What Shell, Hitachi, and Rubrik attacks reveal about Cl0p


Energy giants Shell and Hitachi, and cybersecurity company Rubrik, alongside many others, have recently fallen victim to ransomware syndicate Cl0p. Experts believe these fresh attacks reveal something about the cyber gang.

Russia-linked ransomware gang Cl0p has been busy lately. Over the past two weeks the gang supposedly breached scores of companies all over the world. Shell, Hatch Bank, Bombardier, Stanford University, Rubrik, Saks Fifth Avenue, and many others have found their names on the ransomware cartel’s dark-web blog over the past two weeks.

Cl0p’s score seems exceptionally high since the four-year-old gang appears to have been hibernating after law enforcement nabbed several high-ranking affiliates in 2021.

ADVERTISEMENT

And while some, like Bombardier, told Cybernews the exposed data comes from a 2021 breach, other companies admitted Cl0p penetrated their defenses, likely with a zero-day bug found on Fortra’s GoAnywhere managed file transfer.

“This type of supply-chain exploitation by a ransomware group is very concerning, particularly as it utilizes a zero-day vulnerability,” Ryan Platten, product marketing manager for cybersecurity company Binary Defense, told Cybernews.

“It was clearly a matter of time until a patch was made available for the vulnerability, which is likely the reason for Cl0p’s accelerated pace.”

Karim Hijazi said.

“Opportunistic exploit”

The use of the GoAnywhere zero-day flaw was confirmed by the cybercriminals themselves, adding the vulnerability was used to supposedly breach a whopping 130 organizations.

While criminals revealing their lock-picking tools might seem careless, it also may point to the tool being obsolete, says Karim Hijazi, the CEO of cybersecurity firm Cyligence.

“It would not surprise me to learn that once initial access had been established via the zero-day, a secondary stage persistence and reconnaissance implant would have been deployed. This might be the reason for their admittance to using the zero-day, since its utility was now no longer needed,” Hijazi told Cybernews.

The gang’s openness about the zero-day reveals something about the attack itself. Once Cl0p’s affiliates breached scores of companies using the bug, they snooped around inside the victim’s systems, moving laterally and collecting data.

ADVERTISEMENT

Given the alleged volume of breached companies, the attack either required close coordination between a significant number of affiliates or a lengthy operation carried out by a few dedicated members.

“It was clearly a matter of time until a patch was made available for the vulnerability, which is likely the reason for Cl0p’s accelerated pace,” Hijazi said.

Playing mind games

Cl0p’s recent spree differs from routine ransomware attacks, as the gang opted to forego the double-extortion tactic of encrypting and exfiltrating data. Instead, Cl0p simply took the data and focused on sending out ransom notes.

“With this type of supply-chain attack, we often see a high victim count early on, and the attacks can spread quickly. It’s not as common for ransomware groups to leverage zero-days, although this could be changing,” Platten explained.

The behavior brings out the opportunistic nature of the gang. As with any other organization, criminal enterprises need to direct human resources in the most efficient way.

Clop arrests
Ukrainian authorities seizing Cl0p affiliates' assets in 2021.

The zero-day exploit provided Cl0p with a significant number of victims, likely pushing the gang to focus solely on handling the large volume of ransom negotiations that would have arisen as a result. In other words, a zero-day exploit equals quick cash.

To buy themselves more time, the gang could have tried to leverage media attention. For example, revealing the tools behind the breach in the midst of an attack could have also served as a smokescreen. It’s hardly a surprise Cl0p spilled the beans only after a patch for the bug became available.

“The admittance is also a very useful misdirection tactic, where the victim’s security teams would be burdened with now hastily patching a likely already exploited vulnerability while the more persistent and stealthier implant is able to remain intact and undiscovered,” Hijazi explained.

ADVERTISEMENT

Well-positioned friends

While Cl0p’s use of zero-day is out of the ordinary, it’s not unique. According to Steven Erwin, incident response security consultant at cybersecurity company TrustedSec, ransomware gangs have used unknown vulnerabilities to breach companies in the past.

“Just recently, an ESXI vulnerability was used by a ransomware group to infect over 500 servers in a day. Even looking back to early 2021, the exchange bug, known as Hafnium, was leveraged for ransomware. And in July 2021, REvil leveraged Kaseya to gain access to over 1,000 companies,” Erwin said.

However, discovering zero-day bugs and devising ways to exploit them require time and considerable skill: two components ransomware affiliates often lack. Instead, cybercriminals leverage the underground criminal community to gain precious tools like zero-days bugs.

“Since the ransomware industry continues to evolve, and we are seeing more activity from Russian groups and can expect that to continue at least over the near term, it is a concern that we might see more supply-chain and zero-day attacks.”

Platten warned.

“It is more likely that the zero-day was brokered by another group or individual to Cl0p either via the dark web or as a specific request by Cl0p. Most of these ransomware gangs are purely operators and utilize the tooling developed by more skilled developers and vulnerability researchers,” Hijazi noted.

Erwin and Platten agree, adding that the use of GoAnywhere zero-day could point to increasing cooperation between Russia-based criminal groups. As we recently wrote, skilled malware developers are a desired rarity in the Russian cybercriminal underworld, with gang leaders seeking the masterminds behind the malware.

“Since the ransomware industry continues to evolve, and we are seeing more activity from Russian groups and can expect that to continue at least over the near term, it is a concern that we might see more supply-chain and zero-day attacks,” Platten warned.

Flashy comeback

Cl0p ransomware has been around since 2019, ages in the ever-changing ransomware landscape. The gang has also been at the forefront of the ransomware world, with estimated payouts reaching $500 million in November 2021.

ADVERTISEMENT

In the same year, Ukrainian law enforcement dealt the gang a major blow, leading to several arrests and the dismantling of the gang’s server IT infrastructure. The arrests eventually forced it to shut down operations through November 2021 and February 2022. However, the gang has been steadily recovering since then.

According to Erwin, it’s not unusual for ransomware groups to go dark for a while after getting busted. However, most of the time, groups disband or rebrand under a different name. Prominent examples of such behavior include Conti and its successor Black Basta, DarkSide and its successors BlackMatter, and BlackCat/ALPHV.

“The fact that Cl0p is back in action and at such a high rate of activity after the last crackdown is proof of how resilient many of these operations are and how difficult they are to completely shut down,” Erwin said.