
Clop Ransomware Attack
Clop ransomware, first discovered in February 2019, has become a more prevalent and pronounced threat in recent years. As vulnerabilities in the everyday services organizations rely on went unaddressed, Clop's operators exploited those flaws and moved to far more sophisticated methods than its initial iteration used.
Clop Ransomware: What It Truly Is and How It Works
Clop ransomware is a type of malware specifically designed to encrypt data on a victim's system and demand a ransom payment in exchange for the decryption key. It belongs to the CryptoMix ransomware family and is known for targeting large organizations and enterprises rather than individual users. The name "Clop" comes from the Russian word "клоп," meaning "bug."
The Core Principles of Clop Ransomware
- Encryption Algorithms: It relies on strong encryption methods, mainly AES (Advanced Encryption Standard) and RSA (Rivest-Shamir-Adleman), to render victims' files inaccessible.
- Double Extortion Tactics: Threatens to leak stolen sensitive information if the ransom is not paid within the deadline set by the attacker.
- Targeted Attacks: Focuses on high-value organizations rather than indiscriminate mass attacks, often exploiting known vulnerabilities or weak security measures.
How Does Clop Ransomware Work?
1. Reconnaissance
The attacker gathers as much information about the target as possible before moving on to the initial access phase. They conduct open-source intelligence (OSINT) to identify email addresses, job roles, or exposed systems. They scan the victim's network for known vulnerabilities and fingerprint software versions, so that unpatched flaws can be exploited to reach sensitive data in later stages.
2. Initial Access
Clop operators often gain entry through phishing emails, malicious attachments, or exploitation of vulnerabilities in public-facing software such as MOVEit Transfer, RDP, or VPNs, to name a few. For instance, in 2023 Clop exploited a vulnerability in the MOVEit file transfer software (CVE-2023-34362) to infiltrate systems.
3. Execution
- Once Clop has gained initial access to the victim's system, the ransomware payload is executed via PowerShell, using scripts delivered through phishing or through the exploited vulnerability.
- This phase also involves disabling antivirus and any other security controls the target has in place.
- If the initially compromised system is not itself a critical target, Clop uses tools like PsExec or Windows Management Instrumentation (WMI) to propagate and execute the ransomware across other systems in the network.
4. Data Exfiltration
Before the sensitive files are encrypted, Clop initiates data exfiltration, transferring the stolen data to attacker-controlled servers for later extortion. The operators often integrate custom tools into the payload to keep this stage stealthy.
5. File Encryption
After exfiltrating sensitive information, Clop encrypts files using AES encryption. The AES key is in turn secured with RSA encryption, making it virtually impossible to recover the files without the attacker's private key, and hence without paying the ransom.
6. Ransom Note
Once the encryption process is complete, Clop ransomware delivers a ransom note (e.g., README.txt or ClopReadMe.txt) that includes the following:
- Instructions for contacting the attackers, typically via email or Tor-based websites.
- Threats of data exposure, warning victims that their sensitive information will be leaked if the ransom remains unpaid.
This double extortion tactic places psychological pressure on the victim, compelling them to comply with the attacker's demands for fear of sensitive data exposure.
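As an added illustration of the execution, lateral movement and ransom note stages described above (not part of the original article), the following Python detection logic runs constructed Windows-event-style log lines through rules for PsExec service installs, WMI remote process creation, hidden PowerShell launches, and the ransom note file names README.txt and ClopReadMe.txt. The hostnames, timestamps and messages are constructed samples, not from a real incident, and the rule names are this example's own.

```python
import re
from collections import defaultdict

# Constructed sample events (not from a real incident), one per line:
# <timestamp> <host> <event_id> <message>, with simplified Windows messages.
SAMPLE_LOGS = """\
2023-06-01T10:02:11 FS01 7045 Service installed: Name=PSEXESVC File=%SystemRoot%\\PSEXESVC.exe
2023-06-01T10:02:40 FS01 4688 New Process: wmic.exe /node:WS12 process call create cmd.exe
2023-06-01T10:03:05 WS12 4688 New Process: powershell.exe -nop -w hidden -ExecutionPolicy Bypass -File C:\\Users\\Public\\stage.ps1
2023-06-01T10:05:00 WS12 4663 File created: C:\\Users\\Public\\ClopReadMe.txt
2023-06-01T10:05:10 WS12 4663 File created: D:\\Shares\\Finance\\README.txt
2023-06-01T10:06:00 WS13 4688 New Process: notepad.exe C:\\Users\\bob\\README.txt
"""

# One regex per stage of the chain described above, applied to the message field.
RULES = [
    ("lateral_movement:psexec", re.compile(r"\bPSEXESVC\b", re.I)),
    ("lateral_movement:wmi", re.compile(r"\bwmic\.exe\b.*process call create", re.I)),
    ("execution:powershell_hidden", re.compile(r"powershell(\.exe)?.*(-w(indowstyle)? hidden|-ExecutionPolicy Bypass)", re.I)),
    ("ransom_note:clop", re.compile(r"\\ClopReadMe\.txt$", re.I)),
    ("ransom_note:generic", re.compile(r"\\README\.txt$", re.I)),
]
LINE_RE = re.compile(r"^(\S+) (\S+) (\d+) (.*)$")

def detect(log_text):
    """Return {host: [(event_id, rule_name), ...]} for every matching event."""
    hits = defaultdict(list)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        _ts, host, event_id, msg = m.groups()
        for name, rx in RULES:
            # Note-name rules apply only to file events (4663): a user opening README.txt is benign.
            if name.startswith("ransom_note") and event_id != "4663":
                continue
            if rx.search(msg):
                hits[host].append((event_id, name))
    return dict(hits)

def hosts_needing_triage(hits):
    """Hosts with the Clop-specific note, or with two distinct rules firing."""
    flagged = []
    for host, findings in hits.items():
        names = {name for _, name in findings}
        if "ransom_note:clop" in names or len(names) >= 2:
            flagged.append(host)
    return sorted(flagged)
```

On the sample above, FS01 is flagged for PsExec plus WMI activity and WS12 for the Clop note; WS13 produces no finding because its README.txt appears only in a process command line.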
How To Stay Protected From Clop Ransomware Attacks
- Enforce regular patching and updates for software, especially MOVEit, VPNs, and RDP.
- Verify the email sender's legitimacy before opening attached links or files.
- Mandate that applications are downloaded only from official sources, so attackers cannot leverage vulnerabilities in untrusted third-party applications.
- Limit access to critical systems as much as possible, so that sensitive data remains protected during security incidents.
- Enforce Multi-Factor Authentication to protect access to critical systems like VPNs, RDP (Remote Desktop Protocol), and admin accounts from unauthorized access.
CVE List For Clop Ransomware
- CVE-2024-50623
- CVE-2024-55956
- CVE-2023-34362
- CVE-2020-1472
- CVE-2021-26855
- CVE-2021-21972
- CVE-2019-0708
- CVE-2018-7600
- CVE-2022-22965
- CVE-2022-41082
- CVE-2017-0144