Threat Research: Cl0p Ransomware Increases Activity 

Summary  

Cl0p ransomware, which operates under a Ransomware-as-a-Service (RaaS) model, has targeted over 90 organizations worldwide, with more than 50 of these attacks occurring within the United States. In March 2023, the Cl0p leak site listed 91 victims, which is an increase of over 65% in the total number of attacks between August 2020 and February 2023. It is assessed that this sudden increase in ransomware attacks is likely associated with the group’s exploitation of the zero-day vulnerability CVE-2023-0669. This vulnerability affects Fortra’s GoAnywhere MFT, which suffers from a pre-authentication command injection in the License Response Servlet because it deserializes an arbitrary attacker-controlled object. Additionally, Cl0p previously encrypted compromised networks after data exfiltration, but it does not appear to be doing so in these recent attacks.

Background 

Cl0p ransomware was discovered in 2019 and became notorious due to its advanced techniques. The ransomware is a successor to CryptoMix ransomware, which is believed to have originated in Russia and is frequently used by various Russian affiliates, including FIN11. Originally, the main targets of this group were larger organizations that had an annual income of $5 million USD or higher. Threat actors would use Cl0p ransomware to infiltrate a targeted system and encrypt network files. A ransom note would then be left on the system demanding payment in exchange for a decryption key. If the ransom was not paid, the information would be posted on Cl0p’s leak site or sold to other threat actors. The Cl0p ransomware group is financially motivated and known for its attacks on government agencies and private sector companies.

Attack Pattern 

Cl0p ransomware spreads through various methods, such as phishing emails that contain harmful attachments or links, unprotected RDP, and exploit kits. Once initial access is gained, the ransomware can be launched by three distinct methods:

  1. Execution with a “runrun” parameter, which encrypts only the network drives. When the malware is launched using this method, it creates two threads. The first thread scans all network shares, including network file managers, backup applications, and printer management tools, and then encrypts them. If the first thread cannot be executed, a second thread is used, which targets the user’s Outlook, Word, or Office folders.
  2. Use of a file “temp.ocx” as a parameter that contains a list of the file(s) to be encrypted. This method relies on the command line argument to list the file(s) to be targeted. If the file(s) are opened successfully, the document(s) are encrypted.
  3. Launch without any parameters, which encrypts all local and network drives. This requires that the ransomware can be installed as a service. If the ransomware cannot be installed as a service, the code terminates itself. If installation succeeds, a mutex is generated, which ensures that multiple threads cannot write to shared memory concurrently. At this stage the ransomware enumerates all active processes on the system and begins encrypting all local and network drives.
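The three launch methods above leave different traces in process-creation and service-install telemetry. The following detection logic is an added example, not code from Critical Start or from the Cl0p analysis. The sample events, the executable name upd.exe, the service name, and the rule that a parameterless launch is reported only when the same image is then installed as a service on the same host are assumptions made for illustration.

```python
import json
import re
import shlex

# Constructed sample events (not real telemetry). Field names follow Sysmon
# Event ID 1 (process creation) and System log Event ID 7045 (service
# installed). upd.exe and ExampleSvc are placeholder names, not indicators.
SAMPLE_EVENTS = r'''
{"EventID": 1, "Host": "ws01", "Image": "C:\\Users\\Public\\upd.exe", "CommandLine": "C:\\Users\\Public\\upd.exe runrun"}
{"EventID": 1, "Host": "ws02", "Image": "C:\\Users\\Public\\upd.exe", "CommandLine": "\"C:\\Users\\Public\\upd.exe\" C:\\ProgramData\\temp.ocx"}
{"EventID": 1, "Host": "ws03", "Image": "C:\\Users\\Public\\upd.exe", "CommandLine": "C:\\Users\\Public\\upd.exe"}
{"EventID": 7045, "Host": "ws03", "ServiceName": "ExampleSvc", "ImagePath": "C:\\Users\\Public\\upd.exe"}
{"EventID": 1, "Host": "ws04", "Image": "C:\\Windows\\System32\\notepad.exe", "CommandLine": "C:\\Windows\\System32\\notepad.exe"}
{"EventID": 1, "Host": "ws05", "Image": "C:\\Windows\\System32\\regsvr32.exe", "CommandLine": "regsvr32.exe /s C:\\app\\mytemp.ocx.bak"}
'''

def load_events(text):
    """Parse one JSON event per non-empty line."""
    return [json.loads(line) for line in text.strip().splitlines()]

def args_of(command_line):
    """Split a Windows command line and return the lowercased arguments."""
    try:
        tokens = shlex.split(command_line, posix=False)  # keeps backslashes
    except ValueError:  # unbalanced quote: fall back to whitespace split
        tokens = command_line.split()
    return [t.strip('"').lower() for t in tokens[1:]]

def classify(events):
    """Return (host, launch method) findings, in event order."""
    findings, bare_launches = [], set()
    for ev in events:
        host = ev["Host"]
        if ev["EventID"] == 1:
            args = args_of(ev["CommandLine"])
            if "runrun" in args:
                findings.append((host, "runrun: network drives only"))
            elif any(re.split(r"[\\/]", a)[-1] == "temp.ocx" for a in args):
                findings.append((host, "temp.ocx: file list"))
            elif not args:
                bare_launches.add((host, ev["Image"].lower()))
        elif ev["EventID"] == 7045:
            # Assumed correlation: parameterless launch, then same image as service.
            if (host, ev["ImagePath"].strip('"').lower()) in bare_launches:
                findings.append((host, "no parameters: installed as service"))
    return findings

if __name__ == "__main__":
    for finding in classify(load_events(SAMPLE_EVENTS)):
        print(finding)
```

Matching is done on whole argument tokens and file base names, so the benign notepad launch and the regsvr32 call on mytemp.ocx.bak in the sample are not reported.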

Targeted Technology 

Linux Endpoint OS and Windows Endpoint OS 

Targeted Industries 

The United States is the primary target of the Cl0p ransomware group, which has victimized a broad range of industries, including education, energy, finance, government, healthcare, software and IT, and telecom organizations.

Conclusion 

The significant increase in attacks by the Cl0p ransomware group indicates a renewed effort to exploit organizations within the United States. It is likely that the threat actors will continue to exploit organizations that have not patched the CVE-2023-0669 vulnerability and will seek out other known flaws to exploit. It is also highly likely that the Cl0p ransomware group will increase its activity throughout 2023. It is recommended that organizations perform regular backups and keep those backups offline or on a separate network. Additionally, companies should train their employees to refrain from opening untrusted links and email attachments without verifying their authenticity.

The Critical Start Cyber Threat Intelligence (CTI) team will continue to monitor the situation and work closely with the Threat Detection Engineering (TDE) team and the SOC to implement any relevant detections. For future updates, the CTI team will post via ZTAP® Bulletins and on the Critical Start Intelligence Hub. 
 

