The CL0P ransomware rampage: Security measures for 2024

CL0P growth 2023

CL0P first appeared in early 2019 as a more advanced descendant of the “CryptoMix” ransomware family and is operated by a cybercriminal organization of the same name. The group remained active with significant campaigns from 2020 to 2022, but in 2023 it reached new heights and became one of the most active and successful ransomware operations in the world.

It has exploited numerous vulnerabilities to compromise some of the largest organizations in the world. The allegedly Russian gang took its name from the Russian word “klop” (“bedbug”), and the name is often written as “CLOP” or “cl0p”. Once a victim’s files are encrypted, the “.clop” extension is appended to them.

CL0P methods and tactics

The CL0P ransomware group (closely associated with the TA505, FIN11 and UNC2546 cybercrime groups) became renowned for the extremely destructive and aggressive campaigns it ran against large organizations around the world throughout 2023. A “big game hunter”, the group has applied its “steal, encrypt and leak” method to numerous large companies, with a particular interest in the financial, manufacturing and healthcare sectors.

CL0P operates a Ransomware-as-a-Service (RaaS) model and uses the “steal, encrypt and leak” tactics common among ransomware affiliates worldwide. If victims fail to comply with the demands, their data is published on the Tor-hosted data leak site known as “CL0P^_-LEAKS”. Like many other Russian-speaking cyber gangs, CL0P designs its ransomware not to run on devices located in the CIS (Commonwealth of Independent States).

LockBit also operates under a Ransomware-as-a-Service (RaaS) model.

‘In short, this means that affiliates make a deposit to use the tool, then split the ransom payment with the LockBit group. It has been reported that some affiliates receive a share of up to 75%. The operators of LockBit have posted advertisements for their affiliate program on Russian-language criminal forums stating that they will not operate in Russia or any CIS country, nor will they work with English-speaking developers unless a Russian-speaking “guarantor” vouches for them.’ – “The prolificacy of the LockBit ransomware”

SecurityHQ’s Global Threat Landscape 2024 prediction discussed CL0P’s resurgence in the ransomware landscape and named the group as one to watch in 2024.

3rd most prolific group of 2023

By examining leak-site data, including “CL0P^_-LEAKS”, SecurityHQ’s threat intelligence team gathered data on cybercriminal gangs around the world and visualized the extent of the increase in CL0P’s activity during 2023. The gang’s move from outside the ranks of the major active ransomware groups in 2022 to the third most prolific group in 2023 should not be taken lightly.

[Figure: The fury of ransomware. ©2024 SecurityHQ, SecurityHQ data on threat groups in 2023]

Latest activities

In late January and early February 2023, the CL0P ransomware group exploited a zero-day vulnerability in Fortra’s GoAnywhere MFT. Tracked as CVE-2023-0669, the flaw allowed attackers to gain remote code execution (RCE) on unpatched, Internet-facing instances of the software. Fortra issued an emergency patch within about a week of its advisory, but by then the group had already claimed to have compromised over 100 organizations. The lesson for defenders is that the vulnerable administrative interface should not have been reachable from the Internet in the first place; Fortra’s interim mitigation was to disable the affected servlet on exposed instances.

In April, Microsoft identified two ransomware groups, CL0P and LockBit, exploiting CVE-2023-27350 and CVE-2023-27351 in the print management software PaperCut, which is widely deployed in schools and large enterprises around the world. Through these flaws the groups delivered the TrueBot malware that the same actors had been using for months beforehand. PaperCut is a perfect target for a group like CL0P, whose tactics have shifted from file encryption alone to data theft as a further lever for extortion: PaperCut’s “Print Archiving” feature stores copies of the jobs and documents sent through the server, so compromising the server hands the attacker a ready-made archive of an organization’s printed documents.

The group’s most significant campaign came in May, when it exploited a previously unknown SQL injection vulnerability in the widely used MOVEit Transfer product and the MOVEit Cloud service (CVE-2023-34362; Progress later disclosed further SQL injection flaws in the product, including CVE-2023-35036). CL0P moved extremely quickly through vulnerable systems, extracting sensitive data from some of the world’s largest organizations (the BBC, Ernst & Young, PwC, Gen Digital, British Airways, TfL, Siemens and many more). The group claimed to have deleted all data taken from governments, militaries and hospitals, but as several US government agencies were hit through the MOVEit breach, the US government has offered a reward of up to $10 million for information linking CL0P to a foreign government.

Lasting impact of quadruple extortion

The group not only played a major role in the influx of ransomware activity throughout 2023 but was also one of the main drivers of the sharp increase in average ransomware payouts.

CL0P operators are renowned for going to great lengths to get their message across. If a victim ignores their messages after the group has publicly shown proof of the breach and posted data on the leak site, the operators approach the victim’s stakeholders and executives directly to ensure their demands are met. This is one component of what is known as quadruple extortion.

From single to double, double to triple and now quadruple extortion, it is fair to say that ransomware gangs will not stop until they get what they came for. Like double and triple extortion before it, quadruple extortion adds a new layer of pressure, which comes in two main forms.

  1. DDoS attacks, which aim to knock an organization’s online presence offline until the ransom is paid.
  2. Harassment of stakeholders (customers, media, employees, etc.), which increases the pressure on decision makers.

Best defense against CL0P

To defend against CL0P throughout 2024, SecurityHQ recommends:

  • Pay attention to your landscape and your environment. Establish what is normal for your environment and what is not, so that you can act quickly when something deviates.
  • Develop and review your incident response plan, with clear steps outlined so that actions are already defined for a worst-case scenario.
  • Ensure threat monitoring is in place to identify threats quickly.
  • Review current cybersecurity practices to ensure best practices are followed, in particular the Internet exposure and patch state of file transfer and print management software of the kind CL0P exploited in 2023.
  • Those most at risk, for example organizations operating in the sectors specifically targeted by CL0P (finance, manufacturing, healthcare) or those holding sensitive data, should work with an MSSP to ensure best security practices are in place.
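The first recommendation above, knowing what normal looks like so that bulk data theft from a file-transfer host stands out, is easier to act on with a concrete baseline. The following Python script is an added example and not SecurityHQ’s code: it reads constructed egress-log lines in an assumed `date host destination bytes` format, baselines each host’s daily outbound volume with a median and MAD (so the spike itself cannot inflate the baseline), and flags days that break the host’s own pattern together with any destination the host had never contacted before. The host names, destinations and volumes are constructed for the example.

```python
"""Baseline each host's daily outbound volume and flag days that break the pattern.

Added example, not SecurityHQ code. Input is a constructed egress log in an
assumed whitespace-separated format:
    <YYYY-MM-DD> <source_host> <destination> <bytes_out>
"""
from collections import defaultdict
from statistics import median

# Constructed sample log (hypothetical hosts; the suspicious destination is an
# RFC 5737 documentation address). mft-01 is a file-transfer server that normally
# sends a few MB a day to a backup host; on the last day it pushes ~41 GB to an
# address it has never contacted before. ws-17 is a quiet workstation.
SAMPLE_LOG = """\
2023-05-22 mft-01 10.0.5.20 100000
2023-05-22 mft-01 backup.corp.example 3400000
2023-05-23 mft-01 10.0.5.20 110000
2023-05-23 mft-01 backup.corp.example 3500000
2023-05-24 mft-01 10.0.5.20 105000
2023-05-24 mft-01 backup.corp.example 3450000
2023-05-25 mft-01 10.0.5.20 120000
2023-05-25 mft-01 backup.corp.example 3600000
2023-05-26 mft-01 10.0.5.20 115000
2023-05-26 mft-01 backup.corp.example 3380000
2023-05-27 mft-01 10.0.5.20 130000
2023-05-27 mft-01 backup.corp.example 3700000
2023-05-28 mft-01 10.0.5.20 108000
2023-05-28 mft-01 backup.corp.example 3420000
2023-05-28 mft-01 198.51.100.77 41000000000
2023-05-22 ws-17 10.0.5.20 50000
2023-05-23 ws-17 10.0.5.20 50000
2023-05-24 ws-17 10.0.5.20 50000
2023-05-25 ws-17 10.0.5.20 50000
2023-05-26 ws-17 10.0.5.20 50000
2023-05-27 ws-17 10.0.5.20 50000
"""


def parse_log(text):
    """Parse log lines into dicts; skips blank and comment lines."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        date, host, dst, nbytes = line.split()
        records.append({"date": date, "host": host, "dst": dst, "bytes": int(nbytes)})
    return records


def daily_egress(records):
    """Map host -> date -> total bytes sent that day."""
    totals = defaultdict(lambda: defaultdict(int))
    for r in records:
        totals[r["host"]][r["date"]] += r["bytes"]
    return totals


def robust_baseline(values):
    """Median and median absolute deviation (MAD): one huge day cannot drag the
    baseline up the way a mean and standard deviation would."""
    med = median(values)
    mad = median([abs(v - med) for v in values])
    return med, mad


def find_egress_outliers(records, k=5.0, min_days=5):
    """Leave-one-out check: compare each day against the host's OTHER days.

    Returns one alert per (host, day) whose volume exceeds median + k*MAD, with
    the destinations contacted that day that the host had never contacted before.
    """
    alerts = []
    for host, by_day in daily_egress(records).items():
        days = sorted(by_day)
        if len(days) < min_days:
            continue  # not enough history to say what "normal" is
        for day in days:
            med, mad = robust_baseline([by_day[d] for d in days if d != day])
            # A perfectly flat history gives MAD == 0; fall back to 10% of the
            # median so the threshold never collapses onto the median itself.
            spread = mad if mad > 0 else 0.1 * med
            if by_day[day] <= med + k * spread:
                continue
            prior = {r["dst"] for r in records if r["host"] == host and r["date"] < day}
            today = {r["dst"] for r in records if r["host"] == host and r["date"] == day}
            alerts.append({
                "host": host,
                "date": day,
                "bytes": by_day[day],
                "baseline": med,
                "new_destinations": sorted(today - prior),
            })
    return alerts


if __name__ == "__main__":
    for a in find_egress_outliers(parse_log(SAMPLE_LOG)):
        print(f"{a['date']} {a['host']}: {a['bytes']:,} bytes out "
              f"(baseline {a['baseline']:,.0f}); new destinations: {a['new_destinations']}")
```

Run as-is it reports a single alert, for mft-01 on 2023-05-28, and stays silent on the quiet workstation and on mft-01’s ordinary day-to-day variation. In production the same logic would run over proxy, firewall or NetFlow summaries rather than a string constant, and the alert would be routed into the monitoring the remaining bullets call for; the leave-one-out baseline and the “new destination” check are the two parts worth keeping.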

Threat intelligence for the future

SecurityHQ’s Threat Intelligence team is a cohesive global unit dedicated to Cyber Threat Intelligence. The team focuses on researching emerging threats and monitoring the activities of threat actors, ransomware groups and campaigns in order to stay ahead of potential risks. In addition to investigative work, the team provides actionable threat intelligence and research that enriches the understanding of SecurityHQ customers around the world, giving them the intelligence they need to navigate the complexities of the cybersecurity threat landscape with confidence.

To learn more about these threats, talk to an expert here. Or, if you suspect a security incident, you can report an incident here.

Note: This article was written by Patrick McAteer, Cyber Threat Intelligence Analyst at SecurityHQ Dubai, who specializes in analyzing the evolution of cyber threats, identifying risks and producing actionable intelligence reports to enhance proactive defense.
