
Cl0p Unleashed: Unraveling Massive-Scale Attacks and Exploitation Strategies

Research and Analysis Aug 16, 2023

Origin: February 2019

Aliases: Cl0p, CryptoMix, TA505

Targeted Sectors: Retail, Transportation, Education, Manufacturing, Energy, Financial, Telecommunications, Legal Services, and Healthcare

Targeted Regions: North America, Eastern Europe, Western Europe, Western Asia, Eastern Asia, South-East Asia

Motivation: Ransom, Data theft

Common Infection Vectors: Phishing, Spam Email

Introduction

Cl0p is a ransomware strain that first appeared in February 2019 and is believed to have evolved from the CryptoMix ransomware. Its lineage can be traced back to the financially motivated actor TA505. The group is known for the double extortion tactic: it steals and encrypts data, then threatens to leak the stolen data on its CL0P^_-LEAKS site. This model served the group well for its first two years, during which it relied on macro-enabled documents employing the Get2 malware dropper. Later, it shifted to pursuing data exfiltration attacks only.

Over the last few years, Cl0p actors have rocked the cybersecurity world with massive-scale attacks impacting multiple organizations in the United States and across the globe. The attacks on Accellion FTA servers, followed by the abuse of a zero-day in the MOVEit Transfer tool, define this threat beyond dispute. At least 545 organizations, including government agencies and renowned private organizations, appear to have been directly or indirectly affected by Cl0p's MOVEit attack spree alone.

Tactics, Techniques, and Procedures (TTPs)

Cl0p is written in C++ and developed to target 32-bit Windows operating systems. The executable is packed, which helps hide its functionality. It encrypts files using an RSA 1024-bit public key along with RC4, using 117 bytes of the public key.

Cl0p spreads via phishing campaigns or spam emails in which malicious links are disguised as software updates or legitimate emails. In one instance, a report in December 2022 asserted that the Russian-speaking threat group Silence disseminated the Cl0p ransomware using TrueBot malware.

A key method used by this malware for initial access is the exploitation of zero-day flaws.

  • In December 2020, the group breached the security of the Accellion File Transfer Appliance (FTA) using vulnerabilities identified as CVE-2021-27104, CVE-2021-27102, CVE-2021-27101, and CVE-2021-27103.

  • In November 2021, the group was found exploiting a SolarWinds Serv-U vulnerability (CVE-2021-35211).

  • In February 2023, the Cl0p ransomware group exploited a zero-day vulnerability (CVE-2023-0669) in the GoAnywhere MFT secure file transfer tool, and claimed to steal data from over 130 organizations.

  • In June 2023, the TA505 threat group used Cl0p ransomware to exploit a vulnerability (CVE-2023-34362) in MOVEit Transfer. After some targeted firms failed to pay the ransom, their stolen data was leaked on the group's ‘CL0P^_-LEAKS’ site, hosted on the dark web.

In a different tactic, the Cl0p group was observed attempting to disable Windows Defender, Microsoft Security Essentials, and anti-ransomware programs.

Once a network is compromised, the group uses Remote Desktop Protocol (RDP) connections for remote access and deploys Cobalt Strike for lateral movement. It then proceeds to encryption, after which each encrypted file’s extension is changed to ‘Cl0p’ and the victim is shown a ransom note named README[.]TXT. The note states that Shadow Volume Copies have been deleted and that the decryption key is available only from the ransomware group, and claims that all files will be deleted after two weeks.
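A defender-side triage script for the post-encryption artefacts named above (files renamed with the ‘Cl0p’ extension and a README.TXT note dropped beside them), added here as an example and not part of the original briefing. The verdict thresholds and the sample paths are constructed assumptions, not observed victim data.

```python
import os
from collections import defaultdict

# Indicator names taken from the briefing, matched case-insensitively.
RANSOM_NOTE = "readme.txt"
ENCRYPTED_EXT = ".cl0p"


def classify_paths(paths):
    """Group renamed files and ransom notes by directory; returns only dirs with hits."""
    hits = defaultdict(lambda: {"encrypted": [], "notes": []})
    for path in paths:
        directory, name = os.path.split(path)
        lowered = name.lower()
        if lowered.endswith(ENCRYPTED_EXT):
            hits[directory]["encrypted"].append(name)
        elif lowered == RANSOM_NOTE:
            hits[directory]["notes"].append(name)
    return dict(hits)


def assess(hits, min_encrypted=3):
    """Return (verdict, encrypted_count, note_count) for a classify_paths() result.
    A note next to renamed files is the strong signal; many renamed files alone are
    still alert-worthy (notes may be dropped last); a lone README.TXT is ignored."""
    encrypted = sum(len(v["encrypted"]) for v in hits.values())
    notes = sum(len(v["notes"]) for v in hits.values())
    if any(v["notes"] and v["encrypted"] for v in hits.values()):
        return "likely-cl0p", encrypted, notes
    if encrypted >= min_encrypted:
        return "suspicious", encrypted, notes
    return "clean", encrypted, notes


def scan_directory(root):
    """Walk a real directory tree and assess it (os.walk yields native paths)."""
    paths = (os.path.join(d, f) for d, _, files in os.walk(root) for f in files)
    return assess(classify_paths(paths))


# Constructed sample paths (not real victim data); forward slashes keep os.path portable.
SAMPLE_PATHS = [
    "C:/Users/alice/Documents/budget.xlsx.Cl0p",
    "C:/Users/alice/Documents/plan.docx.Cl0p",
    "C:/Users/alice/Documents/README.TXT",
    "C:/Users/alice/Pictures/holiday.jpg",
    "C:/Users/alice/Pictures/readme.txt",  # lone note, no renamed files beside it
]
```

Running `assess(classify_paths(SAMPLE_PATHS))` yields a `likely-cl0p` verdict because the Documents folder holds both renamed files and a note; `scan_directory()` applies the same logic to a live file share.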

Victimology

Cl0p ransomware mostly targets organizations with a revenue of $5 million USD or higher. One of its most notorious operations was the attack on Software AG in October 2020, which gained the spotlight as the first reported ransom demand exceeding $20 million. The ransomware group is believed to have extorted more than $500 million from different organizations up to November 2021.

The Cl0p group targets a broad range of businesses across the education, retail, transportation, logistics, healthcare, manufacturing, automotive, engineering, energy, aerospace, telecommunications, legal services, financial, and technology sectors.

Attack insights

According to a report by SOCRadar published in July 2023, the top three industries targeted by Cl0p were Finance (21.38%), Information Technology (18.62%), and Manufacturing (13.45%).

  • A majority of attacks (totaling 77.3%) were concentrated on the U.S. (60.7%), the U.K. (6.6%), Canada (5.2%), and Germany (4.8%).

  • A previous report from NCC Group in 2022 had identified the industrial sector (45% of attacks) and the tech sector (27% of attacks) as the most targeted sectors.

  • The most targeted countries include Switzerland, the U.K., Belgium, the U.S., the Netherlands, Croatia, Puerto Rico, Germany, Turkey, Russia, Denmark, Mexico, Canada, and the Dominican Republic.

Some of the notable victims include:

  • Cl0p disrupted business operations at INA Group, an oil company.

  • The ransomware group allegedly stole 2 million credit cards from E-Land Retail.

  • An ad agency identified as the7stars had its files dumped online by the Cl0p ransomware group.

  • Morgan Stanley, New South Wales Health (Australia), energy giant Shell, the Universities of California, Colorado, and Miami, and the cities of Chicago and Toronto disclosed data breaches stemming from their Accellion FTA servers.

  • Swire Pacific Offshore was targeted in a cyberattack by the Cl0p ransomware group.

  • It added Universidad De La Salle to its leak page and posted images of passports.

  • In June 2023, the networks of more than 500 companies were compromised after the Cl0p group exploited the MOVEit SQLi zero-day. The victims include the U.S. government departments of Energy and Agriculture, as well as the Office of Personnel Management, British communications regulator Ofcom, the government of Canadian province Nova Scotia, the Teachers Insurance and Annuity Association of America, and Louisiana and Oregon's registries of motor vehicles.

Disappearing and Reappearing

It was all fun and games for the group until another ransomware group pulled off a major cyberattack targeting Colonial Pipeline on May 7, 2021. After remarks by President Biden on the attack, almost all major ransomware groups went into hiding, and Cl0p was among them. The operators shut down ransomware operations for a few months, fearing an international law enforcement operation coordinated by INTERPOL against DarkSide, the group that disrupted Colonial Pipeline operations. After a hiatus of nearly eight months, security experts started noticing Cl0p’s activities again, and a month later, in March 2022, Cl0p re-entered the list of top malware infections.

Association with other groups

Cl0p, the successor of the CryptoMix ransomware, is known for its associations with other ransomware groups.

  • In October 2022, a threat group dubbed ‘DEV-0950’ was found to have used Cl0p ransomware. The Cl0p group’s malicious activity also overlaps with FIN11 and TA505.

  • In March 2023, a Secureworks incident response engagement disclosed another group, FIN7, using the ransomware.

Prevention

To stay protected from the Cl0p ransomware, organizations are advised to build a multi-layered cyber defense infrastructure. This includes appropriate security hygiene practices, such as not opening unsolicited email attachments or clicking untrustworthy links. Because this threat relies on the exploitation of known vulnerabilities, it is crucial to keep applications and systems patched and up to date. Organizations should also invest in modern security solutions that detect and eliminate malware before any harm is done. Cyber Fusion is one such approach: it integrates threat intelligence across all aspects of security operations to help organizations tackle pertinent threats, giving them 360-degree threat visibility and enabling proactive threat actioning.

Conclusion

The technical analysis reveals Cl0p's packed executable and its distinct launch methods for encryption. Cl0p's pursuit of ransom payments is underscored by its adaptability in tactics, making it a trendsetter in the ransomware landscape. As that landscape continues to evolve, organizations must adopt a multi-layered cyber defense infrastructure, prioritize security hygiene practices, and maintain up-to-date systems to mitigate the Cl0p threat.

Indicators of Compromise

MOVEit campaign

SHA256 file hashes

IP addresses
