The recent past has seen a sudden uptick of Cl0p ransomware related activity that affects various sectors including transportation and logistics, education, manufacturing, retail, energy, aerospace, telecommunications, professional and legal services, healthcare and large tech conglomerates spanning the US, Latin America, Canada, Europe, and Asia Pacific. Considering this surge in activity, Securin experts took a deep dive into the inner workings of Cl0p ransomware.
In This Article:
Snapshot of Cl0p Ransomware’s Past
The Cl0p ransomware gang is a variant of a previously existing ransomware strain called CryptoMix, first spotted in 2019, and has been previously linked to financially motivated advanced threat groups, TA505 (GRACEFUL SPIDER) and FIN11.
In recent times, Cl0p ransomware has leveraged the Accellion File Transfer Appliance (FTA) zero-day in attacks, alongside the Solarwinds Serv-U FTP vulnerability, the GoAnywhere MFT zero-day vulnerability, the recently discovered PaperCut vulnerabilities as well as the newly discovered Progress MOVEit Transfer vulnerabilities.
The new spike in attacks has brought Cl0p back into the limelight.
Cl0p Ransomware Cheat Sheet
Securin experts have observed Cl0p ransomware exploiting a total of 13 vulnerabilities, including three recently-discovered MOVEit Transfer bugs, and two flaws affecting PaperCut print management solutions.
Our experts used Securin’s Vulnerability Intelligence platform for predictive analysis to identify the vulnerabilities and how likely they are to be exploited in future attacks. Here is a detailed analysis of the vulnerabilities exploited by Cl0p ransomware in their attacks:
CVE-2019-19781 - Citrix Application Delivery Controller (ADC) and Gateway 10.5 to 13.0 - CISA KEV, Trending - 12 Ransomware / 7 APT
CVE-2020-1472 - Netlogon Elevation of Privilege Vulnerability - CISA KEV, Trending - 9 Ransomware / 8 APT
CVE-2021-35211- SolarWinds Serv-U product Remote Memory Escape Vulnerability - CISA KEV, Trending - 1 Ransomware / 2 APT
CVE-2021-27101 - Accellion FTA 9_12_370 and earlier SQL injection vulnerability - CISA KEV, Trending - 1 Ransomware / 1 APT
CVE-2021-27102 - Accellion FTA 9_12_411 and earlier OS Command execution vulnerability - CISA KEV, Trending - 1 Ransomware / 1 APT
CVE-2021-27103 - Accellion FTA 9_12_411 and earlier SSRF vulnerability - CISA KEV - 1 Ransomware / 1 APT
CVE-2021-27104 - Accellion FTA 9_12_370 and earlier OS Command Execution vulnerability - CISA KEV, Trending - 1 Ransomware / 1 APT
Securin experts were able to warn customers about the likelihood of attacks leveraging this vulnerability, 365 days ahead of scanners like Nessus and Nexpose.
CVE-2023-0669 - Fortra GoAnywhere MFT pre-authentication command injection vulnerability - CISA KEV, Trending - 1 Ransomware / 1 APT
Securin experts were able to warn customers about the likelihood of attacks leveraging this vulnerability, six days ahead of Nessus and Qualys scanners.
CVE-2023-27350 - This vulnerability allows remote attackers to bypass authentication on affected installations of PaperCut NG 22.0.5 (Build 63914). - CISA KEV, Trending - 3 Ransomware / 3 APT
Securin experts were able to warn customers about the likelihood of attacks leveraging this vulnerability, five days ahead of Qualys scanners.
CVE-2023-27351 - This vulnerability allows remote attackers to bypass authentication on affected installations of PaperCut NG 22.0.5 (Build 63914). - Trending - 2 Ransomware / 1 APT
Securin experts were able to warn customers about the likelihood of attacks leveraging this vulnerability, five days ahead of Qualys scanners.
CVE-2023-34362 - This vulnerability allows unauthenticated remote attackers to gain access into Progress MOVEit Transfer server versions before 2021.0.6 (13.0.6), 2021.1.4 (13.1.4), 2022.0.4 (14.0.4), 2022.1.5 (14.1.5), and 2023.0.1 (15.0.1). - CISA KEV, Trending - 1 Ransomware / 2 APT
Cl0p’s announced in early June that they had been testing the now-patched MOVEit server vulnerabilities since 2021. Though still not ascertained if Cl0p is exploiting the following vulnerabilities, it is probable that they are.
CVE-2023-35036 - This vulnerability allows unauthenticated remote attackers to gain access into Progress MOVEit Transfer server versions before 2021.0.7 (13.0.7), 2021.1.5 (13.1.5), 2022.0.5 (14.0.5), 2022.1.6 (14.1.6), and 2023.0.2 (15.0.2). - Trending - 1 Ransomware*
CVE-2023-35708 - This vulnerability allows unauthenticated remote attackers to gain access into Progress MOVEit Transfer server versions before 2021.0.8 (13.0.8), 2021.1.6 (13.1.6), 2022.0.6 (14.0.6), 2022.1.7 (14.1.7), and 2023.0.3 (15.0.3). - Trending - 1 Ransomware*
Cl0p Ransomware Attack Methodology
Cl0p ransomware was first spotted by Securin experts delivering a final payload for a phishing campaign run by TA505. The phishing emails would lead victims to a macro-enabled document that would drop a loader called Get2. The loader would then download various tools such as FlawedGrace, FlawedAmmy and SDBot, that were leveraged by the threat actor. Upon gaining a foothold on a victim’s machine, reconnaissance was conducted parallelly, alongside lateral movement and data exfiltration, to prepare for deployment of the ransomware. The SDBot payload has been observed delivering Cl0p ransomware.
Once Cl0p ransomware is deployed, it activates several features like code signing, to help it avoid detection. The ransomware usually tries to kill several processes and services relating to backups or security solutions, and does not deploy if it detects being run in a virtual environment.
Once the ransomware is injected into the system, a fake certificate is issued to grant executable rights to the Cl0p virus to elevate privileges and initiate a .bat file. The file then allows malware to overwrite and change system files. It also reads technical details such as computer names and shares them with the threat actors. The ransomware also creates a separate folder where more malicious files are implemented.
Cl0p ransomware then examines the victim computer for files to encrypt. Regularly used files such as .jpg, .mp3, .doc, etc are targeted in the encryption process. Once the encryption process is complete, all encrypted files get a .Clop extension to their titles and becomes impossible to access.
The victims then need to pay the ransom amount in order to remove Cl0p ransomware and facilitate in unlocking the files and recovering the data.
Cl0p Ransomware MITRE MAP with IOCs
Interesting Trends
-
Cl0p Ransomware likes to MOVEit: Cl0p ransomware claimed responsibility of using the now-patched MOVEit zero-day vulnerability, and has led to 106 organizations worldwide being affected by the exploitation.
Read our MOVEit vulnerabilities article to learn more.
- Linux Malware Flaw: The Linux malware that was used in the 2022 attacks seems to have a flaw in the encryption scheme that has allowed the victims to recover their files for free for several months. The Cl0p Linux malware is considered an early prototype as it is plagued by several flaws and still does not have proper obfuscation and evasiveness mechanisms in place.
- Direct Emails to Victims: The Cl0p ransomware gang pioneered an innovation by pushing more victims into paying an extortion demand by simply emailing the victim’s customers and partners directly, warning of probable data leaks onto the dark web unless ransom demands were met.
- Novel Ransom Payment Schemes: Several new methods for infecting victims and convincing them to pay are constantly devised by ransomware groups. One method revolved around healthcare organizations offering consultations over the Internet, where booby-trapped medical records would be sent to the centers posing as ‘patients’. The second method involved carefully editing email inboxes of public company executives to make it appear that some kind of insider trading was involved. The methods were leveraged by the Cl0p group in accordance with a newer ransomware affiliate, Venus.
- Cyber Police Arrests in Ukraine: The Ukrainian police arrested 21 people who are likely members of or affiliates of the Cl0p ransomware gang. The hackers had targeted foreign businesses based in the United States and South Korea, used double extortion techniques, dropped the FlawedAmmyy RAT and used Cl0p encryption software to decipher stolen data.
- Disabling Windows Defender: Cl0p ransomware, formerly known as CryptoMix ransomware, devised a way to disable Windows Defender as well as remove the Microsoft Security Essentials anti-ransomware programs.
- FIN7 uses Cl0p Ransomware: APT Group FIN7 was observed dropping Cl0p Ransomware in attacks in April 2023, its first campaign since 2021. The FIN7 attackers utilized a PowerShell-based POWERTRASH in-memory malware dropper to deploy Lizar post-exploitation tool on compromised devices.
- Malware Variant Targeting Linux: The Cl0p ransomware gang first used the malware variant that specifically targets Linux servers during an attack against a university in Colombia in December 2022.
- Using TrueBot malware in attacks: Securin researchers noticed a spike in infected devices with TrueBot malware downloader, created by a Russian hacking group called Silence. While conducting the analysis our researchers found that Cl0p ransomware used TrueBot malware to access networks in an attack. TrueBot, typically is a first-stage module that collects information and takes screenshots, and helps in exfiltration of Active Directory trust relations information that enhances a threat actor’s post-infection activity. In the second phase, a C2 server instructs TrueBot to load shellcode or DLLs in memory, download EXEs, BATs, PS1 files, uninstall itself or execute other modules. In its post-compromise phase, TrueBot is used to drop Cobalt Strike beacons or FlawedGrace or GraceWire malware that is attributed to the TA505 threat group.
- Operation Cyclone: An international law enforcement operation led by Interpol, with a duration of 30 months, was launched targeting members of the Cl0p ransomware group, leading to the arrest of six key members of the gang and recovery of $185,000 worth of assets.
- Cl0p uses Raspberry Robin Worm in Attacks: In October 2022, Microsoft researchers observed Raspberry Robin infections after Cobalt Strike beacons were dropped by a threat actor tagged as DEV-0950. DEV-0950’s activity also involved a TrueBot infection that eventually deployed Cl0p ransomware.
Cl0p Ransomware - Prevention and Cure
The Cl0p ransomware group has become ever more prolific after the exploitation of the MOVEit Transfer and GoAnywhere MFT vulnerabilities and has been gaining preference as a favored payload for many threat actors. With this in mind, here are some measures that organizations can adopt to stay safe from a ransomware attack.
- Patch the vulnerabilities used by the group, and ensure no unused ports/instances are left hanging.
- Ensure that they tune into and follow weekly threat intelligence updates by cybersecurity providers to stay on track with latest developments.
- Set up multi-factor authentication, implement session timeouts, and practice good password hygiene.
- Perform a regular Attack Surface Management scan to discover exposures in your assets, domain controllers, active directories, servers, and all cloud-connected deployments.
- Perform a penetration test on your systems to identify if they are vulnerable via unidentified exposures.
- Regularly back up data in secure storage devices.
How We Can Help?
Securin has been researching ransomware groups and the methods they use to invade networks since 2019. Our comprehensive database of more than 359 vulnerabilities (and counting) used by ransomware groups is the most extensive compilation in the industry today. Securin’s expertise in ransomware research translates into our Ransomware reports and Ransomware Assessment service that can help organizations increase their security posture.