Cracking CLOP: Inside the Tactics of Cybercrime's Most Wanted

Introduction

The CLOP cybercrime group has emerged as a formidable adversary. Known for its sophisticated attack strategies and relentless pursuit of financial gain, CLOP has left its mark on the cybersecurity field. One of their most recent and notorious exploits involves the MOVEit software, a widely used secure file transfer solution. The MOVEit attack, which has affected 418 organizations and 22 million individuals as of July 23, 2023, underscores the group's ability to exploit vulnerabilities in popular software and inflict significant damage. This article aims to delve into the intricacies of CLOP's operations, shedding light on their tactics, techniques, and procedures, and exploring the financial aspects of their operations. By understanding the modus operandi of groups like CLOP, we can better prepare and defend against such threats.

The Genesis of CLOP

The CLOP cybercrime group, a notorious player in the cyber threat landscape, has its roots in the CryptoMix ransomware family. First identified in February 2019, CLOP quickly gained notoriety for its high-profile attacks and innovative extortion techniques. The group's operations have evolved significantly since its inception, with a marked shift towards targeted campaigns against large organizations and the adoption of double extortion practices.

CLOP's evolution has been marked by its ability to adapt to changing circumstances and exploit new opportunities. The group has shown a remarkable ability to leverage vulnerabilities in popular software, as evidenced by its exploitation of the MOVEit software. This attack, which affected 418 organizations and 22 million individuals as of July 23, 2023, underscores the group's ability to cause widespread disruption and inflict significant damage.

The group's evolution has not been without its challenges. In recent years, law enforcement agencies worldwide have stepped up their efforts to combat cybercrime, leading to several arrests and charges against members of the CLOP group. Despite these setbacks, the group has continued its operations, demonstrating its resilience and adaptability.

CLOP's Modus Operandi

CLOP, a variant of the CryptoMix ransomware family, has been active since 2014 and has evolved into one of the most notorious ransomware groups. The group is known for its constantly changing tactics, techniques, and procedures (TTPs), which have allowed it to successfully compromise high-profile organizations worldwide.

Vulnerability Exploitation

The CLOP group has been known to exploit various CVEs and zero-days to gain unauthorized access to systems and deploy their ransomware. A notable example is the MOVEit vulnerability (CVE-2023-34362), a SQL injection vulnerability that was actively exploited by the group. The vulnerability was first detected on May 27, 2023, and by May 31, Progress Software, the company behind MOVEit, began warning customers about it.

The group exploited this vulnerability to deploy a custom ASP.NET web shell, named LemurLoot, to achieve persistence on victim networks and allow for further attacks. The full details of the exploit are not publicly available, but it is known that the attackers used the vulnerability to exfiltrate sensitive files stored on vulnerable servers.

In addition to exploiting known vulnerabilities, CLOP has also been observed using a variety of malware types in their operations. For example, they have been known to use the KillDisk wiper to destroy data and disrupt systems, making recovery more difficult. They also use a custom ransomware variant, known as CLOP ransomware, to encrypt files on compromised systems.

The execution of a typical CLOP attack involves several stages. Initially, the group gains initial access to a target network, often through phishing emails or by exploiting known vulnerabilities. Once inside, they move laterally through the network, escalating their privileges and gaining access to more systems. They then deploy their ransomware to encrypt files and demand a ransom from the victim.

In a more recent development, the CLOP ransomware has evolved to include a process killer that targets a wide range of processes, including those belonging to Windows 10 apps, text editors, programming languages, and office applications. This feature is designed to disable security software and prevent any files from being open, which could interfere with the encryption process. Some of the processes targeted by this feature include the Android Debug Bridge, Notepad++, Microsoft Edge, and even the Windows Calculator.

Tactics, Techniques, and Procedures (TTPs)

CLOP's operations are characterized by a multi-stage attack process that begins with a large-scale spear-phishing email campaign. The group sends spam emails with HTML attachments that redirect recipients to a macro-enabled document, such as an XLS file. This file is used to drop a loader named Get2, which facilitates the download of various tools such as SDBot, FlawedAmmyy, and Cobalt Strike.

Once the malicious actors gain access to the system, they proceed with reconnaissance, lateral movement, and data exfiltration to set the stage for the deployment of the CLOP ransomware. The group is known for targeting a victim's entire network rather than individual computers. This is achieved by hacking into the Active Directory (AD) server before the ransomware infection to determine the system's group policy, allowing the ransomware to persist in the endpoints even after incident responders have cleaned them up.

CLOP has also been observed using a variety of malware in its operations. For instance, it has used AZORult, a data-stealing malware, and Cobalt Strike, a threat emulation tool, to infiltrate and control victim networks. The group has also used malware to disable Windows Defender, thereby reducing the target's defenses.

In terms of particular TTPs CLOP's tactics and techniques are diverse and continually evolving, making them a formidable adversary. They are known to employ a range of methods to gain initial access to their targets, including spear-phishing emails, exploiting public-facing applications, and using valid accounts that they have either compromised or created themselves.

Once they have gained initial access, they often use techniques such as Process Injection (T1055) and PowerShell (T1059.001) to execute their malicious code. They also use Command and Scripting Interpreter (T1059) to interact with systems.

CLOP actors are known to use a variety of tools in their operations. For instance, they have been observed using the FlawedAmmyy Remote Access Trojan (RAT) for command and control (C2) communication. They also use SDBot to drop copies of itself on removable drives and network shares.

In terms of persistence, the group uses Scheduled Task/Job (T1053) and Create or Modify System Process: Windows Service (T1543.003) to maintain their foothold within the compromised systems.

The group is also known for their use of data encryption and exfiltration techniques. They often exfiltrate data over C2 channels (T1041) before deploying their ransomware.

Malware Types Used

CLOP ransomware is the primary malware used by the group. It appends the ".CLOP" or ".cl0p" extension to the files it encrypts. The group has also used a variety of other malware types, including AZORult for data theft and Cobalt Strike for network control.

In addition to ransomware, the group has used tools such as AdFind, BloodHound, Mimikatz, and PowerSploit in its operations. These tools are used for various purposes, including Active Directory reconnaissance (AdFind), network mapping (BloodHound), credential dumping (Mimikatz), and Windows exploitation (PowerSploit).

Execution Process

The execution process of a CLOP attack typically involves several stages. Initially, the group uses spear-phishing emails to deliver the initial payload to the victim. The emails contain malicious attachments or links that, when clicked, redirect the victim to a macro-enabled document. This document then drops a loader onto the victim's system, which downloads additional malware.

Once the group has gained access to the victim's system, they perform reconnaissance to gather information about the network. They then move laterally across the network, gaining access to additional systems and escalating their privileges. During this stage, the group uses tools such as Mimikatz to dump credentials and gain access to other systems.

After gaining sufficient access and control over the network, the group deploys the CLOP ransomware. This ransomware encrypts files on the victim's system and appends a specific extension to the encrypted files. The group then demands a ransom from the victim in exchange for the decryption key.

Throughout the attack process, the group uses various techniques to evade detection and maintain persistence on the victim's network. For instance, they use malware to disable security tools like Windows Defender and modify the system's group policy to ensure the ransomware persists on the endpoints.

In summary, CLOP's modus operandi involves a multi-stage attack process that leverages spear-phishing emails, various types of malware, and sophisticated techniques to infiltrate networks, evade detection, and carry out successful ransomware attacks.

The Financial Aspect

CLOP's operations have proven to be highly lucrative, with estimated payouts reaching $500 million as of November 2021. The group's monetization methods have evolved over time, shifting from simple ransom demands to more sophisticated double extortion techniques. These involve not only encrypting the victim's data but also threatening to leak stolen information if the ransom is not paid.

In a recent report, Coveware, a prominent cyber incident response company, estimated that the CLOP gang is expected to earn between $75-100 million from extorting victims of their massive MOVEit data theft campaign. Despite a decrease in the number of victims paying ransoms, falling to a record low of 34%, CLOP has adapted its strategy. The group now demands far more significant ransom amounts than previously seen in data exfiltration attacks, hoping that a few large payments will overcome the overall decline.

The MOVEit campaign alone is expected to net the group a staggering $75-100 million, with that sum coming from just a small handful of victims that succumbed to very high payments. This significant financial gain underscores the lucrative nature of cybercrime and the immense financial threat posed by groups like CLOP.

The financial success of the CLOP group is an excellent example of the potential profitability of cybercrime. It also underscores the importance of robust cybersecurity measures and the need for organizations to understand the financial motivations behind these attacks. By understanding these motivations, organizations can better prepare for and defend against such threats.

The Impact of CLOP's Activities

The activities of the CLOP group have had far-reaching impacts, causing significant financial losses and operational disruptions for businesses across various sectors. The group's high-profile attacks have also raised global awareness of the threat posed by sophisticated cybercrime groups and highlighted the need for robust cybersecurity measures.

The MOVEit attack, in particular, has had a profound impact on a global scale. As of July 23, 2023, the known victims of the MOVEit attack include 418 organizations and 22 million individuals. The victims span across various industries and countries, with the United States being the most affected, accounting for 294 of the total known victims. The public sector and educational institutions have been particularly targeted, with 22 and 81 known victims in the U.S., respectively.

The MOVEit attack has also led to a cascade effect, with central service providers being hit and subsequently affecting companies that use their services. For instance, the UK-based payroll and HR company Zellis was directly hit, and major companies using Zellis services, such as the BBC and British Airways, were impacted indirectly. This cascading effect amplifies the impact of the attack, affecting numerous companies and organizations in several ways.

The impact of the CLOP group's activities extends beyond financial losses. The group's operations have led to the compromise of sensitive data, including personally identifiable information (PII), which can be used for further malicious activities such as business email compromise (BEC) and phishing attacks. The group's activities have also disrupted operations, caused reputational damage, and led to regulatory scrutiny and potential legal implications for the affected organizations.

Mitigation and Defense Strategies

Understanding the tactics, techniques, and procedures (TTPs) of the CLOP group is crucial for developing effective mitigation and defense strategies. The following are some of the strategies that can help organizations protect themselves against CLOP attacks:

1. Blocking Indicators of Compromise (IOCs): Regularly update IOC lists with hashes, domains, and IPs related to CLOP. These can be used to set up alerts and block any detected threats in the network immediately.
2. TTP-based Detection: Tactics, Techniques, and Procedures (TTPs) based detection focuses on identifying the behavior patterns of cybercriminals. By understanding and recognizing the methods used by groups like CLOP, organizations can anticipate potential attack strategies and take steps to prevent them. This approach requires continuous monitoring and analysis of network activity to identify any unusual or suspicious behavior that could indicate a potential threat. It is considered more proactive and comprehensive than simply blocking Indicators of Compromise (IoCs), which are specific attributes of an attack that cybercriminals can easily change to evade detection. To achieve this you will need following data: Network traffic data, Logs from servers, firewalls, and other network devices, endpoint data, cyber threat intelligence data, user behavior data.
3. Endpoint Isolation: If an attack is detected or a system is compromised, the immediate action should be to isolate the system. This involves taking proper logs, evaluating the situation, and remediating the issue. Endpoint detection and response (EDR) tools can be used for this purpose.
4. Service Disabling: In some cases, it may be necessary to disable certain services on a machine via Remote Desktop Protocol (RDP) to prevent further exploitation.
5. Phishing Investigation: Given that phishing is a common method used by CLOP for initial access, it's important to investigate any suspicious emails or requests. Tools like Virus Total API, MaxMind, Whois API, and CyberTotal can be used for this purpose.
6. Regular Backups: Regularly backing up data on external drives or a remote cloud can help minimize lockout during ransomware attacks. It's also recommended to scan backup data with an antivirus program to ensure it's free of malware.
7. Cyber Awareness and Training: One of the key defenses against these attacks is cyber awareness and training. Ensuring that all employees are aware of the risks and know how to identify potential threats can significantly reduce the likelihood of successful attacks.
8. System Patching: Regularly updating and patching systems can help protect against known vulnerabilities that CLOP might exploit.
9. Incident Investigation and Response: Upon detecting traces of exploitation, analysts should isolate the host where the attack is taking place and initiate an incident response. This involves planning and conducting cybersecurity incident and vulnerability response activities, detailing each step for both incident and vulnerability detection.

Conclusion

The activities of the CLOP group exemplify the changing nature of cyber threats and the advanced techniques employed by modern cybercriminal groups. Their ability to exploit vulnerabilities, adapt to new opportunities, and employ sophisticated tactics underscores the evolving and complex nature of the cyber threat landscape.

In light of these developments, it is imperative for organizations to prioritize cybersecurity. This involves not only implementing robust security measures but also fostering a culture of cybersecurity awareness. Organizations need to stay abreast of the latest threats and adapt their defenses accordingly. This includes regular software updates and patches, employee education, and the use of advanced threat detection and response solutions.

Moreover, organizations should not underestimate the importance of a proactive approach to cybersecurity. This involves identifying potential vulnerabilities and addressing them before they can be exploited. It also means being prepared for a potential breach and having a response plan in place.

The future of cybercrime is likely to see groups like CLOP continue to innovate and adapt their tactics. As such, the need for robust cybersecurity measures and a proactive approach to threat mitigation will only become more critical.

In conclusion, the activities of groups like CLOP highlight the importance of cybersecurity preparedness and the need for continuous adaptation in the face of evolving threats. By understanding the tactics, techniques, and procedures of these groups, we can better defend against them and foster a safer cyber environment for all.

References

For further reading, please refer to the following sources:

1. CISA Advisory on CLOP Ransomware
2. Bleeping Computer: CLOP Gang to Earn Over $75 Million from MOVEit Extortion Attacks
3. Security Week: MOVEit Hack Number of Impacted Organizations Exceeds 340
4. MITRE ATT&CK: CLOP
5. Bleeping Computer: CLOP Now Leaks Data Stolen in MOVEit Attacks on Clearweb Sites
6. McAfee Labs: CLOP Ransomware
7. Trend Micro: Ransomware Spotlight: CLOP
8. Unit 42: CLOP Ransomware