Defending against CLOP


Clop ransomware is file-encrypting malware that has been active since 2019 and belongs to the Cryptomix ransomware family. It is designed to exploit vulnerable systems and encrypt stored files, appending the “.Clop” extension to each one.

Clop ransomware is linked to TA505, a financially motivated threat actor group that has been active since at least 2014. The group is known for its sophisticated tactics, techniques, and procedures (TTPs) and for conducting large-scale attacks against businesses, governments, and other organisations around the world.

TA505 has been linked to several high-profile campaigns, including the Dridex banking trojan and Locky ransomware. Beyond its technical expertise, the group is known for highly effective and well-organised operations, and it has been observed using a network of proxy servers and compromised devices to evade detection and carry out attacks on a massive scale.

One distinguishing feature of Clop ransomware is the string “Don’t Worry C|0P” found in its ransom notes. In March 2021, Clop attacked the well-known cybersecurity compliance company Qualys to steal client data. Industries affected by Clop ransomware include retail, transportation, education, manufacturing, engineering, automotive, energy, financial, aerospace, telecommunications, and professional and legal services. The ransomware is usually spread via spam email attachments, trojans, unprotected Remote Desktop Protocol (RDP) connections, and malicious websites.

Clop’s operators are believed to be based somewhere within the Commonwealth of Independent States (CIS), as the ransomware avoids systems that use CIS-country keyboard layouts or carry file metadata in Russian. Clop has been observed combining a “spray and pray” approach with a more targeted one: running large-scale phishing campaigns and then choosing which of the compromised networks to pursue for monetisation.

Red Piranha has observed the threat actors actively exploiting a remote code injection vulnerability in GoAnywhere MFT, Fortra’s secure managed file transfer solution. Research shows that more than 1000 systems worldwide expose to the public Internet the administrative ports that may be vulnerable to this zero-day. Truebot has also been observed actively exploiting this vulnerability.

CLOP Ransomware - Indicators of Compromise (IOCs)

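As an added example (not Red Piranha’s code), the following Python triage helper checks a file listing and proxy log lines against the artefacts this advisory names: the “.Clop” extension, the “Don’t Worry C|0P” ransom-note string, and the file name, domain and IPv4 indicators. The file records, paths and log lines are constructed sample input, not observed data.

```python
"""Triage helper for Clop artefacts in file listings and proxy logs (added example,
not Red Piranha code). Indicator values are those quoted in this advisory; the
file records and log lines are constructed sample input."""
import re
from collections import Counter

ENCRYPTED_EXT = ".clop"                  # extension Clop appends to encrypted files
RANSOM_NOTE_MARKER = "Don't Worry C|0P"  # string found in Clop ransom notes
IOC_FILENAMES = {"gamft.dll", "larabqfa.exe"}  # matched case-insensitively
IOC_DOMAINS = {"qweastradoc.com"}
IOC_IPS = {"5.188.206.76", "92.118.36.213"}
IP_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
SAMPLE_FILES = [  # constructed (path, text content or None) records
    ("/srv/share/Q1-report.xlsx.Clop", None),
    ("/srv/share/note.txt", "Don\u2019t Worry C|0P\nYour files are encrypted."),
    ("C:\\Users\\Public\\gamft.dll", None),
    ("/home/ana/notes.txt", "meeting at 10"),
]
SAMPLE_PROXY = [  # constructed proxy log lines
    "2023-03-28T09:14:02Z src=10.0.0.5 dst=92.118.36.213 host=- GET /update",
    "2023-03-28T09:14:05Z src=10.0.0.5 dst=203.0.113.9 host=qweastradoc.com POST /",
    "2023-03-28T09:15:00Z src=10.0.0.7 dst=198.51.100.4 host=example.org GET /",
]

def scan_files(records):
    """Return [(reason, path), ...] for encrypted files, IOC file names and ransom notes."""
    findings = []
    for path, content in records:
        name = path.replace("\\", "/").rsplit("/", 1)[-1].lower()
        if name.endswith(ENCRYPTED_EXT):
            findings.append(("encrypted_file", path))
        if name in IOC_FILENAMES:
            findings.append(("ioc_filename", path))
        # Normalise the curly apostrophe so either spelling of the marker matches.
        if content and RANSOM_NOTE_MARKER in content.replace("\u2019", "'"):
            findings.append(("ransom_note", path))
    return findings

def scan_proxy_log(lines):
    """Return [(reason, indicator, line), ...] for lines touching advisory IOCs."""
    hits = []
    for line in lines:
        lowered = line.lower()
        hits.extend(("ioc_domain", d, line) for d in IOC_DOMAINS if d in lowered)
        hits.extend(("ioc_ip", ip, line) for ip in IP_RE.findall(line) if ip in IOC_IPS)
    return hits

def summarize(findings, hits):
    """Count hits per reason so a responder sees the mix at a glance."""
    return dict(Counter([f[0] for f in findings] + [h[0] for h in hits]))
```

Indicator matches in proxy logs warrant host isolation and a look for the encrypted-file extension on shares the host can reach; the counts from summarize() give a quick sense of how far an incident has spread.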

MITRE ATT&CK TTPs of CLOP

The TTPs of the ransomware’s latest Linux variant are listed below (hash of the analysed sample: 09d6dab9b70a74f61c41eaa485b37de9a40c86b6d2eae7413db11b4e6a8256ef).

Technique Name                                             ID
Unix Shell Configuration Modification                      T1546.004
Linux and Mac File and Directory Permissions Modification  T1222.002
File Deletion                                              T1070.004
Virtualization/Sandbox Evasion                             T1497
System Information Discovery                               T1082
Email Collection                                           T1114
Ingress Tool Transfer                                      T1105


To prevent Clop ransomware attacks, it is crucial to keep software up to date, regularly back up important files, and implement strong passwords.

GoAnywhere MFT users should upgrade to version 7.1.2. Fortra customers need an account to log in and download the patch: https://my.goanywhere.com/webclient/DownloadProductFiles.xhtml

It is also recommended to avoid downloading attachments from unknown sources or clicking on links from unverified emails. If a device is infected with Clop ransomware, it is important not to pay the ransom as there is no guarantee that the data will be restored. Instead, victims should contact law enforcement agencies and seek professional help from cybersecurity experts.

Date Published: March 29, 2023