Cl0p study sheds light on rising ransom gang


Cl0p ransomware gang may have garnered a lot of attention with this year’s high-profile string of MOVEit hacks, but now it’s also on the radar of the cybersecurity industry. FalconFeeds.io gives Cybernews its take on the prolific Russian outfit.

“Among the numerous ransomware families that have wreaked havoc on businesses, institutions, and individuals alike, Cl0p stands out for its advanced techniques and widespread impact,” says Mayank Sahariya, cyber threat intelligence researcher at FalconFeeds.io.

As is often the case, Cl0p’s name can refer both to the gang itself and the type of ransomware it operates as a service. The cybercriminal group is thought to have originated in 2019 as an offshoot of another profit-motivated gang called FIN11, while the malware program it uses is descended from the earlier CryptoMix.

“The CryptoMix ransomware, which is also connected to FIN11, looks to be an ancestor (or version) of the Cl0p malware,” says Sahariya. “In addition, it is said that CryptoMix is a cross between the ransomware strains CryptXXX and CryptoWall.”

FIN11 is the equivalent of illustrious heritage in the cybercriminal world, as the group has been linked to high-profile ransomware attacks such as SolarWinds, PaperCut, and GoAnywhere.

Ever-evolving extortion

Ransomware gangs typically make their money through encrypting target organization data beyond use and then extorting their victims to get it back. In Cl0p’s case, its methodology in this area has escalated steadily since April 2020 when it published data belonging to a pharmaceutical company - a technique known as “double extortion.”

“The people behind Cl0p published information about a pharmaceutical business on their leak site, marking their initial entry into the double extortion scheme,” says Sahariya. “The list of victims kept by CL0P's leak site has significantly expanded since the program's introduction. The gang's extortion methods have advanced with time and have consequently gotten more damaging.”

He isn’t wrong. This year alone, Cl0p has managed to infiltrate 377 target organizations, according to Sahariya’s own research, while the darkfeeds.io ransomware tracker puts the lifetime number of leak victims for the gang at 494 at the time of writing.

“One of the most sinister aspects of Cl0p is its practice of exfiltrating sensitive data before encrypting it,” says Sahariya. “This stolen data is then used as leverage in a double extortion scheme, where victims are threatened with the exposure of their data unless they pay the ransom.”

Cl0p is also notable for a new extortion strategy that involves leaking data via torrents, rather than dedicated websites as was usually the case before.

“In order to leak data obtained from some MOVEit data theft victims, Cl0p had recently turned to building transparent websites,” explains Sahariya. “However, companies and law enforcement are more likely to take down such domains. In search of an alternative, Cl0p has now chosen to distribute the files through torrents.”

This entails setting a website on protected browser Tor featuring instructions for using torrent “clients to obtain the stolen material.” Sahariya lists prestigious victims including the Boston Globe, PwC, Ernst & Young as among dozens of targeted entities to have fallen foul of this tactic.

"The gang often initiates attacks through phishing emails that contain malicious attachments or links."

Sahariya

Attack methodology

When it comes to infiltrating targets, a first line of attack employed by Cl0p is commonly phishing or social engineering, by which it seeks to dupe employees into giving it access to computer systems.

“The gang often initiates attacks through phishing emails that contain malicious attachments or links,” says Sahariya. “These emails are crafted to appear legitimate, fooling unsuspecting recipients into triggering the ransomware payload.”

Once again, it appears to have taken its cue in this regard from its predecessor FIN11, which is also known in cybersecurity circles as TA505.

As well as that, “CL0P takes advantage of unpatched software vulnerabilities to gain unauthorized access to systems. Once inside, they exploit their privileges to move laterally through the network.”

Cl0p has also been associated with the Cobalt Strike tool, originally intended as a team for penetration testers but unfortunately often misused by cybercriminals as well.

Cl0p pretends to be cordial and professional in ransom note
Cl0p pretends to be cordial and professional in ransom note to victims

Professional crooks

To gain the attention of its victims, Cl0p uses the kind of language that has become all too typical of ransomware gangs, coating its rapacious and threatening notes with a veneer of professionalism.

“Typically, ransom notes are saved to each folder that contains encrypted files and are given attention-grabbing file names like Cl0pReadMe.txt or README_README.txt to draw the victim's attention,” says Sahariya. “The ransom letter often includes victim-specific information on exfiltrated data as well as a warning that non-compliance with the group's demands will result in data being published to their Tor-based leak site.”

Despite this, the gang tends to sign off with cuddly-feely sobriquets such as “friendly Cl0p” while insisting it operates under “warranty.”

“Our team has been around for many years,” reads one ransom note cited by Sahariya. “We have not even one time do not as we promise. [sic] When we say data is delete it is, ‘cause we show video proof.”

Corporations beware

As one might guess, most of Cl0p’s victims to date are based in the US, with the UK, Canada, and Germany also targeted multiple times. The industries most severely affected by its attacks this year are financial services, information technology, insurance, education, banking, and software development, Saharyia adds.

FalconFeeds.io urges potential targets to invest in robust cybersecurity measures, including regular software updates, specialized training for workers, segregated networks to stymie lateral movement by threat actors within systems, and regularly backing up data.

“The Cl0p ransomware has firmly established itself as a formidable adversary in the cybercrime landscape, causing significant financial losses and reputational damage to its victims,” says Sahariya. “As technology evolves, so too do the tactics of cybercriminals, making it imperative for organizations and individuals to stay vigilant and adopt robust cybersecurity practices.”