The Clop ransomware appends the “.ClOP” (“Clop” spelled with a small “L”) extension to the files it encrypts. Researchers also discovered that Clop targets a victim’s entire network instead of just individual computers. This is made possible by hacking into the Active Directory (AD) server before the ransomware infection to determine the system’s Group Policy. This allows the ransomware to persist in the endpoints even after incident responders have already cleaned them up.
Previous attacks by the TA505 group saw the delivery of the Clop malware as the final stage of its payload in massive phishing campaigns. The malicious actors would send spam emails with HTML attachments that would redirect recipients to a macro-enabled document such as an XLS file used to drop a loader named Get2. This loader facilitates the download of various tools such as SDBOT, FlawedAmmyy, and Cobalt Strike. Once the malicious actors intrude into the system, they proceed to reconnaissance, lateral movement, and exfiltration to set the stage for deployment of the Clop ransomware.
The operators behind Clop coerce their victims by sending out emails in a bid for negotiations. They also resort to more severe threats such as publicizing and auctioning off the stolen information on their data leak site “Cl0p^_-Leaks” if their messages are ignored. They have also gone to the extent of using quadruple extortion techniques, which have involved going after top executives and customers to pressure companies into settling the ransom.
Having established itself well in the world of cybercrime, the Clop ransomware gang is deemed a trendsetter for its ever-changing tactics, techniques, and procedures (TTPs). Indeed, the group’s Kiteworks FTA exploits set a new trend, as these significantly pulled up the average ransom payments for the first quarter of 2021. A report that cited Coveware’s findings revealed that the average ransomware payment went up significantly to US$220,298, an increase of 43%. It also said that the median ransom payment increased sharply to US$78,398 from US$49,459, which translates to a 60% hike.
The threat actors behind the Clop ransomware use an established network of affiliates to gain initial access and send a large volume of spear-phishing emails to employees of an organization to induce infection. The malicious actors use compromised RDP access to penetrate the system, either by brute-forcing passwords or by exploiting known vulnerabilities. The following are the Kiteworks FTA zero-day exploits that they used in early 2021:
The ransomware group was reported to have exploited the SolarWinds Serv-U product vulnerability tagged as CVE-2021-35211.
Clop’s ransomware toolkit contained several malware types to harvest information:
At this stage, the malware scans for the workgroup information of the machine to distinguish personal machines from enterprise ones. If the workgroup is the default value, the malware stops its malicious behavior and deletes itself. If an AD server domain is returned, the machine is classified as a corporate machine. The malware then attempts to hack the AD server using Server Message Block (SMB) vulnerabilities and the additionally downloaded hacking tool Cobalt Strike. Cobalt Strike is a known post-exploitation tool that has previously been connected to other ransomware families. Meanwhile, TinyMet is used to connect the reverse shell to the C&C server. The AD server admin account is used to propagate the Clop ransomware to internal network machines. As for SDBOT, it uses application shimming to preserve the continuity of the attack and to avoid detection.
One attack was observed as using DEWMODE to exfiltrate stolen data.
The ransomware payload that terminates various Windows services and processes proceeds to its encryption routine.
| Tactic | Technique | Notes |
| --- | --- | --- |
| Initial Access | T1566.001 - Phishing: Spear-phishing attachment | Arrives via phishing emails that carry the Get2 loader, which downloads SDBot and the FlawedAmmyy RAT |
| Initial Access | T1190 - Exploit public-facing application | |
| Initial Access | T1078 - Valid accounts | |
| Execution | T1106 - Native API | |
| Execution | T1059 - Command and scripting interpreter | |
| Execution | T1204 - User execution | User execution is needed to carry out the payload from the spear-phishing link/attachments |
| Persistence | T1547 - Boot or logon autostart execution | Creates registry run entries to execute the ransomware as a service |
| Persistence | T1543.003 - Create or modify system process: Windows service | |
| Privilege Escalation | T1484.001 - Domain policy modification: Group Policy modification | Uses stolen credentials to access the AD servers to gain administrator privilege and attack other machines within the network |
| Privilege Escalation | T1068 - Exploitation for privilege escalation | |
| Privilege Escalation | T1574 - Hijack execution flow | |
| Defense Evasion | T1036.001 - Masquerading: invalid code signature | |
| Defense Evasion | T1562.001 - Impair defenses: disable or modify tools | |
| Defense Evasion | T1140 - Deobfuscate/decode files or information | |
| Defense Evasion | T1070.004 - Indicator removal on host: file deletion | |
| Defense Evasion | T1055.001 - Process injection: DLL injection | |
| Defense Evasion | T1202 - Indirect command execution | |
| Defense Evasion | T1070.001 - Indicator removal on host: clear Windows event logs | |
| Discovery | T1083 - File and directory discovery | |
| Discovery | T1018 - Remote system discovery | |
| Discovery | T1057 - Process discovery | |
| Discovery | T1082 - System information discovery | |
| Discovery | T1012 - Query registry | |
| Discovery | T1063 - Security software discovery | |
| Lateral Movement | T1570 - Lateral tool transfer | |
| Lateral Movement | T1021.002 - Remote services: SMB/Windows admin shares | |
| Collection | T1005 - Data from local system | |
| Command and Control | T1071 - Application layer protocol | |
| Exfiltration | T1567 - Exfiltration over web service | |
| Impact | T1486 - Data encrypted for impact | |
| Impact | T1490 - Inhibit system recovery | |
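As an added example (not code from the original report), the following Python rule set maps constructed Windows Security and Sysmon events to several technique IDs from the table above, the way a detection engineer might prototype coverage: security log clearing (Security Event ID 1102, T1070.001), registry Run-key autostart entries (Sysmon Event ID 13, T1547), modification of a Group Policy container object in AD (Security Event ID 5136, T1484.001), and creation of files with the ".ClOP" extension (Sysmon Event ID 11, T1486). The event IDs are standard Windows/Sysmon identifiers; the JSON field names, host names, account names and paths are this example's own constructed schema and sample data.

```python
"""Toy detection rules: map normalised Windows/Sysmon events to ATT&CK
technique IDs from the Clop table.  Sample events are constructed."""
import json
import re

# Registry autostart locations relevant to T1547 (Run / RunOnce keys).
RUN_KEY_RE = re.compile(r"\\CurrentVersion\\Run(?:Once)?\\", re.IGNORECASE)

SYSMON = "Microsoft-Windows-Sysmon/Operational"
SECURITY = "Security"

# Constructed JSON-lines log; field names are this example's own schema.
SAMPLE_LOG = r"""
{"host": "ws01", "channel": "Microsoft-Windows-Sysmon/Operational", "event_id": 13, "target_object": "HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\\svc", "details": "C:\\ProgramData\\svc.exe"}
{"host": "ws01", "channel": "Security", "event_id": 4624, "logon_type": 2, "account": "alice"}
{"host": "dc01", "channel": "Security", "event_id": 5136, "object_class": "groupPolicyContainer", "account": "EXAMPLE\\Administrator"}
{"host": "ws02", "channel": "Microsoft-Windows-Sysmon/Operational", "event_id": 11, "target_filename": "C:\\Users\\bob\\Documents\\report.docx.ClOP"}
{"host": "ws02", "channel": "Security", "event_id": 1102, "account": "EXAMPLE\\Administrator"}
"""


def classify(event: dict) -> list:
    """Return the technique IDs (from the table) that a single event suggests."""
    hits = []
    channel = event.get("channel", "")
    eid = event.get("event_id")

    # T1070.001: the Security audit log was cleared.
    if channel == SECURITY and eid == 1102:
        hits.append("T1070.001")

    # T1547: a value was written under a Run/RunOnce autostart key.
    if channel == SYSMON and eid == 13 and RUN_KEY_RE.search(event.get("target_object", "")):
        hits.append("T1547")

    # T1484.001: a directory-service object of class groupPolicyContainer was modified.
    if channel == SECURITY and eid == 5136 and event.get("object_class", "").lower() == "grouppolicycontainer":
        hits.append("T1484.001")

    # T1486: a file with the Clop ".ClOP" extension was created (compared case-insensitively).
    if channel == SYSMON and eid == 11 and event.get("target_filename", "").lower().endswith(".clop"):
        hits.append("T1486")

    return hits


def scan(log_text: str) -> dict:
    """Map each host to the sorted, de-duplicated technique IDs observed on it."""
    findings = {}
    for line in log_text.splitlines():
        line = line.strip()
        if not line:
            continue
        event = json.loads(line)
        for tid in classify(event):
            findings.setdefault(event["host"], set()).add(tid)
    return {host: sorted(tids) for host, tids in sorted(findings.items())}


if __name__ == "__main__":
    for host, tids in scan(SAMPLE_LOG).items():
        print(f"{host}: {', '.join(tids)}")
```

Running the block prints one line per host with the techniques seen there; the benign interactive logon on ws01 produces no finding, while ws02 shows both the encryption artefact and the log clearing that typically follows it. Real deployments would add the discovery-phase rules (SMB admin-share logons, Cobalt Strike beacon patterns) and correlate across hosts, but even this small map makes the gaps in coverage against the table above visible.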
Security teams can watch out for the presence of the following malware tools and exploits that are typically used in Clop attacks:
| Initial Entry | Execution | Discovery | Privilege Escalation | Lateral Movement | Command and Control | Defense Evasion | Exfiltration |
| --- | --- | --- | --- | --- | --- | --- | --- |
Despite last year’s arrests of alleged members of the Clop ransomware cartel in Ukraine, our detections of this ransomware indicate that the group is still a potential threat and might strike anytime. Moreover, the operators behind Clop are known to regularly change their TTPs, which means that expecting them to sharpen the proverbial saw is par for the course. It is therefore best to stay vigilant and armed with the knowledge that ransomware operators are always waiting for a chance to pounce on their next victim.
To protect systems against similar threats, organizations can establish security frameworks that allocate resources systematically for establishing a strong defense strategy against ransomware.
Here are some best practices that organizations can consider:
A multilayered approach can help organizations guard the possible entry points into the system (endpoint, email, web, and network). Security solutions that detect malicious components and suspicious behavior could also help protect enterprises.