Clop (cyber gang)

Clop (sometimes written “Cl0p”) is a cybercriminal organization known for its multilevel extortion techniques and global malware distribution. It has extorted more than $500 million in ransom payments, targeting major organizations worldwide. Clop gained notoriety in 2019 and has since conducted high-profile attacks, using large-scale phishing campaigns and sophisticated malware to infiltrate networks and demand ransom, threatening to expose data if demands are not met.

Clop increasingly uses pure extortion approaches with "encryption-less ransomware". It also employs more complex attacks, such as zero-day, that have a significant impact and allows them to demand higher ransom payments.

Description
Clop is a Russian-speaking ransomware gang. According to the US Cybersecurity and Infrastructure Security Agency (CISA), Clop is "driving global trends in criminal malware distribution". Clop avoids targets in former Soviet countries and its malware can't breach a computer that operates primarily in Russian.

In 2023, Clop uses more and more pure extortion approaches with "encryption-less ransomware" that skips the encryption process but still threatens to leak data if a ransom is not paid. This technique allows threat actors to achieve the same results and generate larger profits.

Clop is used to conducting malicious activities during holidays, when the number of staff members present in companies tends to be at its lowest. This is the case of the Accellion FTA software attack on December 23, 2020, and MOVEit attack during the summer 2023.

The cybercriminals declared to Bleeping Computer to have erased "right away" data concerning "the military, children's hospitals, GOV etc".

First exploits
The gang was first spotted by researchers in February 2019. It evolved as a variant of the "CryptoMix" ransomware family. Clop is an example of ransomware as a service (RaaS). Clop ransomware used a verified and digitally signed binary, which made it look like a legitimate executable file that could evade security detection.

In December 2019, the group attacked Maastricht University. The ransomware encrypted almost all Windows systems used by Maastricht University, making it impossible for students and staff members to access any university online services during the Christmas break. The offenders set a ransom, which allowed a decryption of the university systems after Maastricht University paid €200,000 in a Bitcoin transfer. The lessons resumed with no delays on 6 January, with most online services again available to both students and staff members. In 2020, the public prosecutor service seized the cryptocurrency account in which the ransom was paid. Once the ransom was converted from Bitcoin to Euros, the university was able to recover €500,000, double of what was paid.

Accellion FTA attack (2020)
Accellion, a company providing a legacy File Transfer Appliance (FTA), experienced a series of data breaches in mid-December 2020. Threat actors took advantage of zero-day vulnerabilities and a web shell known as DEWMODE to breach the systems of up to 100 companies using Accellion's FTA. The stolen data included sensitive files.

The attacks were attributed to the Clop ransomware gang and the FIN11 threat group, although no ransomware was deployed during these specific incidents. After exfiltrating the data, the attackers threatened to make the stolen information public unless a ransom was paid. Several organizations were identified as victims of these breaches, including Kroger, Singtel, QIMR Berghofer Medical Research Institute, Reserve Bank of New Zealand, ASIC, and the Office of the Washington State Auditor, among others.

GoAnywhere MFT attack (2023)
In January 2023, the gang claimed responsibility for breaching over 130 organizations by exploiting a zero-day vulnerability in the GoAnywhere MFT secure file transfer tool. This security flaw, identified as CVE-2023-0669, allows attackers to execute remote code on unpatched instances of GoAnywhere MFT that have their administrative console exposed to the Internet.

MOVEit exploitation (2023)
In 2023, Clop employs more complex attacks that make significant impacts and allow them to demand higher ransom payments. Specifically, the Clop gang targeted data theft by exploiting a zero-day vulnerability in MOVEit Transfer. Their objective is to overcome the overall decline in ransom payments by demanding substantial amounts from their victims.

In 2023, the gang claims credit for the following hack : BBC and British Airways, Estee Lauder companies, 1st Source, First National Bankers Bank (USA), Putnam Investments (USA), Landal Greenparks (Netherlands), Shell (UK), the New York City Department of Education, and Ernst & Young.

As of July 2023, the Clop ransomware gang is projected to earn an estimated $75-100 million from their extortion attacks using the MOVEit Transfer vulnerability.

Methods
Clop uses big phishing campaigns. The emails contain HTML attachments that redirect recipients to a macro-enabled document used to install a loader named Get2. This loader facilitates the download of other tools such as SDBOT, FlawedAmmyy, and Cobalt Strike. Once in the system, the gang proceeds to reconnaissance, lateral movement, and exfiltration to set the stage for the deployment of their ransomware. Then Clop coerces their victim by sending emails in a bid for negotiations. If their messages are ignored, they threaten to publicize the data on their data leak website “Cl0p^_-Leaks”.

Clop has more recently been reported to use TrueBot malware for access to networks. The loader deployed by the "Silence" hacker group, affects over 1,500 systems worldwide in 2023.