Clop Ransomware: Who, What, Where, Why, How
The name Clop (often stylized Cl0p) refers to both Ransomware-as-a-Service (RaaS) and the ransomware and extortion threat group that develops and markets the malware (sometimes called the Clop gang or Clop group). It started in 2019 and has become one of the most commonly used forms of ransomware, and has been involved in several high-profile attacks.
Who?
Clop was first seen in February 2019, and was developed from a variant of the CryptoMix ransomware, which is believed to have been developed in Russia.
Because Clop is a RaaS, the ransomware isn’t used by a single entity, but by any affiliates that choose to use it. These can be criminal organizations or individuals located anywhere in the world. Clop ransomware been observed to have been used by the following financially-motivated cybercrime groups:
- TA505 (aka Gold Tahoe, Hive0065)
- FIN7 (aka Gold Niagara, Carbon Spider, Carbanak, Sangria Tempest)
- FIN11 (aka Lace Tempest, DEV-0950, TEMP.Warlock, UNC902)
Clop has hit the healthcare industry hard, and has also targeted organizations in a wide range of industries, including tech, financial services, insurance, professional services, government, retail, transportation, aerospace, education, automotive, manufacturing, telecom, energy, and engineering. Its victims are primarily in the US, and are also in Canada, Latin America, Asia, and Europe.
In 2020, Clop targeted healthcare and pharmaceutical organizations at the beginning of the COVID-19 pandemic.
In December 2020 and early 2021, Clop exploited a zero-day flaw in the Accellion File Transfer Appliance (FTA). They exfiltrated data from victims, then extorted them. Targets included Shell, Qualys, Kroger, and multiple universities, including University of Colorado, University of Miami, University of Maryland Baltimore (UMB), University of California, and Stanford Medicine.
In November 2021, Interpol and Ukrainian law enforcement arrested 6 individuals in Ukraine who were allegedly connected to Clop, and shut down some of the group’s infrastructure. This caused Clop to pause operations between November 2021 and February 2022.
In February 2023, Clop exploited a zero-day vulnerability in the Fortra GoAnywhere managed file transfer (MFT) tool. The group claimed to have hit 130 organizations as part of this campaign, including Community Health Systems, Hitachi Energy, Proctor & Gamble, Shell, Hatch Bank, Bombardier, Rubrik, Atos, Saks Fifth Avenue, the City of Toronto, Investissement Quebec, and the UK’s Pension Protection Fund.
In April 2023, Clop exploited vulnerabilities in PaperCut application servers.
In June 2023, Clop exploited vulnerabilities in Progress Software MOVEit Transfer, a file-transfer tool. The attacks hit British Airways, the BBC, the government of Nova Scotia, Zellis, and others. At the time of writing, this incident is still unfolding.
What?
Clop is double-extortion ransomware, meaning that it encrypts files and exfiltrates data to be used in leak threats. The group told BleepingComputer that they prefer to steal data to extort companies, rather than to encrypt data for extortion. In several of their attacks, they have exfiltrated data to use for extortion without deploying ransomware.
Where?
It seems likely that Clop members are Russian, based on Clop file metadata being in Russian, and the ransomware’s avoidance of systems that use Commonwealth of Independent States (CIS) keyboard layouts.
Affiliates that use the Clop RaaS can be located anywhere in the world, though the prominent ones (listed above) are believed to be Russian.
Why?
Clop, like most ransomware operators, is financially motivated. The group has reportedly taken in hundreds of millions of US dollars in ransom payments. Clop typically targets organizations with $5 million or more in annual revenue.
How?
Clop ransomware can be delivered in several ways, including phishing (including sending infected medical files), exploitation of vulnerabilities (especially of file transfer tools), compromising RDP, and malicious websites. The Clop group has also used DDoS attacks.
Clop can infect Windows and Linux machines.
Once Clop is on a machine, it installs additional malware for C2 and recon. It can deploy a Cobalt Strike beacon and/or TrueBot malware. It targets Active Directory to spread through the network, and uses Group Policy to enable persistence. It deletes Volume Shadow Copies to thwart data restoration efforts.
When Clop encrypts files, it appends a .Cl0p (or .ClOP or .CLOP) extension. It presents a ransom note which gives victims two weeks to pay before deleting the encrypted files and the decryption key. Clop runs a dark web leak site called „CL0P^_-LEAKS” where they post victim details to pressure them to pay. When victims haven’t paid, Clop has emailed the victim’s partners and/or customers telling them about the data breach.
To prevent detection, Clop includes anti-analysis and anti-virtual machine (VM) functionality. It uses digitally-signed executables and attempts to terminate over 600 Windows processes, including Windows Defender, Microsoft Security Essentials, and Malwarebytes Anti-Ransomware Protection.
