mega-menu-burger mega-menu-close

Clop Ransomware Gang

By Huseyin Can YUCEEL & Picus Labs   August 22, 2022   Ransomware

Clop ransomware was first observed in February 2019 in an attack campaign run by TA505. Since then, it has become one of the most used ransomware in the Ransomware-as-a-Service (RaaS) market until the arrest of suspected Clop members in June 2021. Clop ransomware group uses the double extortion method and extorted nearly $220,000 on average ransom payment from its victims in 2021 Q1. Healthcare is the most targeted industry by Clop ransomware.

Metadata

Associated Groups

Successor of CryptoMix ransomware

Aliases - Cl0p

Affiliates - TA505, FIN11, UNCA2546, UNCA2582

Associated Country

Russia

First Seen

February 2019

Target Sectors

Aviation, Banking, Energy, Financial Services, Government, Healthcare, Information Technology, Manufacturing, Retail,  Technology, Telecommunications

Target Countries

United States, Australia, Brazil, Canada, Germany, Hong Kong, India, Mexico, Philippines, Singapore, Spain, Sweden, United Kingdom

Modus Operandi

Business Models

Ransomware-as-a-service (RaaS), Multiple Extortion

Extortion Tactics

File Encryption

Data Leakage

Threaten to Sell Stolen Information

Threatening Top Executives and Customers

Initial Access Methods

Exploit Public-Facing Application

Phishing

External Remote Services

Valid Accounts (Stolen Credentials)

Impact Methods

Data Encryption

Data Exfiltration

Exploited Applications and Vulnerabilities by Clop

Application

Vulnerability

CVV

CVSS

Accellion FTA

SQL Injection

CVE-2021-27101

9.8 Critical

Accellion FTA

OS Command Execution

CVE-2021-27102

7.8 High

Accellion FTA

SSRF

CVE-2021-27103

9.8 Critical

Accellion FTA

OS Command Execution

CVE-2021-27104

9.8 Critical

Solarwinds Serv-U

Remote Code Execution

CVE-2021-35211

10 Critical

Utilized Tools and Malware by Clop

MITRE ATT&CK Tactic

Tools

Execution

Get2 Loader

Persistence

Cobalt Strike

Defence Evasion

SDBOT

Discovery

FlawedAmmyy RAT

SDBOT

Lateral Movement

TinyMet

Exflitration

DEWMODE

Impact

Clop ransomware

  • [1] “Get2.” [Online]. Available: https://attack.mitre.org/software/S0460/. (Accessed: Jul. 07, 2022)

  • [2]       K. Arhart, “Cobalt Strike,” Cobalt Strike Research and Development, Aug. 19, 2021. https://www.cobaltstrike.com/ (accessed Jul. 06, 2022).

  • [3] “SDBbot.” [Online]. Available: https://attack.mitre.org/software/S0461/. (Accessed: Jul. 07, 2022)

  • [4] “FlawedAmmyy.” [Online]. Available: https://attack.mitre.org/software/S0381/. (Accessed: Jul. 07, 2022)

  • [5] Microsoft Corporation, “Trojan:Win32/TinyMet.” [Online]. Available: https://www.microsoft.com/en-us/wdsi/threats/malware-encyclopedia-description?Name=Trojan:Win32/TinyMet&ThreatID=2147758560.(Accessed: Jul. 07, 2022)

  • [6] “Backdoor.PHP.DEWMODE.A.” [Online]. Available: https://www.trendmicro.com/vinfo/us/threat-encyclopedia/malware/backdoor.php.dewmode.a/. (Accessed: Jul. 07, 2022)

  • [7] F. Fkie, “Clop (Malware Family).” [Online]. Available: https://malpedia.caad.fkie.fraunhofer.de/details/win.clop. (Accessed: Jul. 07, 2022)

Subscribe

Keep up to date with latest blog posts