A Deep Dive into CL0P Ransomware

CL0p is a notorious name on the ransomware scene, and with good reason. The gang’s members have been responsible for a series of high-profile attacks since security researchers first spotted their ransomware strain in the wild back in 2019.

Our internal data shows that CL0p continues to cause havoc and will likely supplant LockBit as the top ransomware gang in 2023. Here is a deep dive into the CL0p ransomware and the gang’s attacks.

CL0p Ransomware Operations and Technical Info

CL0p is the name given to a group of Russian-speaking threat actors who use a ransomware strain that appends the extension .CL0p onto encrypted system files. The gang’s members tweaked a previously used ransomware strain known as CryptoMix to create ransom.CL0p. The group is financially motivated and began its operations by targeting businesses earning at least $5 million in annual revenues.

Among the techniques used in traditional CL0p ransomware attacks are local file deletion, evading sandboxes, downloading tools from external URLs and halting system processes. Attacks commonly feature the Truebot tool, which collects and transmits information about the local system in addition to loading malicious shell code and other program modules. The popular adversary simulation tool Cobalt Strike helps CL0p threat actors expand their network access to multiple systems.

Variants of CL0p were initially only found on Windows systems, but the gang also developed a Linux variant toward the end of 2022, reflecting the diversity of endpoint operating systems used by modern businesses. Security researchers noted a flaw in the Linux version: its encryption is easily reversible using a simple decryptor.

Phishing campaigns were the primary initial access vector for most of CL0p’s high-profile attacks from 2019 to 2022. These campaigns combined both mass phishing and more targeted spear phishing emails. A pivot toward targeting zero-day vulnerabilities as the initial access vector was behind two of the most high-profile cyberattacks of 2023 (more on those later).

Early victims of CL0p ransomware attacks included German flavor and fragrance developer Symrise AG, the University of Maryland, Flagstar Bank, U.S. pharma company ExecuPharm and Stanford University.

Wait, Weren’t CL0p Members Arrested?

When a joint law enforcement operation in June 2021 between Ukrainian and U.S. authorities arrested multiple CL0p gang members, many in the cybersecurity community assumed this spelled the end of the gang’s operations. However, just two days after the arrests, new victims were listed on the gang’s dark web leak site.

Further investigations by security intelligence company Intel471 found that the law enforcement sting mostly hit the money laundering side of CL0p’s operations. The gang’s core members were not impacted, which makes sense given that CL0p continues to be involved in high-profile cyberattacks.

There does appear to have been a shift in objectives toward mainly data exfiltration without installing ransomware. Perhaps ransomware gangs like CL0p now feel it’s more profitable to simply focus on stealing data and holding companies ransom rather than installing their malicious files on multiple endpoints.

CL0p’s 2023 Attacks

After a significant downturn in CL0p activity in 2022, a security researcher noted CL0p emerging again with the Linux variant of its ransomware, targeting Colombia’s La Salle University and U.K. water supplier South Staffordshire Water toward the end of the year. The uptick in CL0p gang activity continued with two major cyberattacks in the first half of 2023. Here is an overview of CL0p’s 2023 attacks.


GoAnywhere MFT is a managed file-sharing solution companies use to securely exchange data between systems, employees and partners. Given the nature of this tool, it makes sense as a cyberattack target because compromising it could give threat actors access to sensitive data with fewer hurdles to clear. That’s exactly what happened when CL0p gang members exploited a zero-day remote code execution vulnerability in the tool’s administrative console to exfiltrate data.

Following the disclosure of this vulnerability, CL0p gang members claimed they’d used it to steal sensitive data from 130 companies. Among the confirmed companies impacted was the fintech banking platform Hatch Bank, which had data on 140,000 customers stolen. Another victim, healthcare giant Community Health Systems (CHS), had health and personal info on one million patients stolen.

An interesting additional detail was that most companies that used GoAnywhere were automatically protected because the admin console of the tool was not accessible via the public internet. Security researchers conducted scans for exposed GoAnywhere instances after news emerged about the zero-day flaw, and they found 151 exposed admin consoles, consistent with CL0p’s reported 130 companies breached.


MOVEit is a corporate file-sharing solution with many customers in the United States. In a further example of the far-reaching impact of CL0p’s contemporary tactics, the group found and exploited a zero-day flaw in MOVEit. The attack, which made global news headlines in June 2023, impacted up to 400 organizations and 20 million+ individuals.

The vulnerability here was an SQL injection flaw that enabled CL0p actors to hit MOVEit web applications with malicious web shell code. SQL injection flaws allow hackers to insert malicious SQL commands into input fields to trick the underlying database into executing unintended commands. Exploiting this flaw facilitated access to and retrieval of data stored in the MOVEit application’s databases at targeted companies. High-profile victims included the BBC, British Airways, the U.S. Department of Energy, PwC and Deutsche Bank.

After stealing the data, CL0p resorted to its usual process of listing affected companies and demanding ransom payments to avoid having stolen data published on the dark web. Interestingly, at least 11 companies, including contracting company Maximus, have been delisted after the MOVEit breach. The delisting of these companies is a strong indicator that they caved to the ransom demands.

CL0p Attack Mitigation

A recent trend toward targeting zero-day vulnerabilities in file-sharing tools doesn’t mean companies should neglect the threat of traditional CL0p ransomware attacks. The usual advice applies to CL0p ransomware as it does to any other ransomware variant or gang:

  • Maintain a robust incident response plan to act quickly when incidents occur.
  • Apply least privilege principles to all applications, functions and users, especially PowerShell, which should only be usable when needed by admins, ideally on a case-by-case basis.
  • If you use remote desktop protocol (RDP) for remote employee access, switch on multifactor authentication for all accounts.
  • Regularly back up your data and keep copies offline, away from your primary network.
  • Stay on top of patch management so that apps, operating systems and firmware stay updated with the latest security improvements.
  • Split your network into segments so that if ransomware infiltrates one part, it doesn’t necessarily have access to everything.
  • Regularly audit your web applications and interfaces to check that admin consoles aren’t publicly accessible online.
  • Use advanced endpoint detection and response solutions with behavior-based detection features to identify and stop threats.
  • Most ransomware attacks begin with phishing emails, including those by CL0p. Educate employees on how to recognize and avoid phishing emails. Regularly run simulated phishing tests to keep them vigilant.
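
The admin-console audit recommended above, and the GoAnywhere observation that instances with a non-public admin console were protected, can be checked per host from the listener table. The following is an added example, not code from the original article or from any vendor: the admin port set, the internal address ranges and the sample `ss -ltnH` lines are constructed assumptions to replace with your own.

```python
import ipaddress

# Assumption: ports your admin consoles listen on; take them from product config.
ADMIN_PORTS = {8000, 8001, 8443}
# Assumption: ranges treated as internal (RFC 1918, link-local, IPv6 ULA).
INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "169.254.0.0/16", "fc00::/7", "fe80::/10")]

# Constructed sample in the column layout of `ss -ltnH` (not real data).
SAMPLE_SS_OUTPUT = """\
LISTEN 0 128 127.0.0.1:8000 0.0.0.0:*
LISTEN 0 128 0.0.0.0:8001 0.0.0.0:*
LISTEN 0 128 10.20.0.5:8443 0.0.0.0:*
LISTEN 0 128 [::]:8443 [::]:*
LISTEN 0 128 0.0.0.0:443 0.0.0.0:*
LISTEN 0 128 203.0.113.10:8000 0.0.0.0:*
"""

def split_endpoint(endpoint):
    """Split 'addr:port' or '[v6]:port' into (address string, port int)."""
    host, _, port = endpoint.rpartition(":")
    # Drop an IPv6 zone id (e.g. %eth0) and the brackets around v6 addresses.
    return host.split("%")[0].strip("[]"), int(port)

def classify_bind(host):
    """Return 'loopback', 'internal' or 'exposed' for a bind address."""
    if host in ("*", "0.0.0.0", "::"):
        return "exposed"  # wildcard bind: listens on every interface
    ip = ipaddress.ip_address(host)
    if ip.is_loopback:
        return "loopback"
    if any(ip in net for net in INTERNAL_NETS):
        return "internal"
    return "exposed"

def audit_listeners(ss_output, admin_ports=ADMIN_PORTS):
    """List (local endpoint, verdict) for admin listeners not bound to loopback."""
    findings = []
    for line in ss_output.splitlines():
        fields = line.split()
        if len(fields) < 5 or fields[0] != "LISTEN":
            continue  # skip headers, blanks and non-listening sockets
        host, port = split_endpoint(fields[3])
        if port in admin_ports:
            verdict = classify_bind(host)
            if verdict != "loopback":
                findings.append((fields[3], verdict))
    return findings
```

An "exposed" verdict means the console is bound to a wildcard or non-internal address; whether it is actually reachable from the internet still depends on firewall and NAT rules, so confirm each finding with an external scan of your own address space.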
