MOVEit cyberattacks continue to grow, hitting more organizations every day. As of July 11, 2023, the attacks had affected 257 organizations and 17,750,524 individuals, according to a count by Emsisoft Threat Analyst Brett Callow.
Meanwhile, the Clop ransomware group blamed for the attack continues to add names to the victim list on its leak site, with new victims including major financial companies (Deutsche Bank, ING Bank, Japan Post Bank) and 25 US schools.
Listen to Infosecurity’s latest podcast episode to learn everything you need to know about the MOVEit supply chain attack
In an article published on July 10, David Wallace, Senior Threat Intelligence Analyst at Sophos, took a deep dive into Clop’s background and operations, as well as its Tactics, Techniques, and Procedures (TTPs).
Clop, Ransomware and Threat Actors
Clop (also spelled Cl0p) is Russian for “bed bug,” a “hardy and persistent pest,” Wallace noted in the post. It was originally the name of a new variant of the CryptoMix ransomware family, first identified in 2019 and tracked by MITRE as S0611.
The threat group behind Clop, a financially motivated organization now believed to operate out of Russian-speaking countries, “was never known to have been active in both Russia and Ukraine before 2022,” Wallace said.
The Clop ransomware gang is associated with other threat groups such as TA505 and FIN11. Wallace notes that a recent advisory from the FBI and the U.S. Cybersecurity and Infrastructure Security Agency (CISA) treats Clop and TA505 as the same group, while others say the three simply overlap or suggest that FIN11 is a subset of TA505.
Clop has also recently collaborated with other groups, such as DarkSide and FIN7, using ransomware-as-a-service (RaaS) toolkits for point-of-sale (POS) attacks and classic exploits.
Clop prefers high-profile victims
Clop’s priority targets are large enterprises ($5 million or more in annual revenue) located in North America, Latin America, Europe and Asia Pacific, although some of its recent supply chain attacks have also affected smaller organizations in other markets. The group typically launches its attacks while victims are on holiday.
When first observed, the group relied primarily on phishing attempts, brute force attacks, and exploitation of known vulnerabilities.
They were one of the first threat groups to use the “double extortion” strategy, in which attackers threaten to publish sensitive data on a leak site (the “CL0P^_- LEAKS” site, accessible via Tor hidden services) if the victim refuses to pay. Initially this was used alongside encryption, with decryption of the encrypted data withheld as an additional means of pressuring victims, but Clop and other threat actors recently appear to be moving away from fully encrypting data.
According to Wallace, the group is also known for its innovative techniques. “For example, it was one of the first groups to use the tactic of pressuring compromised targets to pay by emailing the customers and partners of compromised sites,” and it has aggressively targeted and prioritized large organizations. It earned a place in information security history with the first known ransomware demand of over $20 million, made against Software AG in October 2020.
Clop’s exploitation of a critical zero-day vulnerability (CVE-2023-34362) in Progress Software’s MOVEit Transfer is its third such campaign, following the GoAnywhere incident in February and the PaperCut incident in April.
“Some of these efforts appear to be opportunistic, whether as a result of the group selling its own ransomware tools or working with other groups; this one seems to be the culmination of a process of effort and refinement. […] Notably, the group has recently been consistently and aggressively targeting file transfer services, which tend to process data from a wide variety of systems and thus may be viewed as a vulnerable point in many supply chains,” Wallace’s blog post reads.
Alongside MOVEit and the campaigns described above, Clop has regularly been involved in high-profile attacks, such as the 2021 exploitation of the Accellion File Transfer Appliance (FTA) and the GoAnywhere campaign, which affected large companies including the BBC, British Airways, Sony, Siemens Energy, EY and PwC.
In the case of the MOVEit attacks, Clop expects victims to negotiate the ransom directly with it, but “as of July 3, Sophos has no knowledge of any victim having actually paid the ransom,” Wallace added.
Many government agencies around the world were also affected by the MOVEit attacks. But in mid-June, Clop addressed those affected in a statement: “If you are a government, city or police service, do not worry, we erased all your data. You do not need to contact us. We have no interest in making such information public.”
The US government is offering a bounty of up to $10 million for information on this threat group.
Exploring Clop’s TTPs
Like the eponymous pest, Clop is a “loud, adaptable and tenacious player,” Wallace said.
Several tactics are employed during an attack to maximize impact and increase the chances that victims pay the ransom, although these vary from case to case.
Here are the five typical steps of an attack as deployed by the ransomware gang:
- Initial access: Clop typically uses social engineering techniques to target victims and gain initial access to networks through phishing emails, exploit kits, or exploitation of software or system vulnerabilities. “One Sophos MDR customer’s logs showed 3689 Clop-driven attempts against its Ubiquiti UniFi server to gain initial access,” Wallace noted.
- Persistence: Clop maintains access to compromised systems through various methods. “In a recent case handled by the Sophos X-Ops incident response team, the attacker initially chose to utilize Cobalt Strike Beacons to establish persistence on compromised machines,” said Wallace.
- Lateral movement: Once network access is established, Clop moves laterally, searching for connected systems and infecting them. This lateral movement allows the ransomware to deploy quickly across the network, infecting infrastructure, encrypting many files and maximizing the impact of the operation. “In incidents Sophos observed, the attackers initially utilized a Server Message Block (SMB) connection before transitioning to an interactive Remote Desktop Protocol (RDP) session,” the blog post says.
- Exfiltration: Before deploying ransomware, Clop often exfiltrates data such as employee personnel data, intellectual property, financial data and customer information from compromised networks. This allows the group to rely on the threat of information leaks to pressure victims into paying high ransoms, giving it the leverage it needs to bolster the extortion part of the scheme. “One of the most frequently used exfiltration tactics by Clop and similar groups is categorized by MITRE as Exfiltration Over Web Service (T1567), which includes the use of various third-party tools such as MEGAsync, rclone, FileZilla and Windows Secure Copy. We also see C2-based approaches such as Remote Access Software (T1219) and Ingress Tool Transfer (T1105),” Wallace outlined. The group also leaves its footprints all over the network, changing the extension of encrypted files to [.]Clop (or [.]CIIp, [.]C_L_O_P or similar).
- Victim notice: As is common among ransomware operators, after encrypting (and possibly exfiltrating) files, Clop leaves a README.TXT ransom note on the compromised system. This is where the target is (usually) informed of the price to decrypt the files, a distinctive choice, as ransomware gangs often prefer to disclose the price only once a private chat has been established; the same applies to the instructions on how to pay. Clop usually, but not always, sets a deadline for initial contact.
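A small triage script, added here as an illustration (it is not code from the Sophos post or from Infosecurity), that scans constructed endpoint events for the Clop footprints listed above: the exfiltration tools the post maps to T1567, the README.TXT ransom note, and the renamed encrypted files. The pipe-separated event format, the host names and the process file names are assumptions.

```python
"""Triage constructed endpoint events for the Clop indicators described in the article."""
import re
from collections import defaultdict

# Indicators from the article: exfiltration tools (MITRE T1567), the ransom
# note name, and the extensions given to encrypted files. The winscp entry
# assumes "Windows Secure Copy" refers to the WinSCP client.
EXFIL_TOOLS = {"megasync", "rclone", "filezilla", "winscp"}
RANSOM_NOTE = "readme.txt"
ENCRYPTED_EXT = re.compile(r"\.(clop|ciip|c_l_o_p)$", re.IGNORECASE)

# Constructed sample events, "type|host|path" per line (assumed format, not a real log schema).
SAMPLE_EVENTS = """\
process|fs01|C:\\Users\\svc\\AppData\\Local\\rclone\\rclone.exe
file|fs01|D:\\shares\\finance\\Q2.xlsx.Clop
file|fs01|D:\\shares\\finance\\README.TXT
process|ws07|C:\\Program Files\\Microsoft Office\\WINWORD.EXE
file|ws07|C:\\Users\\a.smith\\Documents\\notes.txt
file|hr02|E:\\data\\payroll.csv.C_L_O_P
process|hr02|C:\\Tools\\MEGAsync\\MEGAsync.exe
"""


def classify(event_type, path):
    """Return an indicator label for one event, or None if nothing matches."""
    name = path.replace("\\", "/").rsplit("/", 1)[-1]
    stem = name.lower().rsplit(".", 1)[0]
    if event_type == "process" and stem in EXFIL_TOOLS:
        return "exfil_tool (T1567)"
    if event_type == "file" and name.lower() == RANSOM_NOTE:
        return "ransom_note"
    if event_type == "file" and ENCRYPTED_EXT.search(name):
        return "encrypted_file"
    return None


def triage(log_text):
    """Group indicator labels by host; hosts with no hits are omitted."""
    hits = defaultdict(set)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        event_type, host, path = line.split("|", 2)
        label = classify(event_type, path)
        if label:
            hits[host].add(label)
    return {host: sorted(labels) for host, labels in hits.items()}


def hosts_at_victim_notice_stage(findings):
    """Hosts with both renamed files and the README.TXT note: encryption has already run there."""
    return sorted(h for h, l in findings.items() if "encrypted_file" in l and "ransom_note" in l)
```

Hosts that show only the exfiltration tool are the ones still worth isolating before the encryption stage is reached.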
On rare occasions, Clop has also been observed participating in hacktivism campaigns performing distributed denial of service (DDoS) attacks.
“The benefits (monetary, loyalty, etc.) to Clop of participating in such campaigns are unknown, as is the actual driving force behind the attacks – hacktivism, or just ransomware with additional pressure points,” Wallace said.