
Security news and analysis brought to you by the McCrary Institute

Type of threat: Cyber

Sector(s) targeted: Most industries worldwide, including retail, transportation, education, manufacturing, automotive, energy, financial, telecommunications and even healthcare. (Cyberint) Clop reportedly took responsibility for a mass attack on more than 130 organizations, including those in the healthcare industry, using a zero-day vulnerability in secure file transfer software GoAnywhere MFT. (HC3) A maritime services giant with headquarters in Singapore also fell prey to Clop. In November 2021, it was reported that Clop breached its IT systems to steal classified proprietary commercial information and employee data that included bank account details, payroll information, passports, email addresses, and internal correspondence, among others. (Trend Micro) Clop ransomware attacks also target non-IT fields such as distribution, logistics and manufacturing. (MDPI)

Nation/state associations: Not reported

Area of operations: Cl0p is affiliated with TA505, which is almost certainly a financially motivated, Russian-speaking, ransomware-as-a-service (RaaS) cybercrime group that is very likely based in a Commonwealth of Independent States (CIS) country. (Canadian Centre for Cyber Security) The most heavily targeted countries are the U.S., Canada, and India. (FourCore)

Dates operational: Cl0p has been operating since February 2019. (CISA) TA505 has been active since at least 2014. In addition to operating the CL0P RaaS, TA505 has also operated as an affiliate or developer of other RaaS operations, including LockBit, Hive, Locky Ransomware, and REvil; as an initial access broker, selling access to compromised corporate networks; and as a large botnet operator specializing in financial fraud and phishing attacks that use the Dridex banking trojan. (Canadian Centre for Cyber Security)

History: Evolving from the CryptoMix ransomware variant, CL0P was leveraged as a Ransomware as a Service (RaaS) in large-scale spear-phishing campaigns that used a verified and digitally signed binary to bypass system defenses. CL0P was previously known for its use of the ‘double extortion’ tactic: stealing and encrypting victim data, refusing to restore victim access, and publishing exfiltrated data on Tor via the CL0P^_-LEAKS website. In 2019, TA505 actors leveraged CL0P ransomware as the final payload of a phishing campaign involving a macro-enabled document that used a Get2 malware dropper to download SDBot and FlawedGrace. In more recent campaigns, beginning in 2021, CL0P has relied mostly on data exfiltration rather than encryption. (CISA)

Notable attacks or incidents: Beginning on May 27, 2023, CL0P Ransomware Gang, also known as TA505, began exploiting a previously unknown SQL injection vulnerability (CVE-2023-34362) in Progress Software’s managed file transfer (MFT) solution known as MOVEit Transfer. Internet-facing MOVEit Transfer web applications were infected with a web shell named LEMURLOOT, which was then used to steal data from underlying MOVEit Transfer databases. In similar spates of activity, TA505 conducted zero-day-exploit-driven campaigns against Accellion File Transfer Appliance (FTA) devices in 2020 and 2021, and Fortra/Linoma GoAnywhere MFT servers in early 2023. (CISA)

Notable threats: The operators behind Clop coerce their victims by sending out emails to open negotiations. If their messages are ignored, they escalate to more severe threats, such as publicizing and auctioning off the stolen information on their data leak site “Cl0p^_-Leaks”. They have also gone as far as quadruple extortion, going after top executives and customers to pressure companies into settling the ransom. Having established itself in the world of cybercrime, the Clop ransomware gang is deemed a trendsetter for its ever-changing tactics, techniques, and procedures (TTPs). (Trend Micro)

Legal actions: Some of those suspected of running Clop were arrested in Ukraine in 2021, but the gang continues to run through other crew members. (SentinelOne)
