Given that ransomware, particularly Ransomware-as-a-Service (RaaS), is having a significant influence on the contemporary digital world, and that the MOVEit attacks have dominated the news cycle, it is imperative to stay informed.
As a result, we reviewed Clop, the threat actor behind the MOVEit attack. This includes their background, connected recent attacks, certain technical features of the ransomware, and Gemserv’s security recommendations against such attacks.
How did the Clop Ransomware Gang Begin?
Derived from the Russian word ‘klop’ meaning ‘bedbug’, Clop is a ransomware family first observed in February 2019. It has been used against a wide number of industries globally – with an estimated $500m in extorted funds as of November 2021. The Clop gang paradoxically presents itself as a “friendly” Ransomware actor who chooses its victims carefully and works to minimise disruption to critical national infrastructure.
Clop took a major hit when a joint operation between Ukraine, the US and South Korea led to several arrests of alleged Clop members in Ukraine. The operation severely disrupted the gang between November 2021 and February 2022. However, they have been recovering and climbing the ‘ransomware charts’ since then. As of Q2 2023, they are only narrowly behind ALPHV by number of victims, but still a long way behind LockBit 3.0, which has three times as many. Unlike some RaaS groups, Clop has no qualms about targeting the healthcare sector: approximately 959 attack detections against the healthcare industry as of January 2022, compared with 150 for the nearest sector, Finance.
In March 2020, the threat actors decided to launch ‘Cl0p- Leaks’, a leak site. This Tor-based blog is where victims’ private information is made public if they refuse to pay the ransom or comply with threats. The threat actors behind Clop also deploy several extortion strategies, including targeting the workstations of senior executives, ‘doxing’ workers, and alerting the media to security vulnerabilities.
Recent Attacks Attributed to Clop Ransomware
MOVEit (June 2023): As stated previously, Clop claimed responsibility for the MOVEit attacks, which involved the exploitation of a zero-day vulnerability. This impacted staff in at least 8 organisations across the UK, including British Airways (BA), the BBC and Boots. The vulnerability in the MOVEit file transfer software is a SQL injection flaw leading to remote code execution. The software is used by Zellis, which handles the HR services of the organisations affected.
Over 100,000 employees across the firms have been informed that payroll data may have been stolen, along with contact information, financial information and National Insurance numbers. While Clop says on its leak site that it has destroyed all data from government, military and children’s hospitals because “we have no interest in exposing that information,” it has pledged to expose the names of its business victims on its dark web blog the following week (June 14 2023).
It is expected that more companies will come forward as the situation develops, as Clop claims to hold ‘hundreds of companies’ data from the attacks and is likely to be evaluating its worth.
South Staffordshire Water (August 2022): Cl0p claimed to have stolen 5TB of staff data from South Staffordshire Water, a company that provides drinking water to about 1.3 million people. This data included scanned copies of passports and ID cards. Rather than encrypting systems to block access to data or halt corporate operations, the attackers in this case opted for extortion tactics that are becoming more common among hackers: leaking part of the stolen material, humiliating the victim in public, and threatening further repercussions if the ransom is not paid. In this instance, Thames Water was originally named on the leak site rather than South Staffordshire Water, with experts speculating that the misidentification of the victim was a ploy to demand a bigger payment from a larger water supplier.
Clop Technical Aspects
- A variant of the CryptoMix ransomware family.
- Attempts to kill several processes and services related to backups and security solutions.
- Will not execute if it detects it is running in a virtual environment.
- Targets the entire network by compromising Active Directory.
- If executed, Clop appends the .clop extension or a variation thereof to the victim’s files, such as ‘.CIIp’, ‘.Cllp’ and ‘.C_L_O_P’.
- Leverages Code Signing to evade detection.
- MITRE ATT&CK Profile.
- MITRE ATT&CK Navigator techniques.
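As an added example (not code from the article or from Gemserv), the following Python detector scans file-rename events for the Clop extension variants listed above and alerts when one host shows a burst of such renames, a pattern a SIEM rule could mirror. The log format, sample events, time window and threshold are all assumptions constructed for the illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Extension variants attributed to Clop above; matched case-insensitively.
CLOP_EXTENSIONS = {".clop", ".ciip", ".cllp", ".c_l_o_p"}

# Constructed sample rename events: timestamp, host, old path -> new path.
# The format is hypothetical, not any product's real log schema.
SAMPLE_EVENTS = """\
2023-06-01T10:00:01Z srv-files RENAME C:\\Share\\q1.xlsx -> C:\\Share\\q1.xlsx.CIIp
2023-06-01T10:00:02Z srv-files RENAME C:\\Share\\q2.xlsx -> C:\\Share\\q2.xlsx.CIIp
2023-06-01T10:00:02Z srv-files RENAME C:\\Share\\hr.docx -> C:\\Share\\hr.docx.CIIp
2023-06-01T10:00:03Z srv-files RENAME C:\\Share\\img.png -> C:\\Share\\img.png.CIIp
2023-06-01T10:00:03Z srv-files RENAME C:\\Share\\a.pdf -> C:\\Share\\a.pdf.Cllp
2023-06-01T10:00:04Z srv-files RENAME C:\\Share\\b.pdf -> C:\\Share\\b.pdf.C_L_O_P
2023-06-01T11:30:00Z ws-042 RENAME C:\\Users\\jo\\draft.docx -> C:\\Users\\jo\\final.docx
2023-06-01T11:31:00Z ws-042 RENAME C:\\Users\\jo\\notes.txt -> C:\\Users\\jo\\notes.txt.clop
"""

EVENT_RE = re.compile(r"^(\S+) (\S+) RENAME (.+?) -> (.+)$")


def parse_events(text):
    """Return a list of (timestamp, host, old_path, new_path) tuples."""
    events = []
    for line in text.splitlines():
        m = EVENT_RE.match(line)
        if not m:
            continue  # ignore lines that are not rename events
        ts = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%SZ")
        events.append((ts, m.group(2), m.group(3), m.group(4)))
    return events


def is_clop_name(path):
    """True if the file name ends with one of the listed Clop extensions."""
    name = path.rsplit("\\", 1)[-1].lower()
    return any(name.endswith(ext) for ext in CLOP_EXTENSIONS)


def detect(text, window=timedelta(seconds=10), threshold=5):
    """Return {host: peak_count} for hosts with at least `threshold`
    Clop-style renames inside any sliding window of length `window`.
    A single stray rename (ws-042 above) stays below the threshold."""
    per_host = defaultdict(list)
    for ts, host, _old, new in parse_events(text):
        if is_clop_name(new):
            per_host[host].append(ts)
    alerts = {}
    for host, times in per_host.items():
        times.sort()
        start = 0
        for end in range(len(times)):
            while times[end] - times[start] > window:
                start += 1  # slide the window forward
            count = end - start + 1
            if count >= threshold:
                alerts[host] = max(alerts.get(host, 0), count)
    return alerts
```

Running `detect(SAMPLE_EVENTS)` flags only srv-files, where six files were renamed to Clop extensions within three seconds; in production the threshold should be tuned against the normal rename rate of each file server.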
What are the Security Recommendations Against Clop?
- It is strongly recommended that users of MOVEit MFT software disable all HTTP and HTTPS traffic on ports 80 and 443 to the MOVEit environment until a patch is released and applied.
- Utilise Cyber Threat Intelligence (CTI) for the latest indicators of compromise, feeding them into your SIEM / SOAR solutions.
- Employ efficient vulnerability scanning and patching procedures, prioritising critical assets most at risk.
- Create and maintain ransomware playbooks, as well as incident management plans.
- For quick system restoration and to stop further harm, employ and maintain healthy backup policies.
- Segregate as much IT infrastructure as possible – reducing the attack surface.
- Implement preventive and detective controls, and regularly test them through methods such as purple teaming or breach and attack simulations.
Gemserv’s cyber threat intelligence solution can support any organisation with (among many other use cases):
- Sector and Region Threats.
- Technology Stack Monitoring.
- Supply Chain Security (24/7 alerting).
- Brand and Social Media Monitoring.