Responsible for a number of infamous 'big game hunter' ransomware attacks and believed active since at least 2019, the ransomware threat group dubbed 'CL0P' is thought to be a Russian-language cybercriminal gang and has been widely reported as associated with, or having its malware adopted by, other cybercriminal groups including 'FIN11', part of the larger financially-motivated 'TA505' group, and 'UNC2546'.
Utilizing common 'steal, encrypt and leak' tactics as employed by most big game hunter ransomware groups, victims failing to meet their ransom demands are promptly 'named and shamed' on 'CL0P^_- LEAKS', the group's Tor-hosted leak site (Figure 1).
Figure 1 - CL0P Leak Site (Tor)
Typically these leaks include document excerpts and/or screenshots as 'proof' of compromise (Figure 2) followed by the periodic release of stolen data sets until such time that either the victim capitulates or all stolen data has been leaked.
Figure 2 - Example data leak
Consistent with many big game hunter ransomware campaigns, target organizations do not appear to belong to any specific industry or region and are more than likely selected on the basis of being exposed to a known vulnerability and/or having the ability to pay a substantial ransom.
Furthermore, and as expected of many Russian-language threat groups, organizations within the Commonwealth of Independent States (CIS) appear to be excluded from targeting.
Having previously targeted high-profile organizations including a Fortune 500 company and a multi-billion (US) dollar law firm, recent victims include a multinational household name within the oil and gas industry, a UK-based logistics company and numerous higher-education establishments.
Whilst CL0P are thought to make use of broad malicious email (malspam) campaigns to identify potential corporate victims, recent evidence suggests that vulnerabilities in public-facing infrastructure are being exploited to gain an initial foothold within a victim network.
The prevalence of this exploit-and-intrude tactic, and its successful use by various big game hunter ransomware gangs, reinforces the need for organizations to take patch management seriously so as to minimize the window of exposure for any identified vulnerability.
Notably of late, CL0P have utilized this tactic to target organizations running a vulnerable version of 'Accellion FTA', a file transfer appliance. The following vulnerabilities have reportedly been exploited to gain access to victim data as well as potentially to pivot into victim networks:
- CVE-2021-27101 - Critical SQL Injection via a crafted Host header in versions ≤9_12_370;
- CVE-2021-27102 - Command execution via a local web service call in versions ≤9_12_411;
- CVE-2021-27103 - Critical server-side request forgery (SSRF) in versions ≤9_12_411;
- CVE-2021-27104 - Critical command execution via a crafted POST in versions ≤9_12_370.
In the case of malspam campaigns, the group are thought to send their initial lures during the working week to ensure that the recipient is able to view the email and potentially infect themselves. Conversely, the network intrusion and ransomware deployment phases are reportedly conducted around the weekend, both to minimize the chance of detection and to increase the success of the encryption phase, since much corporate data is under-utilized at that time and therefore not held 'open' or 'locked' by running applications.
Finally, likely in an attempt to 'cascade' their ransomware threat and target other organizations, CL0P malspam campaigns have been observed using data stolen from existing victims. As such, customers, partners or vendors of any victim organization could potentially be targeted with incredibly convincing email lures, especially if the group were to infiltrate the original victim's email server and send malicious lures from it.
Data Theft Phase
Although the initial infection vector may differ from one victim to another, CL0P's objectives upon network intrusion remain consistent: the exfiltration of sensitive and valuable data prior to encryption in order to exert maximum pressure on victims and encourage prompt payment of ransom demands.
Likely preceded by a thorough reconnaissance phase, the theft typically targets customer, employee and financial records, likely of value to fraudsters, as well as sensitive emails, documents and intellectual property that could be damaging in the hands of competitors or when shared publicly.
In addition to the wholesale theft of data from file servers and network storage devices, a task made all the easier by the recent exploitation of file transfer appliances that already contain a wealth of data, CL0P have repeatedly demonstrated their ability to gather large data stores including those used by database and email servers.
Having exfiltrated any potentially valuable data, a victim-specific ransomware payload is deployed and commences a preparatory phase in which services related to various applications, such as backup software and database servers, are stopped using the Windows net.exe command line utility, so that 'open' or 'locked' data can be encrypted, for example:
cmd.exe /C net stop BackupExecAgentBrowser /y
Additionally, a number of application processes are forcibly terminated (the /F switch) using the Windows taskkill.exe command line utility, for example:
cmd.exe /C taskkill /IM powerpnt.exe /F
Given that Windows provides functionality to create point-in-time backup copies of data through the Volume Shadow Copy Service (known as VSS), it is common for malware and ransomware authors to utilize the VSS administrative tool vssadmin.exe to delete any existing shadow copies and prevent data restoration:
vssadmin delete shadows /all /quiet
In CL0P's case, both the typical 'delete' operation has been observed as well as the 'resize' operation which reduces the amount of disk space allocated to shadow copy storage, for example:
cmd.exe /C vssadmin resize shadowstorage /for=c: /on=c: /maxsize=401MB
Shrinking the shadow storage area below the size of the existing shadow copies forces VSS to discard the oldest copies to fit, and the reduced allocation is then insufficient for the volume of file changes occurring during the encryption phase; in addition, the high volume of disk input/output operations can overwhelm the VSS process and cause the remaining snapshot to be deleted anyway.
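The net stop, taskkill /F and vssadmin commands above are all legitimate Windows tools, so a useful detection keys on their combination on one host in a short window rather than on any single execution. As an added example (not code from the original article), the following Python snippet runs such a correlation rule over constructed process-creation records of the kind Sysmon Event ID 1 or Windows Event ID 4688 produce. The log line format, the ten-minute window, and the service and application watch-lists beyond BackupExecAgentBrowser and powerpnt.exe are assumptions made for this example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed process-creation records (Sysmon Event ID 1 reduced to the fields
# the rules need). Sample data written for this example, not real telemetry.
SAMPLE_EVENTS = [
    '2021-03-06T02:13:41Z host=FS01 parent=cmd.exe cmd="cmd.exe /C net stop BackupExecAgentBrowser /y"',
    '2021-03-06T02:13:42Z host=FS01 parent=cmd.exe cmd="cmd.exe /C net stop MSSQLSERVER /y"',
    '2021-03-06T02:13:50Z host=FS01 parent=cmd.exe cmd="cmd.exe /C taskkill /IM powerpnt.exe /F"',
    '2021-03-06T02:14:05Z host=FS01 parent=cmd.exe cmd="cmd.exe /C vssadmin resize shadowstorage /for=c: /on=c: /maxsize=401MB"',
    '2021-03-06T02:14:07Z host=FS01 parent=cmd.exe cmd="vssadmin delete shadows /all /quiet"',
    '2021-03-06T09:02:11Z host=WS17 parent=explorer.exe cmd="cmd.exe /C taskkill /IM notepad.exe /F"',
    '2021-03-05T18:30:00Z host=BK02 parent=BackupExec.exe cmd="vssadmin list shadows"',
]

LINE_RE = re.compile(r'^(\S+) host=(\S+) parent=(\S+) cmd="(.*)"$')

# Watch-lists. BackupExecAgentBrowser and powerpnt.exe come from the article;
# the remaining entries are assumptions for this example.
BACKUP_DB_KEYWORDS = ("backupexec", "veeam", "sql", "exchange", "oracle")
DATA_APPS = {"powerpnt.exe", "winword.exe", "excel.exe", "outlook.exe", "sqlservr.exe"}


def parse_event(line):
    """Parse one constructed log line into a dict, or None if it does not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts, host, parent, cmd = m.groups()
    return {"ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
            "host": host, "parent": parent, "cmd": cmd}


def classify(cmd):
    """Return the set of preparatory-phase behaviours a command line exhibits."""
    low = cmd.lower()
    tags = set()
    if re.search(r"\bvssadmin(\.exe)?\s+delete\s+shadows\b", low):
        tags.add("vss_delete")
    if re.search(r"\bvssadmin(\.exe)?\s+resize\s+shadowstorage\b", low):
        tags.add("vss_resize")
    m = re.search(r"\bnet1?(\.exe)?\s+stop\s+(\S+)", low)
    if m and any(k in m.group(2) for k in BACKUP_DB_KEYWORDS):
        tags.add("stop_backup_or_db_service")
    m = re.search(r"\btaskkill(\.exe)?\b.*?/im\s+(\S+)", low)
    if m and "/f" in low.split() and m.group(2) in DATA_APPS:
        tags.add("kill_data_app")
    return tags


def correlate(lines, window=timedelta(minutes=10), min_distinct=2):
    """Group tagged events per host and alert when a host shows at least
    `min_distinct` distinct behaviours inside `window`, or any shadow-copy
    deletion at all. Returns {host: {"start", "tags", "commands"}}."""
    by_host = defaultdict(list)
    for line in lines:
        ev = parse_event(line)
        if ev is None:
            continue
        tags = classify(ev["cmd"])
        if tags:
            by_host[ev["host"]].append((ev["ts"], tags, ev["cmd"]))

    alerts = {}
    for host, hits in by_host.items():
        hits.sort(key=lambda h: h[0])
        for i, (start, _, _) in enumerate(hits):
            seen, cmds = set(), []
            for ts, tags, cmd in hits[i:]:
                if ts - start > window:
                    break
                seen |= tags
                cmds.append(cmd)
            if len(seen) >= min_distinct or "vss_delete" in seen:
                best = alerts.get(host)
                if best is None or len(seen) > len(best["tags"]):
                    alerts[host] = {"start": start, "tags": sorted(seen), "commands": cmds}
    return alerts


if __name__ == "__main__":
    for host, a in correlate(SAMPLE_EVENTS).items():
        print(f"ALERT {host} from {a['start']:%Y-%m-%d %H:%M:%S}: {', '.join(a['tags'])}")
        for c in a["commands"]:
            print("   ", c)
```

Run against the constructed records, only FS01 alerts: the backup-job host BK02 that merely lists shadow copies and the workstation killing notepad.exe produce no tags, which is the point of correlating several behaviours rather than alerting on every vssadmin execution.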
Based on a ransomware binary specific to the victim, including an embedded 1024-bit RSA public key and a unique ransom note, multiple processing threads are spawned to read each target file into memory, encrypt the data using the Windows CryptoAPI and write the encrypted data to a new file before the original is deleted (Figure 3).
Figure 3 - Encryption process (abridged) followed by original file deletion
The resulting encrypted files, in addition to containing a Clop^_- marker (Figure 4), will have a filename extension that is typically some variation on the CL0P name such as
Figure 4 - Encrypted file marker
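When responding to an incident, the Clop^_- marker gives a quick way to scope which files on a share were actually encrypted, independently of whatever extension a given sample appended. As an added example (not code from the original article), the following Python script walks a directory tree, flags every file containing the marker and tallies the extensions of the flagged files. The marker's position within the file is not stated above, so the scan searches the whole file in overlapping chunks; the sample tree it builds, including the '.Clop' suffix and marker-at-end layout, is constructed for this example and is an assumption.

```python
import os
import tempfile

# Marker the article reports inside CL0P-encrypted files. Its exact offset is
# not stated, so the scan looks for it anywhere in the file.
CLOP_MARKER = b"Clop^_-"
DEFAULT_CHUNK = 1 << 20  # 1 MiB reads keep memory flat on large shares


def contains_marker(path, marker=CLOP_MARKER, chunk=DEFAULT_CHUNK):
    """True if `marker` appears anywhere in the file at `path`.

    The file is read in chunks; the last len(marker)-1 bytes of the previous
    chunk are carried over so a marker straddling a chunk boundary is still hit.
    """
    carry = b""
    overlap = len(marker) - 1
    with open(path, "rb") as fh:
        while True:
            block = fh.read(chunk)
            if not block:
                return False
            buf = carry + block
            if marker in buf:
                return True
            carry = buf[-overlap:] if overlap else b""


def triage(root, marker=CLOP_MARKER, chunk=DEFAULT_CHUNK):
    """Walk `root` and return (sorted encrypted paths, extension counts).

    The extension tally shows the responder which suffix this sample appended,
    which differs between CL0P builds.
    """
    hits, ext_counts = [], {}
    for dirpath, _dirs, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            try:
                if contains_marker(path, marker, chunk):
                    hits.append(path)
                    ext = os.path.splitext(name)[1].lower()
                    ext_counts[ext] = ext_counts.get(ext, 0) + 1
            except OSError:
                continue  # locked or unreadable file: skip it, do not abort the sweep
    return sorted(hits), ext_counts


def build_sample_tree():
    """Create a constructed directory of sample files and return its root.

    The '.Clop' extension and marker-at-end layout are assumptions for this
    example, not facts taken from the article.
    """
    root = tempfile.mkdtemp(prefix="clop_triage_")
    os.makedirs(os.path.join(root, "finance"))
    samples = {
        "finance/q1.xlsx.Clop": os.urandom(4096) + CLOP_MARKER + os.urandom(128),
        "finance/notes.docx.Clop": os.urandom(40) + CLOP_MARKER,
        "readme.txt": b"plain text, untouched by the encryptor\n",
        "empty.bin": b"",
    }
    for rel, data in samples.items():
        with open(os.path.join(root, rel), "wb") as fh:
            fh.write(data)
    return root


if __name__ == "__main__":
    root = build_sample_tree()
    paths, exts = triage(root)
    for p in paths:
        print("encrypted:", p)
    print("extensions:", exts)
```

Passing a tiny `chunk` value (as the test does) exercises the boundary handling; in production leave the default and run the sweep read-only from a forensic workstation so that file access times on the evidence are not disturbed more than necessary.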
Created on a per-victim basis and stored encrypted within the victim-specific ransomware sample, ransom notes are typically saved to each folder containing encrypted files and are named to attract the victim's attention, for example,
Having informed the victim of the network intrusion and data encryption, the ransom note typically contains victim-specific details of specific exfiltrated data as well as warning that non-compliance with the group's demands will result in data being published to their Tor-based leak site.
Unlike some groups, and rather than setting out an exact ransom sum and a cryptocurrency address for payment, CL0P provide multiple contact email addresses as well as, more recently, a link to an online chat feature on their Tor hidden service, through which 'negotiations' can be entered into.
Based on previous campaigns, the email addresses provided within these ransom notes are hosted with privacy-focused email providers such as ProtonMail or Tutanota, providing some layer of anonymity to those behind the attack.
- Maintain a robust patch management process to ensure that security updates and patches are applied in a timely fashion, securing the low-hanging fruit and preventing known vulnerabilities from being exploited.
- Continuously monitor endpoint security events as an early warning of suspicious behaviour, for example, host-to-host communications indicating lateral movement or high-volume disk operations indicating mass file encryption or exfiltration.
- Consider monitoring for, and alerting on, the anomalous execution of legitimate Windows command line tools such as the use of
- Limit user permissions according to the principle of least privilege (POLP).
- Secure sensitive data, adhering to any legal or regulatory requirements, to prevent unauthorized access, be that internal or external in origin.
- Utilize application permit and deny lists to prevent the execution of unauthorized or unknown executables, such as those delivered as part of a broader attack.
- Ensure that disaster recovery plans and backup policies take into account regular backups, verification of data integrity and offline storage to facilitate restoration in the event of a catastrophic incident.
- Make use of network segregation to limit communications between nodes, especially end-points, to provide damage limitation and limit the propagation of threats.
- Disable, or restrict to the administrators who need them, administrative tools and script interpreters that are not required on a given host, to prevent their misuse by malicious payloads or threat actors.