Free Trial
|
Login
Free Trial
Login
Platform

Platform

I want to

report
WHITEPAPER Picus Red Report 2024
white paper
DATASHEET Security Validation Platform
Use Cases

Use Cases

Frameworks

Group
WHITEPAPER Building a Robust Defense-in-Depth Strategy with Breach and Attack Simulation (BAS)
webinar
ON-DEMAND Top Ten ATT&CK Techniques: The Rise of ‘Hunter-Killer’ Malware
Research

RESEARCH

LEARNING

report (1)
REPORT 2024 Gartner® Peer Insights™ Voice of the Customer for Breach and Attack Simulation (BAS) Tools
report (1)
REPORT Blue Report: Effective Threat Exposure Management
Resources

RESOURCES

LEARNING

Group
WHITEPAPER Double Your Threat Blocking in 90 Days
webinar
UPCOMING WEBINAR Maximizing Cybersecurity with GenAI
Company

COMPANY

PARTNERS

webinar
UPCOMING WEBINAR Maximizing Cybersecurity with GenAI
Data sheet
DATASHEET The Pioneer of Breach & Attack Simulation
GET A DEMO

Clop Ransomware Gang

By Huseyin Can YUCEEL & Picus Labs   August 22, 2022   Ransomware

Clop ransomware was first observed in February 2019 in an attack campaign run by TA505. Since then, it has become one of the most used ransomware in the Ransomware-as-a-Service (RaaS) market until the arrest of suspected Clop members in June 2021. Clop ransomware group uses the double extortion method and extorted nearly $220,000 on average ransom payment from its victims in 2021 Q1. Healthcare is the most targeted industry by Clop ransomware.
Metadata

Associated Groups

Successor of CryptoMix ransomware

Aliases - Cl0p

Affiliates - TA505, FIN11, UNCA2546, UNCA2582

Associated Country

Russia

First Seen

February 2019

Target Sectors

Aviation, Banking, Energy, Financial Services, Government, Healthcare, Information Technology, Manufacturing, Retail,  Technology, Telecommunications

Target Countries

United States, Australia, Brazil, Canada, Germany, Hong Kong, India, Mexico, Philippines, Singapore, Spain, Sweden, United Kingdom
Modus Operandi

Business Models

Ransomware-as-a-service (RaaS), Multiple Extortion

Extortion Tactics

File Encryption

Data Leakage

Threaten to Sell Stolen Information

Threatening Top Executives and Customers

Initial Access Methods

Exploit Public-Facing Application

Phishing

External Remote Services

Valid Accounts (Stolen Credentials)

Impact Methods

Data Encryption

Data Exfiltration
Exploited Applications and Vulnerabilities by Clop

Application

Vulnerability

CVV

CVSS

Accellion FTA

SQL Injection

CVE-2021-27101

9.8 Critical

Accellion FTA

OS Command Execution

CVE-2021-27102

7.8 High

Accellion FTA

SSRF

CVE-2021-27103

9.8 Critical

Accellion FTA

OS Command Execution

CVE-2021-27104

9.8 Critical

Solarwinds Serv-U

Remote Code Execution

CVE-2021-35211

10 Critical
Utilized Tools and Malware by Clop

MITRE ATT&CK Tactic

Tools

Execution

Get2 Loader

Persistence

Cobalt Strike

Defence Evasion

SDBOT

Discovery

FlawedAmmyy RAT

SDBOT

Lateral Movement

TinyMet

Exflitration

DEWMODE

Impact

Clop ransomware

  • [1] “Get2.” [Online]. Available: https://attack.mitre.org/software/S0460/. (Accessed: Jul. 07, 2022)

  • [2]       K. Arhart, “Cobalt Strike,” Cobalt Strike Research and Development, Aug. 19, 2021. https://www.cobaltstrike.com/ (accessed Jul. 06, 2022).

  • [3] “SDBbot.” [Online]. Available: https://attack.mitre.org/software/S0461/. (Accessed: Jul. 07, 2022)

  • [4] “FlawedAmmyy.” [Online]. Available: https://attack.mitre.org/software/S0381/. (Accessed: Jul. 07, 2022)

  • [5] Microsoft Corporation, “Trojan:Win32/TinyMet.” [Online]. Available: https://www.microsoft.com/en-us/wdsi/threats/malware-encyclopedia-description?Name=Trojan:Win32/TinyMet&ThreatID=2147758560.(Accessed: Jul. 07, 2022)

  • [6] “Backdoor.PHP.DEWMODE.A.” [Online]. Available: https://www.trendmicro.com/vinfo/us/threat-encyclopedia/malware/backdoor.php.dewmode.a/. (Accessed: Jul. 07, 2022)

  • [7] F. Fkie, “Clop (Malware Family).” [Online]. Available: https://malpedia.caad.fkie.fraunhofer.de/details/win.clop. (Accessed: Jul. 07, 2022)

Related Content

August 22, 2022   •   Ransomware

Conti Ransomware Group

READ MORE

August 22, 2022   •   Ransomware

BlackCat Ransomware Gang

READ MORE

August 22, 2022   •   Ransomware

Snatch Ransomware Gang

READ MORE

August 22, 2022   •   Ransomware

Vice Society Ransomware Group

READ MORE

DISCOVER
MORE RESOURCES

AvosLocker Ransomware Group

Read More

Vice Society Ransomware Group

Read More

Black Basta Ransomware Gang

Read More