Threat Intelligence Report January 21 - January 27 2025

Cl0p Ransomware

Overview

Cl0p ransomware has emerged as one of the most persistent and financially damaging cyber threats in recent years. Known for targeting organisations in a variety of industries—most notably finance and government - Cl0p leverages a combination of advanced exploitation techniques and sophisticated encryption methods to extort its victims. The ransomware is infamous for its “double extortion” model: encrypting a victim’s files while also threatening to leak sensitive data if a ransom isn’t paid. By adapting to new vulnerabilities, Cl0p remains a dynamic and dangerous adversary.

Detailed TTPs (Tactics, Techniques, and Procedures)

• Exploiting publicly known vulnerabilities in widely used software.
• Phishing campaigns using targeted social engineering.

• Leveraging malicious dropper files that execute PowerShell scripts.
• Executing unsigned binaries to establish persistence.

• Maintaining access through encrypted backdoors and custom malware strains.
• Using stolen credentials to re-enter compromised networks.

• Identifying and exploiting configuration flaws or weak permissions.
• Abusing legitimate administrative tools to escalate access.

• Stealing sensitive data before encryption (double extortion).
• Encrypting files with advanced cryptographic algorithms.

• Rendering critical systems and data inaccessible.
• Threatening reputational harm by leaking stolen data.
  
  

Ransomware Note:

IOCs (Indicators of Compromise)

• CVE-2023-0669
• CVE-2023-34362
• CVE-2024-45195
• CVE-2024-50623
• CVE-2024-55956

• 103.140.62.43
• 146.190.133.67
• 162.240.110.250
• http://ekbgzchl6x2ias37.onion
• http://santat7kpllt6iyvqbr7q4amdv6dzrh6paatvyrzl7ry3zm72zigf4ad.onion
• http://3ws3t4uo7fehnn4qpmadk3zjrxta5xlt3gsc5mx4sztrsy7ficuz5ayd.onion/
• http://amnwxasjtjc6e42siac6t45mhbkgtycrx5krv7sf5festvqxmnchuayd.onion/
• http://qahjimrublt35jlv4teesicrw6zhpwhkb6nhtonwxuqafmjhr7hax2id.onion/
• http://l4rdimrqyonulqjttebry4t6wuzgjv5m62rnpjho3q22a6maf6d5evyd.onion/
• http://npkoxkuygikbkpuf5yxte66um727wmdo2jtpg2djhb2e224i4r25v7ad.onion
• http://6v4q5w7di74grj2vtmikzgx2tnq5eagyg2cubpcnqrvvee2ijpmprzqd.onion/remote0

• .cl0p (renamed encrypted files)

• Files encrypted with RC4, RSA-1024 wrapping the encryption keys.
• Obfuscated payloads and scripts to evade detection.

Mitigations

1. Apply Security Patches Promptly:
   • Regularly update software, particularly those known to have been exploited by Cl0p (e.g., file transfer solutions).
2. Implement a Strong Backup Strategy:
   • Maintain offline or immutable backups of critical data.
   • Regularly test backups to ensure they are accessible and complete.
3. Enhance Network Segmentation and Access Control:
   • Segregate sensitive data and systems from regular user access.
   • Apply the principle of least privilege (PoLP).
4. Conduct Regular Security Awareness Training:
   • Educate employees about phishing attacks and social engineering techniques.
   • Emphasise the importance of scrutinising unsolicited emails and links.
5. Deploy Advanced Threat Detection and Response Solutions:
   • Use Endpoint Detection and Response (EDR) to identify suspicious behaviour early.
   • Monitor network traffic for signs of data exfiltration or unauthorised encryption attempts.
6. Establish a Clear Incident Response Plan:
   • Define roles and responsibilities for responding to ransomware attacks.
   • Conduct tabletop exercises to prepare for a rapid response.

By employing these proactive measures, organisations can significantly reduce the risk of Cl0p ransomware infections and minimise the impact of an attack.

Ransomware Victims Worldwide

A recent ransomware analysis reveals that the United States remains the most heavily impacted nation, accounting for a staggering 56.77% of global incidents—underscoring its continued vulnerability to ransomware threats. Canada follows with 8.39% of recorded attacks, highlighting significant challenges in North America. Meanwhile, Australia, the United Kingdom, and India contribute 5.81%, 3.87%, and 3.87% of global incidents respectively, reflecting ongoing risks in both Asia-Pacific and Europe.

Other countries such as France (1.29%), Germany (2.58%), Pakistan (2.58%), and Italy (1.29%) also show notable levels of ransomware activity. The Netherlands, Mexico, and Bangladesh each recorded 1.94% of global incidents, signalling the broad geographic spread of ransomware threats.

Lower but still notable percentages come from nations like Vietnam, Kuwait, and Denmark, which contribute 0.65% each. Countries including Israel, Switzerland, Malaysia, Portugal, Philippines, Japan, and Morocco also reflect small yet significant parts of the worldwide ransomware landscape.

This distribution illustrates the global and persistent nature of ransomware threats, with North America continuing to bear the brunt of attacks. The findings further emphasise the critical need for strengthened cybersecurity measures, proactive defence strategies, and heightened vigilance across all sectors to counter the unrelenting rise in ransomware incidents worldwide.