CL0P's growth in 2023
CL0P emerged in early 2019 as a more advanced successor to the "CryptoMix" ransomware, operated by the CL0P ransomware gang, a cybercriminal organization. The group remained active from 2020 through 2022, carrying out major campaigns. But in 2023, the CL0P ransomware gang took itself to new heights, becoming one of the most active and successful ransomware groups in the world.
It exploited numerous vulnerabilities to compromise some of the largest organizations in the world. The Russian gang's name is taken from the Russian word "klop", which translates to "bug", and is usually written as "CLOP" or "cl0p". Once a victim's files are encrypted, a ".clop" extension is appended to them.
CL0P methods and strategies
The CL0P ransomware group (closely associated with the TA505, FIN11, and UNC2546 cybercriminal groups) is known for the extremely destructive and aggressive campaigns it ran against large organizations around the world in 2023. The "big game hunting" ransomware group uses "steal, encrypt and exfiltrate" methods against a number of large companies, with particular interest in the financial, manufacturing and healthcare industries.
CL0P operates a ransomware-as-a-service (RaaS) model and employs the "steal, encrypt, and exfiltrate" tactics common among ransomware affiliates around the world. If victims fail to meet the group's demands, their data is released through the group's Tor-hosted leak site "CL0P^_-LEAKS." Like many other Russian-speaking cyber gangs, their ransomware does not run on devices located in the Commonwealth of Independent States (CIS).
LockBit also operates on a ransomware-as-a-service (RaaS) model.
Simply put, this means that affiliates are required to pay a deposit to use the tool and then share the ransom with the LockBit group. Some affiliates reportedly received as much as 75% of the shares. The operators of LockBit have advertised their affiliate program on Russian-speaking criminal forums, stating that they will not operate in Russia or any CIS country, nor will they work with English-speaking developers unless there is a Russian-speaking "guarantor" who provides guarantees. – "The proliferation of LockBit ransomware"
SecurityHQ’s Global Threat Landscape Forecast 2024 talks about CL0P’s resurgence in the ransomware space and the ransomware to watch in 2024.
Third most prolific group in 2023
After examining data from "CL0P^_-LEAKS," SecurityHQ's threat intelligence team collected data on various cybercriminal groups around the world and visualized the rise in CL0P activity in 2023. The transformation of this group from the most active ransomware group in 2022 to the third most active ransomware group in 2023 should not be taken lightly.
Figure: SecurityHQ 2023 data on threat groups (©2024 SecurityHQ)
Latest events
Over the course of a month in March 2023, the CL0P ransomware gang exploited the "Fortra GoAnywhere MFT" zero-day vulnerability. Tracked as CVE-2023-0669, it allowed an attacker to obtain remote code execution (RCE) against unpatched, Internet-exposed instances of the software. The vulnerability was patched the next day, but the group had already successfully targeted more than 100 organizations.
Then, in April, Microsoft observed two ransomware groups (CL0P and LockBit) exploiting two vulnerabilities, tracked as CVE-2023-27350 and CVE-2023-27351, in the PaperCut print management software, a common tool used by all major printing companies around the world. The groups used these vulnerabilities to deploy the notorious TrueBot malware, which they had already used months earlier. This is a perfect target for groups like CL0P, whose strategy is no longer just about encrypting files but about exfiltrating data to further blackmail the organization. It is particularly effective because PaperCut has a "Print Archive" feature that stores every job/document sent through its server.
The group's major activity came in May, when the widely used MOVEit Transfer (CVE-2023-24362) and MOVEit Cloud software (CVE-2023-35036) were actively exploited via a previously unknown SQL injection vulnerability. CL0P was able to compromise vulnerable networks and systems extremely quickly and extract sensitive data from some of the world's largest organizations (BBC, EY, PwC, Gen Digital, British Airways, TfL, Siemens, etc.). The group said it had deleted all data related to governments, militaries and hospitals, but since multiple U.S. government agencies were affected by the MOVEit vulnerability, the U.S. government is offering a $10 million reward for information that could link the group to foreign agents.
The lasting impact of the quadruple blackmail
Not only did the group play a major role in the surge of ransomware activity in 2023, it was also almost entirely responsible for the dramatic increase in average ransomware payouts.
The operators of CL0P are known for going to great lengths to get their message across. After evidence of the breach is publicly displayed, material is posted on the leak site, and their messages are still ignored, they contact stakeholders and senior executives directly to ensure their demands are met. This is called quadruple extortion.
From single to double, double to triple, and now quadruple extortion, it's fair to say that ransomware gangs won't stop until they get what they want. Like double and triple extortion, quadruple extortion adds a new dimension, which comes in two main forms:
- The first is a DDoS attack, which aims to take down an organization's online operations until a ransom is paid.
- The second is harassment of various stakeholders (customers, media, employees, etc.), which increases the pressure on decision-makers.
Best defenses against the CL0P group
To protect against CL0P in 2024, SecurityHQ recommends:
- Know your landscape and environment. Understand what is normal and what is not in your environment so you can act quickly.
- Develop and review your incident response plan, with clear steps to take if the worst happens.
- Ensure threat monitoring is in place to quickly identify threats.
- Review current cybersecurity practices to ensure best practices are being used.
- Businesses with higher risk, such as those in industries specifically targeted by CL0P (financial, manufacturing, healthcare) or those holding sensitive information, should work with an MSSP to ensure best security practices are in place.
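As an added example of what the first and third recommendations look like in practice (illustrative code, not SecurityHQ's, with constructed hosts, thresholds and events), the script below flags the two behaviours this article attributes to CL0P: a burst of files renamed to the ".clop" extension, and exfiltration-scale egress from a file-transfer host compared with that host's own baseline.

```python
"""Added example (not SecurityHQ's code): two simple detections for the CL0P
behaviours described above, run over constructed sample events. Hosts,
thresholds and events are all constructed for illustration."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed file-system events: (timestamp, host, new_path)
RENAME_EVENTS = [
    ("2023-06-01T02:00:01", "fs01", r"C:\share\q1-report.xlsx.clop"),
    ("2023-06-01T02:00:02", "fs01", r"C:\share\payroll.csv.clop"),
    ("2023-06-01T02:00:02", "fs01", r"C:\share\contracts.docx.clop"),
    ("2023-06-01T02:00:03", "fs01", r"C:\share\backup.zip.clop"),
    ("2023-06-01T09:15:00", "ws07", r"C:\Users\a\notes.txt"),
]

# Constructed daily egress records for a file-transfer host: (date, host, bytes_out)
EGRESS = [
    ("2023-05-25", "mft01", 2_100_000_000), ("2023-05-26", "mft01", 1_900_000_000),
    ("2023-05-27", "mft01", 2_300_000_000), ("2023-05-28", "mft01", 2_000_000_000),
    ("2023-05-29", "mft01", 41_000_000_000),  # constructed mass-download day
]

def clop_rename_burst(events, window_s=60, min_files=3):
    """Hosts on which at least min_files files gained a .clop extension within window_s."""
    by_host = defaultdict(list)
    for ts, host, path in events:
        if path.lower().endswith(".clop"):
            by_host[host].append(datetime.fromisoformat(ts))
    flagged = []
    for host, times in by_host.items():
        times.sort()
        # slide a window of min_files consecutive renames over the sorted timestamps
        for i in range(len(times) - min_files + 1):
            if times[i + min_files - 1] - times[i] <= timedelta(seconds=window_s):
                flagged.append(host)
                break
    return sorted(flagged)

def egress_anomalies(records, factor=5.0):
    """(date, host) pairs whose bytes_out exceed factor x that host's mean of earlier days."""
    history = defaultdict(list)
    hits = []
    for date, host, size in records:  # records are assumed to be in chronological order
        prior = history[host]
        if prior and size > factor * (sum(prior) / len(prior)):
            hits.append((date, host))
        prior.append(size)
    return hits
```

In production the same logic would read from an EDR or file-audit feed and from firewall or proxy byte counters; the baseline should cover enough history that a single busy day does not dominate the mean.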
The future of threat intelligence
SecurityHQ’s Threat Intelligence team is a cohesive global unit dedicated to cyber threat intelligence. Their team focuses on researching emerging threats and tracking the activities of threat actors, ransomware groups and campaigns to ensure they stay ahead of potential risks. In addition to investigative work, the intelligence team provides actionable threat intelligence and research that enriches the understanding of SecurityHQ’s customers around the world. The SecurityHQ threat intelligence team is driven by a shared commitment to providing the insights you need to confidently navigate the complex cybersecurity threat landscape.
For more information about these threats, ask the experts here. Alternatively, if you suspect a security incident has occurred, you can report the incident here.
Note: This article was written by Patrick McAteer, Cyber Threat Intelligence Analyst at SecurityHQ Dubai, who specializes in analyzing evolving cyber threats, identifying risks, and writing actionable intelligence reports to enhance proactive defenses.