
Clop ransomware is file-encrypting malware that has been active since 2019 and belongs to the CryptoMix ransomware family. It is deployed against vulnerable systems and encrypts the files it finds, appending the “.Clop” extension to each one.
Clop ransomware is linked to TA505, a financially motivated threat group that has been active since at least 2014. The group is known for its sophisticated tactics, techniques, and procedures (TTPs) and for conducting large-scale attacks against businesses, governments, and other organisations around the world.
TA505 has been linked to several high-profile campaigns, including distribution of the Dridex banking trojan and Locky ransomware. Beyond its technical expertise, the group runs highly effective and well-organised operations: it has been observed using a network of proxy servers and compromised devices to evade detection and carry out attacks at scale.
One distinguishing feature of Clop ransomware is the string “Don’t Worry C|0P” found in its ransom notes. In March 2021, Clop operators attacked the well-known cybersecurity compliance company Qualys and stole client data. Retail, transportation, education, manufacturing, engineering, automotive, energy, financial, aerospace, telecommunications, and professional and legal services are among the industries affected by Clop ransomware. The ransomware is usually delivered via spam email attachments, trojan downloaders, exposed or poorly secured Remote Desktop Protocol (RDP) services, and malicious websites.
The Clop operators are believed to be based within the Commonwealth of Independent States (CIS): the malware avoids systems that use CIS-country keyboard layouts, and its file metadata is in Russian. The operators combine a “spray and pray” approach with a more targeted follow-up, running large-scale phishing campaigns to gain footholds and then choosing which compromised networks to pursue for monetisation.
Red Piranha has observed the threat actors actively exploiting a remote code injection vulnerability in GoAnywhere MFT, Fortra’s secure managed file transfer solution. Research shows more than 1,000 systems worldwide have administrative ports that may be vulnerable to this zero-day exposed to the public Internet. Truebot has also been observed actively exploiting this vulnerability.
CLOP Ransomware - Indicators of Compromise (IOCs)
Network indicators are listed defanged, with [.] in place of the dot.

TYPE        VALUE
SHA256      c042ad2947caf4449295a51f9d640d722b5a6ec6957523ebf68cddb87ef3545c
SHA256      0e3a14638456f4451fe8d76fdc04e591fba942c2f16da31857ca66293a58a4c3
SHA256      c9b874d54c18e895face055eeb6faa2da7965a336d70303d0bd6047bec27a29d
IPv4        5.188.206[.]76
IPv4        92.118.36[.]213
Domain      qweastradoc[.]com
File name   gamft.dll
File name   larabqFa.exe
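The following is an added example of how a responder might sweep a host image and a proxy log for the indicators in the table above, together with the “.Clop” extension and ransom-note string described earlier. It is not Red Piranha tooling. The hash, IP, domain and file-name values are taken from the table; the directory layout, file contents, proxy log lines and helper names (sweep_filesystem, sweep_log, run_demo) are constructed for the demonstration.

```python
"""Offline sweep for the Clop indicators listed in the IOC table.

Added example, not Red Piranha tooling. Indicator values come from the table;
the file tree and proxy log lines below are constructed for the demonstration.
"""
from __future__ import annotations

import hashlib
import re
import tempfile
from pathlib import Path

# Indicators from the table, kept defanged as published and refanged at use.
SHA256_IOCS = {
    "c042ad2947caf4449295a51f9d640d722b5a6ec6957523ebf68cddb87ef3545c",
    "0e3a14638456f4451fe8d76fdc04e591fba942c2f16da31857ca66293a58a4c3",
    "c9b874d54c18e895face055eeb6faa2da7965a336d70303d0bd6047bec27a29d",
}
IP_IOCS_DEFANGED = {"5.188.206[.]76", "92.118.36[.]213"}
DOMAIN_IOCS_DEFANGED = {"qweastradoc[.]com"}
FILENAME_IOCS = {"gamft.dll", "larabqfa.exe"}   # compared case-insensitively
RANSOM_NOTE_MARKER = "Don't Worry C|0P"
ENCRYPTED_EXT = ".clop"


def refang(indicator: str) -> str:
    """Turn the published '[.]' notation back into a literal dot."""
    return indicator.replace("[.]", ".")


IP_IOCS = {refang(i) for i in IP_IOCS_DEFANGED}
DOMAIN_IOCS = {refang(d) for d in DOMAIN_IOCS_DEFANGED}


def sha256_of(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def sweep_filesystem(root: Path) -> list[tuple[str, str]]:
    """Return sorted (reason, relative_path) hits for every file under root."""
    hits = []
    for path in root.rglob("*"):
        if not path.is_file():
            continue
        rel = path.relative_to(root).as_posix()
        if path.name.lower() in FILENAME_IOCS:
            hits.append(("filename", rel))
        if path.suffix.lower() == ENCRYPTED_EXT:
            hits.append(("encrypted-extension", rel))
        if sha256_of(path) in SHA256_IOCS:
            hits.append(("sha256", rel))
        # Ransom notes are small text files; only read those, tolerating odd encodings.
        if path.suffix.lower() == ".txt" and path.stat().st_size < 64 * 1024:
            if RANSOM_NOTE_MARKER in path.read_text(errors="ignore"):
                hits.append(("ransom-note", rel))
    return sorted(hits)


# Match whole host/file tokens so 5.188.206.76 does not fire on 15.188.206.76.
_TOKEN = re.compile(r"[A-Za-z0-9.\-]+")


def sweep_log(lines: list[str]) -> list[tuple[int, str]]:
    """Return (line_no, indicator) for lines naming an IP, domain/subdomain or file-name IOC."""
    hits = []
    for n, line in enumerate(lines, 1):
        for tok in _TOKEN.findall(line):
            t = tok.lower()
            if (t in IP_IOCS or t in FILENAME_IOCS or t in DOMAIN_IOCS
                    or any(t.endswith("." + d) for d in DOMAIN_IOCS)):
                hits.append((n, t))
    return hits


# Constructed proxy log lines, not real telemetry. Line 3 is a deliberate near miss.
SAMPLE_PROXY_LOG = [
    "2023-02-07T10:14:02Z src=10.0.0.23 dst=92.118.36.213:443 action=allow",
    "2023-02-07T10:14:09Z src=10.0.0.23 url=http://qweastradoc.com/gamft.dll action=allow",
    "2023-02-07T10:15:00Z src=10.0.0.40 dst=15.188.206.76:443 action=allow",
    "2023-02-07T10:16:31Z src=10.0.0.23 dst=8.8.8.8:53 action=allow",
]


def build_demo_tree(root: Path) -> None:
    """Constructed layout: a dropped loader, an encrypted document, a ransom note, a clean file."""
    docs = root / "Users" / "alice" / "Documents"
    docs.mkdir(parents=True)
    (root / "ProgramData").mkdir()
    (root / "ProgramData" / "gamft.dll").write_bytes(b"\x00" * 16)
    (docs / "budget.xlsx.Clop").write_bytes(b"\xff" * 32)
    (docs / "ClopReadMe.txt").write_text("Don't Worry C|0P\nYour files are encrypted.\n")
    (docs / "notes.txt").write_text("meeting at 10\n")


def run_demo():
    """Build the constructed tree, sweep it, and sweep the sample log."""
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        build_demo_tree(root)
        fs_hits = sweep_filesystem(root)
    return fs_hits, sweep_log(SAMPLE_PROXY_LOG)
```

Calling run_demo() returns two lists: the filesystem hits (the dropped gamft.dll by name, budget.xlsx.Clop by extension, and the ransom note by its marker string; the demo bytes do not match the published hashes) and the log hits (the 92.118.36.213 connection and the qweastradoc.com download of gamft.dll). The near-miss address 15.188.206.76 does not match because the scan compares whole tokens rather than substrings. Point sweep_filesystem at a mounted image and sweep_log at real proxy or DNS logs to use it in an investigation.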
MITRE ATT&CK TTPs of CLOP
The TTPs of the ransomware’s latest Linux variant (analysed sample SHA256 09d6dab9b70a74f61c41eaa485b37de9a40c86b6d2eae7413db11b4e6a8256ef) are listed below:

Technique Name                                                ID
Unix Shell Configuration Modification                         T1546.004
Linux and Mac File and Directory Permissions Modification     T1222.002
File Deletion                                                 T1070.004
Virtualization/Sandbox Evasion                                T1497
System Information Discovery                                  T1082
Email Collection                                              T1114
Ingress Tool Transfer                                         T1105
To reduce the risk of Clop ransomware attacks, keep software up to date, back up important files regularly (keeping at least one copy offline or otherwise out of reach of a compromised host), and enforce strong passwords.
Organisations running GoAnywhere MFT should upgrade to version 7.1.2. Fortra customers need an account to log in and download the patch: https://my.goanywhere.com/webclient/DownloadProductFiles.xhtml
It is also recommended to avoid opening attachments from unknown sources or clicking links in unverified emails. If a device is infected with Clop ransomware, do not pay the ransom: there is no guarantee that the data will be restored. Instead, contact law enforcement agencies and seek professional help from cybersecurity experts.