Sangria Tempest threat actor group deploys Clop ransomware in attack campaign

Target Industry

Sangria Tempest targets organisations in the banking, retail and hospitality sectors for the purposes of financial gain.


The threat actor group tracked as Sangria Tempest (also known as FIN7) has been detected deploying Clop ransomware in its first attack campaign since the end of 2021. In the most recent wave of targeting, the threat group has used the POWERTRASH PowerShell script to deploy a post-exploitation tool known as ‘Lizar’. The group then pivots to OpenSSH and Impacket tooling to conduct lateral movement within the target network, where it deploys Clop ransomware.


Successful exploitation by Clop ransomware will result in the encryption and exfiltration of significant amounts of data held on the compromised device or system before a ransom of a predetermined amount is issued. The ransom fee demanded will almost certainly depend on the estimated value of the compromised organisation. Encrypted data may include private customer data, corporate finance data and system credentials. The double extortion method applied by Clop ransomware operators will almost certainly result in all stolen data being published to dark web forums, where there is a realistic possibility that stolen data will be used for initial compromise in future attacks.

Vulnerability Detection

A comprehensive endpoint detection and response (EDR) solution, such as Microsoft Defender, can provide additional protection against malware threats like Clop ransomware. EDR tools can alert system users to potential breaches and prevent further progress before the malware can cause significant damage.

Affected Products

– Windows OS

Containment, Mitigations & Remediations

It is strongly recommended that the following mitigation strategies are implemented to enhance the security posture of a network environment against a potential cyber-attack by Sangria Tempest:

  • Do not open attachments embedded within emails from unverified senders
  • Ensure that software updates are applied as soon as possible
  • Conduct regular vulnerability scanning to identify and address security flaws, prioritising those on internet-facing devices
  • Prioritise patching of internet-facing servers and software processing internet data, including web browsers, browser plugins, and document readers
  • Regularly patch and update software and operating systems to the latest available versions
  • Implement a cybersecurity user awareness and training programme that includes guidance on how to identify markers of phishing attempts
  • Implement filters at the email gateway to filter out emails with known malicious indicators and block suspicious Internet Protocol (IP) addresses at the firewall
  • Implement Domain-based Message Authentication, Reporting and Conformance (DMARC) policy and verification
  • Consider disabling macro scripts for Microsoft Office files that are delivered via email
  • Enforce multi-factor authentication (MFA) for all services to the furthest possible extent, prioritising webmail, virtual private networks, and accounts that access critical systems
  • Apply the principle of least privilege to all systems and services
  • Develop and regularly update a comprehensive network diagram that illustrates systems and data flows within the organisation’s network
  • Implement network segmentation to maintain separation between IT and operational technology
  • Restrict usage of PowerShell to specific users, typically only those users or administrators who manage the network
  • Remain vigilant regarding suspicious phone calls, or email messages from individuals enquiring about employees or other internal information; if an unknown individual claims to be from a legitimate organisation, attempt to verify their identity directly with the associated company
  • Do not provide personal or organisational information unless the requester’s identity can be verified with a high level of confidence
  • Do not reveal personal or financial information via email, and do not respond to email solicitations for this information
  • Do not send sensitive information over the internet prior to verifying the security of the website
  • Pay attention to the website Uniform Resource Locator (URL); look for URLs that begin with “https”, rather than “http”
  • Install and maintain anti-virus software, firewalls, and email filters
  • Apply anti-phishing features offered by your email client and web browser.

Indicators of Compromise

Clop ransomware associated domains:


Clop ransomware associated file hashes (SHA-256):


Clop ransomware associated email addresses:


Clop ransomware associated IP address:

– 45[.]227[.]253[.]102
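
Indicators in this section are published defanged (`[.]`, `[@]`), so they have to be refanged before they can be matched against logs. The following is an added example, not part of the original bulletin: it refangs a list, sorts each value by type, and scans log lines, matching domains on label boundaries to avoid substring false positives. The function names, log format and sample values are assumptions constructed for illustration.

```python
import ipaddress
import re

TOKEN = re.compile(r"[a-z0-9][a-z0-9._@-]*")

def refang(indicator):
    """Strip the list dash and undo defanging: '[.]' -> '.', '[@]' -> '@'."""
    return indicator.strip().lstrip("–- ").replace("[.]", ".").replace("[@]", "@").lower()

def classify(value):
    if re.fullmatch(r"[0-9a-f]{64}", value):
        return "sha256"
    if "@" in value:
        return "email"
    try:
        ipaddress.ip_address(value)
        return "ip"
    except ValueError:
        return "domain"

def match_line(line, index):
    hits = set()
    for token in TOKEN.findall(line.lower()):
        token = token.rstrip(".")
        kind = classify(token)
        labels = token.split(".")
        # Domains are tested at every label boundary, so cdn.bad.example hits
        # bad.example but notbad.example does not; other types match exactly.
        spans = range(len(labels) - 1) if kind == "domain" else range(1)
        candidates = (".".join(labels[i:]) for i in spans)
        hits.update((kind, c) for c in candidates if c in index[kind])
    return sorted(hits)

def scan(lines, defanged):
    index = {"sha256": set(), "email": set(), "ip": set(), "domain": set()}
    for value in map(refang, defanged):
        index[classify(value)].add(value)
    return {n: h for n, line in enumerate(lines) if (h := match_line(line, index))}

# Constructed sample data (reserved .example names, TEST-NET address), not real IoCs.
SAMPLE_IOCS = ["– bad-store[.]example", "– Unlock[@]mail[.]example",
               "– 192[.]0[.]2[.]10", "– " + "ab" * 32]
SAMPLE_LOG = [
    "dns query=cdn.bad-store.example src=10.0.0.5",
    "dns query=notbad-store.example src=10.0.0.6",
    "smtp rcpt=unlock@mail.example",
    "fw dst=192.0.2.10 dport=443",
    "edr file_sha256=" + "AB" * 32,
]
```

`scan(SAMPLE_LOG, SAMPLE_IOCS)` returns a dictionary keyed by log line number; the second sample line is absent because `notbad-store.example` only shares a substring with the listed domain.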

Threat Landscape

Ransomware continues to be one of the prominent threats facing all industry sectors. Recent attacks, as well as the developing nature of the ransomware threat landscape, suggest that the threat is growing as cybercriminal groups are becoming more comfortable demanding ever-increasing ransom quantities.

The deployment of Clop ransomware by Sangria Tempest verifies the group’s continued reliance on different ransomware strains to target victims as they switch their financial strategy by pivoting from payment card data theft to extortion methods.

Threat Group

Sangria Tempest is a sophisticated threat actor group that is motivated by securing financial credentials and related data. Their methods of intrusion have developed since the group’s inception and include specially crafted phishing emails and documents, obfuscating hidden LNK shortcut files in DOCX and RTF documents, exploitation of both PowerShell commands and Microsoft Dynamic Data Exchange (DDE), and infiltrating POS systems in retail stores.

MITRE Methodologies

Execution Technique:

T1059.001 – Command and Scripting Interpreter: PowerShell

Impact Technique:

T1486 – Data Encrypted for Impact

Further Information

Clop Ransomware Report


Intelligence Terminology Yardstick