In recent years, the Clop ransomware gang has emerged as one of the most prolific and notorious cybercriminal organizations. Employing sophisticated techniques and constantly evolving their strategies, the group has successfully targeted high-profile organizations worldwide. This article aims to provide an informative profile of the Clop ransomware gang, detailing its history, operations, and recent activities.
History of Clop
Clop originated as a variant of the CryptoMix ransomware family and gained prominence in February 2019 when the threat group known as TA505 employed it in a large-scale spear-phishing email campaign. Operating as a ransomware-as-a-service (RaaS) model, Clop was used by a Russian-speaking group and disguised its malicious intent by utilizing verified and digitally signed binaries. This approach allowed the ransomware to evade security detection effectively.
In 2020, the financially motivated hacking group FIN11 started deploying Clop ransomware, leveraging zero-day vulnerabilities in the Kiteworks file transfer appliance. These attacks involved the use of a specific web shell called “DEWMODE” for exfiltrating stolen information. Clop’s operators also began implementing double extortion schemes, where they threatened to publicize and auction off stolen data if their demands were not met.
Clop’s Operations
The Clop ransomware gang exhibits a range of sophisticated techniques in its operations. Unlike other ransomware variants, Clop targets entire networks rather than individual computers, gaining access to the Active Directory (AD) server to persistently infect endpoints. Previous attacks by the group involved large-scale phishing campaigns, utilizing spam emails and malicious attachments to deliver the Clop malware. These attacks often involved various tools, such as SDBOT, FlawedAmmyy, and Cobalt Strike, which facilitated reconnaissance, lateral movement, and exfiltration of data before the deployment of the ransomware.
The group utilizes multiple tactics to coerce victims, including negotiation emails and threats of publicizing stolen information on their dedicated leak site, “Cl0p^_-Leaks.” Clop has even employed quadruple extortion techniques, targeting top executives and customers to exert additional pressure on companies to pay the ransom. By constantly evolving its tactics, Clop has set new trends in the world of cybercrime.
Recent Activities
While the arrests of six suspected Clop members in Ukraine in June 2021 dealt a significant blow to the group, their criminal activities continued throughout 2021 and 2022. However, recent data suggests a slowdown in ransomware deployments, indicating a shift towards data stealing and extortion. Law enforcement and private partners managed to seize parts of Clop’s infrastructure and takedown money laundering channels used for cryptocurrency payments.
In May 2023, the Clop gang exploited critical zero-day vulnerabilities in the MOVEit Transfer and MOVEit Cloud file transfer software, targeting numerous private and public organizations. These attacks focused on stealing sensitive data and extorting companies rather than encrypting systems. The group used a combination of tactics, including data leak threats and demands for negotiations, to pressure victims into complying with their demands.
The Clop ransomware gang has established itself as a formidable threat in the cybersecurity landscape. With a history of high-profile attacks and constantly evolving tactics, the group continues to pose a significant risk to organizations worldwide. Enterprises must remain vigilant and adopt proactive cybersecurity measures to mitigate the threats posed by ransomware groups like Clop. Collaborative efforts between law enforcement, private partners, and cybersecurity professionals are crucial in dismantling such criminal organizations and safeguarding sensitive data from exploitation.
