Clop Ransomware Blitz: Understanding and Mitigating This Pervasive Threat

Clop Ransomware is currently being unleashed in a blitz of attacks against organizations across the globe. To help you stay informed and safeguard your organization, Cristian Torres has prepared a detailed analysis examining this emerging threat.
Clop Ransomware Blitz: Understanding and Mitigating This Pervasive Threat Header image

Table of Contents

The recent onslaught of the Clop Ransomware group’s cyberattack blitz has shaken the cybersecurity landscape, bringing to mind the now-disbanded REvil group’s campaigns of 2021. Clop Ransomware’s menacing resurgence poses a significant threat to organizations worldwide. Crucially, Clop Ransomware exploits a zero-day vulnerability in GoAnywhere’s file-sharing services, enabling them to infiltrate susceptible servers and unpatched GoAnywhere MFT (managed file transfer) instances. 

The History of Clop Ransomware

Clop is a Ransomware as a Service (RaaS) organization that emerged around February 2019. It is part of the CryptoMix family of ransomware. Initially, Clop emerged as a relatively simple ransomware strain, focusing on encrypting individual files and appending the “.Clop” extension to them.

Over time, Clop operators began shifting their focus from individual users to businesses and entire networks. In 2020, data exfiltration capabilities were added. At that point, Clop became more infamous and started targeting large organizations, across the United States, Canada, Latin America, Asia Pacific, and Europe.

In June 2021, Ukrainian authorities arrested 6 people tied to Clop Ransomware. Despite these takedown attempts, Clop Ransomware survived to allegedly breach 130 organizations in February 2023 through a GoAnywhere zero-day exploit. This means it’s likely that the individuals who were arrested were not key figures in the malware’s operation. 

How Clop Exploits the GoAnywhere Vulnerability

Clop exploits CVE-2023-0669, a vulnerability with a  CVSS score of 7.2, which is related to a pre-authentication command injection in GoAnywhere MFT, affecting version 7.1.1 for Windows and 7.0.3 for Linux and its earlier versions. The issue arises when GoAnywhere MFT deserializes data without proper validation, enabling attackers to execute unauthorized commands remotely. As a result, confidentiality and integrity are impacted.

The attack targets the ‘LicenseResponseServlet’ Java Servlet, specifically the ‘com.linoma.license.gen2.BundleWorker.unbundle(String, KeyConfig)’ method within the servlet. When a packet is received from a user request, it is passed to the ‘LicenseAPI.getResponse()’ method. However, the ‘package’ parameter passed to this method is not properly validated, allowing an attacker to exploit the vulnerability using a specially crafted package.

Based on information shared by the Office of Information Security, Clop’s ransomware code was written to target Windows systems, and some reporting samples showcase that it is a Win32 executable written in C++. The executable packet is compressed, which helps hide its functionality. The ransomware encrypts files with an RSA 1024-bit public key with RC4 that uses 117 bytes of the public key.

According to a Sentilabs report, a new variant of Clop Ransomware, called ELF Cl0p, has been detected. This Linux version has minor differences from the Windows version, mostly related to API calls, and seems to be in its early development stages since some functionalities present in the Windows version are currently missing. A decryptor has been created for this variant by researchers of SentinelLabs

Operating Systems Targeted by Clop Ransomware

Windows

MacOS

Linux

Android

Yes

No

Recently, Yes

No

It has been observed that Clop uses remote desktop protocols and that it deploys Cobalt Strike to aid in lateral movement, right after a successfully compromised network. Once the encryption is complete, the victim is able to access a README.TXT and the encrypted file’s extension will be changed to “Clop”. The ransomware notes often state that the Shadow Volume Copies have been deleted.

Why Does Clop Ransomware Matter to You?

Clop has been one of the most active RaaS organizations during the last few years, targeting almost any kind of organization. They have been connected to attacks affecting public and private organizations from different sectors (manufacturing, healthcare, education, energy, and others). Just to give a sense of the scale of the impact, our threat intelligence team found that as of the end of March, Shodan shows 1264 instances of GoAnywhere exposed to the internet—while not all of them are vulnerable, they are visible to attackers. In addition to this, there are some factors that make this threat something to care about.

  • EDR evasion: The ransomware also attempts to disable Windows® Defender and uninstall Microsoft® Security Essentials.
  • Anti-detection techniques: The malware includes anti-analysis and anti-virtual-machine (VM) techniques to ensure the file will not execute if it finds it is running in an emulated environment.
  • Legitimate appearance: The binary is signed, giving the malicious file the appearance of legitimacy. But if you look closer, you’ll find that the signing certificate has been revoked, so it is no longer valid
  • Process killing and encryption capabilities: Clop ransomware attempts to stop over 600 Windows® processes. By freeing up these processes, files running on them are no longer locked and can be encrypted by Clop. Security researcher Vitali Kremez provides a full list of the processes killed by Clop in his GitHub repository.
  • Disruption capabilities: Clop disables Windows repair features so the system cannot be easily restored
  • Double extortion risk: Sensitive data is first exfiltrated from the target before their files are encrypted. The attackers created a .onion website on the dark web called “Cl0p^_- Leaks” to serve as a platform to publicly leak confidential data belonging to victims who refused to pay their ransom.
  • Spreading capabilities: Clop has claimed that the techniques performed on this kind of attack allow them to move laterally across the organization’s networks, enabling them to deploy ransomware payloads and increase the number of endpoints that could be controlled and encrypted by this group.  

List of Victims as of the End of March 2023

Victim

Country

Bissell

USA

Emerald

USA

Caja Popular San Rafael

Mexico

Tasmanian Government Services

Australia

Enerjisa Üretim

Turkey

Intellicare

Philippines

Crescent Hotels & Resorts

USA

Columbia Machine, Inc

USA

Investorcom

Canada

Imagine360

USA

The Cyprinus

Spain

Spi Group

South Africa

Detech Information Technologies

Turkey

Grupo Floraplant

Mexico

Alto

USA

Government Of Goa

India

Inter Terminals

UK

Global Farm

Argentina

Atos

France

Derk Ingenieria Y Geologia Limitada

Chile

Red Box

UK

Progression

India

The University Of Melbourne

Australia

Crown Resorts

Australia

Bridgeway Communication System

Philippines

The Link Group

USA

Phoenix Technology

USA

Sodales Solutions

USA

Nationsbenefits

USA

Scholastic

USA

Vumacam

South Africa

Cloudmed

USA

Dp World

United Arab Emirates

Solpac

Japan

Virgin

UK

Legacy Technologies

Germany

Oshco

Saudi Arabia

Gray Television

USA

Orca

Canada

Colombia Lab

Colombia

Paybox App

Israel

Verra Mobility

USA

Bunzl

UK

First Central Group

UK

Alivia Health

Puerto Rico

Hormel Foods

USA

Crosby

USA

Munich Re

Germany

Gas Natural Sa Esp

Colombia

Volaris

Mexico

Accuzip

USA

Sepire

USA

World Vision International

USA

Zo Skin Health

USA

Tropical Texas Behavioral Health

USA

Humangood

USA

Kannact

USA

Cineplex

Canada

Amerijet International, Inc

USA

Gdi Integrated Facility Services

Canada

Hampton Roads Transit

USA

Pluralsight

USA

Pension Protection Fund

USA

Lasotel

France

Procter & Gamble

USA

Crossville

USA

Leslie & S

USA

Saks Fifth Avenue

USA

Jay Mart Public

Thailand

Service Stream

Australia

Cost Plus World Market

USA

Wildfire Defense Systems

USA

Sweeping Corporation Of America

USA

Tuebora

USA

Ratelinx

USA

Ferguson

USA

Accreditation Commission For Education In Nursing

USA

Wellbe Senior Medical

USA

Brightline

USA

Hitachi Energy

Switzerland

Sae

USA

Avidxchange

USA

Galderma

Switzerland

Neo Energy

UK

Medex

USA

Investissement Quebec

Canada

Rio Tinto

UK

Intellihartx

USA

Homewood Health

Canada

Allied Benefit Systems

USA

Us Wellness

USA

Rubrik

USA

Onex

Canada

Axis Bank

India

People Corporation

Canada

Medminder Systems

USA

Cornerstone Home Lending

USA

 

How to Mitigate the Risk of Clop Ransomware

According to TechTarget, GoAnywhere’s software vendor Fortra (formerly known as HelpSystems) became aware of a zero-day vulnerability in late January and warned its users of an “active exploitation and the dangers of keeping the administrative console exposed on the Internet”. Here are some actions that organizations can take to mitigate against the threat posed by Clop Ransomware

  • Patching is your top priority: Fortra provided an update patch (7.1.2) for Windows Systems that should be applied as soon as possible to avoid any system compromise, especially all customers running an administration portal exposed to the Internet.
  • Intentionally look for connections to C&C: after closing the publicly known door to the attackers is important to detect if they managed to enter the organization. The proficient way is doing it intentionally through the analysis of network metadata.
  • Stay aware of lateral movements: in case attackers are inside your organization they will try to spread through the network infecting as many endpoints as they can. You can stop them on time by having visibility of this anomalous behavior. Analyzing netflows is usually the easiest way.
  • Update access credentials: as the ultimate goal of attackers is to take control over the administrator console, they always try to compromise access credentials that’s why you need to avoid the risk of having any of your admin panels (not only GoAnywhere’s but any other integrated system) accessible to adversaries.
  • Limit the surface attack: implement risk mitigation controls such as whitelisting entry connections, inspect any recent installation of apparently legitimate applications (such as cobaltStrike), creation of unusual administrator users, and disable the built-in licensing server system

To get to know your risk of being exposed to a ransomware attack, be sure to take Lumu’s Ransomware Quiz.

Subscribe to Our Blog

Get the latest cybersecurity articles and insights straight from the experts.

Share this post

RELATED POSTS

DEFCON 32
Events

Our 3 Biggest Takeaways From DEFCON 32

Reading Time: 7 minsMario Lobo, Cybersecurity Specialist at Lumu Technologies, recently attended DEFCON – a hacker convention held annually in Las Vegas, Nevada – and he highlights his big takeaways.

Join our pre-day 
workshop waitlist

  • By clicking “Submit Request” you agree to the Lumu Terms of Service and Privacy Policy.