Clop ransomware is file-encrypting malware that has been active since 2019. It belongs to the CryptoMix ransomware family and is used to exploit vulnerable systems and encrypt stored files, appending the “.Clop” extension to each encrypted file.
Clop Ransomware and TA505
Clop ransomware is an example of ransomware-as-a-service (RaaS) and is linked to the Russian threat group known as TA505, which has been active since at least 2014. This group is known for its sophisticated tactics, techniques, and procedures (TTPs) and for conducting large-scale cybercrime campaigns, including distributing malware, launching phishing attacks, and carrying out financially motivated cyberattacks against businesses, governments, and other organisations globally.
TA505 has been linked to several high-profile campaigns, including the Dridex banking trojan and Locky ransomware. In addition to its technical expertise, TA505 is known for its highly effective and well-executed operations. The group has been observed using a network of proxy servers and compromised devices to evade detection and carry out attacks on a massive scale.
While TA505 has been associated with the distribution of Clop, ransomware gangs often collaborate or purchase malware tools and services from one another on the dark web. This means that the direct involvement of TA505 members in every Clop ransomware attack may vary, but their association with the distribution of the ransomware has been documented by cybersecurity researchers.
The combination of Clop ransomware's sophisticated encryption techniques and TA505's extensive distribution network has made it a significant threat to organisations of all sizes, highlighting the importance of robust cybersecurity measures and preparedness to mitigate the risk of falling victim to such attacks.
Don’t Worry C|0P
One distinguishing feature of Clop ransomware is the string “Don't Worry C|0P” found in the ransom notes. In March 2021, Clop attacked the well-known cybersecurity compliance company Qualys to steal client data. Retail, transportation, education, manufacturing, engineering, automotive, energy, financial, aerospace, telecommunications, professional and legal services are among the industries affected by Clop ransomware. The ransomware is usually spread via spam email attachments, trojans, unprotected Remote Desktop Protocol (RDP) connections, and malicious websites.
How Does Clop Ransomware Operate?
Clop ransomware operates like many others of its type but with some notable characteristics and tactics:
- Initial infection: Clop ransomware typically enters a system through phishing emails, malicious attachments, or exploit kits. These emails often contain seemingly legitimate content or attachments, such as invoices, job offers, or shipping notifications, designed to trick users into opening them.
- Payload execution: Once a user opens the malicious attachment or interacts with the compromised website, the Clop ransomware payload is executed on the victim's system. The malware then begins its malicious activities.
- File encryption: Clop ransomware employs strong encryption algorithms, such as RSA and AES, to encrypt files on the victim's system. It targets a wide range of file types, including documents, images, videos, and databases. Encrypted files become inaccessible to the victim without the decryption key.
- Data exfiltration: One distinctive feature of Clop ransomware is its capability to exfiltrate sensitive data from the victim's system before encryption. This stolen data may include financial records, intellectual property, or personally identifiable information (PII).
- Ransom note: After encrypting the victim's files, Clop ransomware typically leaves a ransom note on the system. This note contains instructions on how to pay the ransom, usually in cryptocurrency such as Bitcoin, to receive the decryption key. It also often includes threats of further consequences if the ransom is not paid, such as publishing the stolen data.
- Communication with the operators: Victims are usually instructed to contact the operators of the ransomware through email or a Tor hidden service to negotiate the ransom payment and receive decryption instructions.
- Ransom payment and decryption: If the victim decides to pay the ransom, the operators provide decryption tools or keys to unlock the encrypted files. However, there is no guarantee that paying the ransom will result in the recovery of files, and payment may also encourage further criminal activity.
Overall, Clop ransomware operates as a sophisticated and destructive form of malware that poses a significant threat to organisations and individuals alike.
The Clop operators are believed to be based somewhere within the Commonwealth of Independent States (CIS), as the ransomware avoids systems that use CIS-country keyboard layouts or carry file metadata in Russian. The ransomware has been observed to combine a “spray and pray” approach with a more targeted approach: it runs large-scale phishing campaigns and then selects which of the compromised networks to monetise.
Red Piranha has observed that the threat actors are actively exploiting a remote code injection vulnerability in GoAnywhere MFT, Fortra’s secure managed file transfer solution. Research shows that more than 1000 systems worldwide have administrative ports that may be vulnerable to this zero-day exposed to the public Internet. Truebot has also been observed actively exploiting this vulnerability.
CLOP Ransomware - Indicators of Compromise (IOCs)

| Type | Value |
|---|---|
| SHA256 | c042ad2947caf4449295a51f9d640d722b5a6ec6957523ebf68cddb87ef3545c |
| SHA256 | 0e3a14638456f4451fe8d76fdc04e591fba942c2f16da31857ca66293a58a4c3 |
| SHA256 | c9b874d54c18e895face055eeb6faa2da7965a336d70303d0bd6047bec27a29d |
| IPv4 | 5.188.206[.]76 |
| IPv4 | 92.118.36[.]213 |
| Domain | qweastradoc[.]com |
| File name | gamft.dll |
| File name | larabqFa.exe |
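As an added illustration (not part of the original report), the Python script below loads the IOCs from the table above, re-fangs the defanged values, and scans log lines for matches while avoiding partial hits such as a longer IP address that merely contains one of the indicators. The sample log lines, host names and internal addresses are constructed for this example and are not from a real incident.

```python
import re

# IOCs from the table above, kept in the page's defanged "[.]" notation.
CLOP_IOCS = {
    "sha256": {
        "c042ad2947caf4449295a51f9d640d722b5a6ec6957523ebf68cddb87ef3545c",
        "0e3a14638456f4451fe8d76fdc04e591fba942c2f16da31857ca66293a58a4c3",
        "c9b874d54c18e895face055eeb6faa2da7965a336d70303d0bd6047bec27a29d",
    },
    "ipv4": {"5.188.206[.]76", "92.118.36[.]213"},
    "domain": {"qweastradoc[.]com"},
    "filename": {"gamft.dll", "larabqFa.exe"},
}

def refang(indicator: str) -> str:
    """Undo defanging ("[.]" -> ".", "hxxp" -> "http") so values match raw logs."""
    return indicator.replace("[.]", ".").replace("hxxp", "http")

def build_patterns(iocs: dict) -> dict:
    """One case-insensitive regex per IOC type. The lookarounds keep 5.188.206.76
    from matching inside 15.188.206.76, but a preceding "." or "\\" still allows
    subdomains (cdn.qweastradoc.com) and full paths (C:\\...\\gamft.dll) to hit."""
    patterns = {}
    for kind, values in iocs.items():
        alternatives = "|".join(re.escape(refang(v)) for v in sorted(values))
        patterns[kind] = re.compile(rf"(?<![\w-])(?:{alternatives})(?![\w-])", re.I)
    return patterns

def scan_log(lines) -> list:
    """Return (line_number, ioc_type, matched_text) for every indicator hit."""
    patterns = build_patterns(CLOP_IOCS)
    hits = []
    for number, line in enumerate(lines, start=1):
        for kind, pattern in patterns.items():
            for match in pattern.finditer(line):
                hits.append((number, kind, match.group(0)))
    return hits

# Constructed sample telemetry (hosts and events are invented for this example): an EDR
# file event, a proxy hit, a DNS query, and two near-miss lines that must not match.
SAMPLE_LOGS = [
    "edr host=WS-042 event=FileCreate path=C:\\Windows\\Temp\\gamft.dll "
    "sha256=C042AD2947CAF4449295A51F9D640D722B5A6EC6957523EBF68CDDB87EF3545C",
    "proxy src=10.0.4.17 dst=92.118.36.213:443 action=allow bytes=18342",
    "dns client=10.0.4.17 query=cdn.qweastradoc.com type=A",
    "proxy src=10.0.4.18 dst=15.188.206.76:443 action=allow bytes=512",
    "dns client=10.0.4.19 query=notqweastradoc.com type=A",
]
```

Running `scan_log(SAMPLE_LOGS)` reports hits on the first three lines only (hash and file name, IP, and domain); the two near-miss lines produce nothing.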
MITRE ATT&CK TTPs of CLOP
The TTPs of the ransomware’s latest Linux variant are listed below. They were derived from the sample with SHA256 09d6dab9b70a74f61c41eaa485b37de9a40c86b6d2eae7413db11b4e6a8256ef.

| Technique Name | ID |
|---|---|
| Unix Shell Configuration Modification | T1546.004 |
| Linux and Mac File and Directory Permissions Modification | T1222.002 |
| File Deletion | T1070.004 |
| Virtualization/Sandbox Evasion | T1497 |
| System Information Discovery | T1082 |
| Email Collection | T1114 |
| Ingress Tool Transfer | T1105 |
Mitigation for the GoAnywhere MFT vulnerability: upgrade to version 7.1.2. Fortra users must have an account to log in and access the patch at https://my.goanywhere.com/webclient/DownloadProductFiles.xhtml.
Protecting yourself from Clop Ransomware
Protecting yourself from ransomware, including Clop ransomware, requires a multi-layered approach involving preventive measures and preparedness. Here are some steps you can take to protect yourself:
- Keep software up to date: Organisations should keep their software and operating systems up to date to reduce the risk of exploitation of known vulnerabilities.
- Implement email security: Businesses should implement email security measures, such as anti-spam filters and anti-phishing solutions, to help detect and prevent spear phishing emails from reaching employees.
- Backup data regularly: Regularly backing up data can help organisations recover from a ransomware attack without paying the ransom.
- Use multi-factor authentication: Multi-factor authentication (MFA) can help prevent unauthorised access to accounts and reduce the risk of credential theft.
- Limit user privileges: Restrict user privileges to only what is necessary for their job functions. This can prevent ransomware from spreading across your network if one user account is compromised.
- Use network segmentation: Segment your network to limit the spread of ransomware in the event of a breach. This can help contain the damage and prevent it from affecting your entire organisation.
- Educate yourself and your employees: Conduct Cybersecurity Awareness Training for employees by experts. Train your employees to recognise and report phishing emails and other suspicious activity.
- Have a response plan: Develop and regularly update a response plan outlining the steps to take in the event of a ransomware attack. This should include procedures for isolating infected systems, contacting authorities, and restoring data from backups.
By implementing these measures, you can significantly reduce your risk of falling victim to Clop ransomware or any other type of ransomware attack.
Additionally, you can opt for a robust Network Detection and Response program alongside Endpoint Detection and Response to help reduce the risk of loss from an attack.
If a device is affected by Clop ransomware, it is important not to pay the ransom as there is no guarantee you will recover the data. Instead, victims should contact law enforcement agencies and seek professional help from cybersecurity experts.