Defending against CLOP

Clop ransomware is file-encrypting malware that has been active since 2019 and belongs to the Cryptomix ransomware family. It is designed to exploit vulnerable systems and encrypt the files stored on them, appending the “.Clop” extension to each encrypted file.

Clop ransomware is linked to TA505, a financially motivated threat actor group that has been active since at least 2014. The group is known for its sophisticated tactics, techniques, and procedures (TTPs) and for conducting large-scale attacks against businesses, governments, and other organisations around the world.

TA505 has been linked to several high-profile campaigns, including the Dridex banking trojan and Locky ransomware. In addition to its technical expertise, the group is known for highly effective and well-organised operations: it has been observed using a network of proxy servers and compromised devices to evade detection and carry out attacks on a massive scale.

One distinguishing feature of Clop ransomware is the string “Don’t Worry C|0P” found in the ransom notes. In March 2021, Clop attacked the well-known cybersecurity compliance company Qualys to steal client data. Retail, transportation, education, manufacturing, engineering, automotive, energy, financial, aerospace, telecommunications, professional and legal services are among the industries that have been affected by Clop ransomware. The ransomware is usually spread via spam email attachments, trojans, unprotected Remote Desktop Protocol (RDP) connections, and malicious websites.

Clop ransomware is believed to be based somewhere within the Commonwealth of Independent States (CIS), as it avoids systems that use CIS-country keyboard layouts and file metadata in Russian. The ransomware has been observed to combine a “spray and pray” approach with a more targeted approach by running large-scale phishing campaigns and then choosing which networks to compromise for monetization.

Red Piranha has observed the threat actors actively exploiting a remote code injection vulnerability in GoAnywhere MFT, Fortra’s secure managed file transfer solution. Research shows that more than 1000 systems worldwide expose the product’s administrative port to the public Internet and may therefore be vulnerable to this zero-day. Truebot has also been observed actively exploiting this vulnerability.

CLOP Ransomware - Indicators of Compromise (IOCs)

Type        Value
SHA256      c042ad2947caf4449295a51f9d640d722b5a6ec6957523ebf68cddb87ef3545c
SHA256      0e3a14638456f4451fe8d76fdc04e591fba942c2f16da31857ca66293a58a4c3
SHA256      c9b874d54c18e895face055eeb6faa2da7965a336d70303d0bd6047bec27a29d
IPv4        5.188.206[.]76
IPv4        92.118.36[.]213
Domain      qweastradoc[.]com
File name   gamft.dll
File name   larabqFa.exe
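As an added example that is not part of the original advisory, the Python below loads the indicators from the table above into a small checker: it refangs the defanged network indicators, flags log lines that mention them, and compares a file's name and SHA256 against the file indicators. The log lines, file names and the helper names (refang, scan_log_lines, sha256_of_file, match_file) are constructed for this illustration.

```python
import hashlib, re

# Indicators from the IOC table above; network IOCs stay defanged in source.
CLOP_SHA256 = {
    "c042ad2947caf4449295a51f9d640d722b5a6ec6957523ebf68cddb87ef3545c",
    "0e3a14638456f4451fe8d76fdc04e591fba942c2f16da31857ca66293a58a4c3",
    "c9b874d54c18e895face055eeb6faa2da7965a336d70303d0bd6047bec27a29d",
}
CLOP_NETWORK = {"5.188.206[.]76", "92.118.36[.]213", "qweastradoc[.]com"}
CLOP_FILENAMES = {"gamft.dll", "larabqfa.exe"}  # compared case-insensitively

# Constructed firewall/proxy lines for demonstration, not real traffic.
SAMPLE_LOG = [
    "2023-03-29T10:01:02Z fw allow src=10.0.0.5 dst=5.188.206.76 dport=443",
    "2023-03-29T10:01:05Z proxy GET https://qweastradoc.com/gamft.dll 200",
    "2023-03-29T10:01:09Z fw allow src=10.0.0.5 dst=92.118.36.213 dport=80",
    "2023-03-29T10:02:00Z fw allow src=10.0.0.7 dst=5.188.206.761 dport=443",
]

def refang(indicator):
    """Turn a defanged indicator ('1.2.3[.]4', 'hxxp://') back into its live form."""
    return indicator.replace("[.]", ".").replace("hxxp", "http")

def scan_log_lines(lines):
    """Return (line_no, indicator) for every line that contains a Clop network IOC."""
    hits = []
    for n, line in enumerate(lines, 1):
        for ioc in sorted(refang(i) for i in CLOP_NETWORK):
            # Boundaries stop 5.188.206.76 from matching inside 5.188.206.761
            if re.search(r"(?<![\w.])" + re.escape(ioc) + r"(?![\w.])", line):
                hits.append((n, ioc))
    return hits

def sha256_of_file(path):
    """Hash a file in 1 MiB chunks so large files need not fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()

def match_file(name, digest):
    """Return the reasons a file matches the IOC set (empty list means no match)."""
    reasons = []
    if name.lower() in CLOP_FILENAMES:
        reasons.append("filename")
    if digest.lower() in CLOP_SHA256:
        reasons.append("sha256")
    return reasons
```

A filename hit alone is weak evidence, since legitimate files can share a name; treat the hash match as the confirming indicator and the name match as a prompt to hash the file.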


The TTPs of the ransomware’s latest Linux variant can be found below:

(Hash of the analysed sample: 09d6dab9b70a74f61c41eaa485b37de9a40c86b6d2eae7413db11b4e6a8256ef)

Technique Name
Unix Shell Configuration Modification
Linux and Mac File and Directory Permissions Modification
File Deletion
Virtualization/Sandbox Evasion
System Information Discovery
Email Collection
Ingress Tool Transfer

To prevent Clop ransomware attacks, it is crucial to keep software up to date, regularly back up important files, and implement strong passwords.

GoAnywhere MFT users should upgrade to version 7.1.2. Fortra customers must log in with their account to access the patch.

It is also recommended to avoid downloading attachments from unknown sources or clicking on links from unverified emails. If a device is infected with Clop ransomware, it is important not to pay the ransom as there is no guarantee that the data will be restored. Instead, victims should contact law enforcement agencies and seek professional help from cybersecurity experts.

Date Published
March 29, 2023