set up multi-factor authentication, implement session timeouts, and practice good password hygiene.
  • Perform a regular Attack Surface Management scan to discover exposures in your assets, domain controllers, active directories, servers, and all cloud-connected deployments.
  • Perform a penetration test on your systems to identify if they are vulnerable via unidentified exposures.
  • Regularly back up data in secure storage devices.

How We Can Help?

Securin has been researching ransomware groups and the methods they use to invade networks since 2019. Our comprehensive database of more than 359 vulnerabilities (and counting) used by ransomware groups is the most extensive compilation in the industry today. Securin’s expertise in ransomware research translates into our Ransomware reports and Ransomware Assessment service that can help organizations increase their security posture.

Share This Post On