Clop Ransomware

Clop ransomware, also represented as CL0P, is a ransomware variant that was first discovered in February 2019, by McAfee security researchers. Clop ransomware was created and is managed by the Clop Ransomware Group ‘FANCYCAT’, which disseminates the ransomware to a network of affiliates via a Ransomware-as-a-Service (RaaS) model.

As such, a multitude of threat actors have incorporated Clop in their attack campaigns. Clop ransomware received the most notoriety within its first years of operation, netting more than $500 million by employing multiple layers of extortion against its victims. Clop ransomware operators commonly employ double and triple-extortion methods where the group would give the victim a limited amount of time to pay an initial ransom before raising the price and threatening to release sensitive data stolen from the victim publicly on their leak site, if the victim failed to pay. In June 2021, officials from the US, Ukraine, and South Korea apprehended 6 members of the Clop Ransomware Gang. While it was the opinion of many that these raids had rendered Clop defunct, reports of Clop ransomware attacks began re-emerging in early 2022 and, in late 2022 into early 2023.

In June 2023, it was reported that the threat actor group, tracked as ‘Lace Tempest’ (also known as FIN11 and TA505) highly likely utilised Clop ransomware to leverage a vulnerability (CVE-2023-343621) within the MOVEit file transfer platform2.Clop is commonly deployed via phishing campaigns, although recent reporting has indicated that the Russian-speaking threat group ‘Silence’ is now disseminating the ransomware via their TrueBot malware. Other methods for initial access are known, such as the exploitation of zero-day vulnerabilities, but are largely associated with Clop’s affiliates rather than the ransomware itself.

Clop is designed to impact devices using Windows operating systems and is commonly disseminated as a Wi n32 executable written in C++. Early samples of Clop were commonly packed, signed using certificates that were frequently rotated, and implemented runtime checks that would keep the ransomware from executing if previous requirements were unmet, to make detection and analysis more difficult. These early samples would create new threads, a new mutex, enumerate running processes and enumerate network shares to handle the encryption process and identify networked devices that the ransomware can spread to. Finally, the ransomware generates random AES keys for encryption, encrypts each byte of a targeted file, and appends the encrypted file with “Clop^_”. The AES key is encrypted with a master RSA key to deter third-party decrypters. Recent versions of Clop are similar to early versions of the ransomware but include bug patches and performance tweaks. Attack chains where Clop is employed are highly disparate, due to the nature of RaaS and the fact that Clop affiliate threat actors are the ones performing the actual attacks instead of Clop developers.