# Ransomware Spotlight: Clop

Source: https://www.trendmicro.com/vinfo/us/security/news/ransomware-spotlight/ransomware-spotlight-clop

By Trend Micro Research

We take a closer look at the operations of Clop, a prolific ransomware family that has gained notoriety for its high-profile attacks. We review this ransomware group’s constantly changing schemes and discuss how companies can shore up defenses against this threat.

Clop (sometimes stylized as “Cl0p”) has been one of the most prolific [ransomware](https://www.trendmicro.com/vinfo/tr/security/definition/ransomware) families in the past three years. It has gained infamy for compromising high-profile organizations in various industries worldwide using multilevel extortion techniques that resulted in huge payouts estimated at US$500 million as of November 2021. In concerted efforts to dismantle ransomware cartels, a global coalition across five continents that involved law enforcement and private partners led to the [arrests in Ukraine of six suspected Clop members in June 2021](https://www.trendmicro.com/en_us/research/21/k/global-operations-lead-to-arrests-of-alleged-members-of-gandcrab.html).

While the arrests in Ukraine might have dealt a big blow to Clop’s operations, the group’s criminal activities have gone unabated: our detections of attack attempts showed non-stop malicious activities from January 2021 to January 2022. [Reports](https://www.bleepingcomputer.com/news/security/clop-ransomware-is-back-in-business-after-recent-arrests/) mentioned that only parts of the ransomware’s operations were affected: the server infrastructure used by affiliates to disseminate the malware was seized, and the channels used to launder illegally obtained cryptocurrency ransom payments were taken down.
As enterprises ponder ways to bolster their security defenses in the post-pandemic era, learning more about potential threats is essential to adopting a proactive cybersecurity approach. In this report, we focus the spotlight on the notorious Clop ransomware’s operations.

## History of Clop

Clop evolved as a variant of the [CryptoMix ransomware family](https://www.webroot.com/blog/2016/07/22/about-cryptomix-ransomware/). In February 2019, security researchers discovered the use of Clop by the threat group known as TA505 when it launched a large-scale [spear-phishing](https://www.trendmicro.com/vinfo/tr/security/definition/spear-phishing) email campaign. Clop is an example of [ransomware as a service (RaaS)](https://www.cybereason.com/blog/cl0p-ransomware-gang-tries-to-topple-the-house-of-cards) that is operated by a Russian-speaking group. Additionally, this ransomware used a verified and digitally signed binary, which made it look like a legitimate executable file that could evade security detection.

In 2020, it was reported that FIN11, a financially motivated hacking group, deployed Clop ransomware and threatened its victims with publishing exfiltrated data. FIN11 exploited [zero-day vulnerabilities](https://www.trendmicro.com/vinfo/tr/security/definition/zero-day-vulnerability) in the legacy file transfer appliance (FTA) of Kiteworks (formerly known as Accellion) to infiltrate the networks of its victims. It then aimed to deliver the Clop ransomware as its payload and steal data as well. Researchers also discovered that the group used a specific web shell, referred to as [“DEWMODE”](https://success.trendmicro.com/solution/000283514), to exfiltrate stolen information from its victims. Researchers found two groups of malicious actors that have known connections to FIN11 and identified them as UNCA2546 and UNCA2582.
These were also the groups responsible for the [massive attacks on Kiteworks users](https://www.kiteworks.com/sites/default/files/resources/accellion-company-overview.pdf).

The operators behind Clop made their first attempt at using the [double extortion scheme](https://www.trendmicro.com/vinfo/tr/security/news/cybercrime-and-digital-threats/ransomware-double-extortion-and-beyond-revil-clop-and-conti) in April 2020 when they publicized the data of a [pharmaceutical company](https://techcrunch.com/2020/04/27/execupharm-clop-ransomware/) on their leak site. Clop’s dedicated leak site hosts its list of victims, which has markedly grown since its launch. Over time, the gang’s extortion tactics have become more sophisticated and thus more destructive.

In November 2021, security researchers detected malicious activity by Clop operators that [exploited a SolarWinds Serv-U vulnerability](https://www.bleepingcomputer.com/news/security/clop-gang-exploiting-solarwinds-serv-u-flaw-in-ransomware-attacks/) to breach corporate networks and deliver the Clop ransomware as a payload. The Serv-U Managed File Transfer and Serv-U Secure FTP remote code execution (RCE) vulnerability, tracked as [CVE-2021-35211](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-35211#:~:text=Microsoft%20discovered%20a%20remote%20code,machine%20hosting%20Serv%2DU%20Only.), allowed RCE on the vulnerable server with elevated privileges.

A maritime services giant with headquarters in Singapore also fell prey to Clop in November 2021; it was reported that Clop breached its systems to steal classified proprietary commercial information and employee data that included bank account details, payroll information, passports, email addresses, and internal correspondence, among others.

## An overview of Clop operations

The Clop ransomware appends the “.ClOP” (“Clop” spelled with a small “L”) extension to the files it encrypts. Researchers also discovered that Clop targets a victim’s entire network instead of just individual computers.
This is made possible by hacking into the Active Directory (AD) server before the ransomware infection to determine the system’s Group Policy. This allows the ransomware to persist in the endpoints even after incident responders have already cleaned them up.

[Previous attacks by the TA505 group](https://www.hornetsecurity.com/en/security-information/clop-clop-ta505-html-malspam-analysis/?_adin=11551547647) saw the delivery of the Clop malware as the final stage of its payload in massive phishing campaigns. The malicious actors would send spam emails with HTML attachments that would redirect recipients to a macro-enabled document such as an XLS file used to drop a loader named Get2. This loader facilitates the download of various tools such as [SDBOT](https://www.trendmicro.com/vinfo/us/threat-encyclopedia/malware/SDBOT/), [FlawedAmmyy](https://success.trendmicro.com/solution/1123301-flawedammyy-malware-information#:~:text=FlawedAmmyy%20is%20a%20remote%20access,on%20leaked%20Ammyy%20Admin%20software.&text=Upon%20infection%2C%20the%20RAT%20can,Capture%20screenshots), and Cobalt Strike. Once the malicious actors intrude into the system, they proceed to reconnaissance, lateral movement, and exfiltration to set the stage for deployment of the Clop ransomware.

The operators behind Clop coerce their victims by sending out emails in a bid for negotiations. They also resort to more severe threats such as publicizing and auctioning off the stolen information on their data leak site “Cl0p^_-Leaks” if their messages are ignored. They have also gone to the extent of using [quadruple extortion techniques](https://www.trendmicro.com/vinfo/us/security/news/cybercrime-and-digital-threats/ransomware-double-extortion-and-beyond-revil-clop-and-conti), which have involved [going after top executives and customers to pressure companies](https://securityaffairs.co/wordpress/116029/cyber-crime/clop-ransomware-extortion.html) into settling the ransom.
Having established itself well in the world of cybercrime, the Clop ransomware gang is deemed a trendsetter for its ever-changing tactics, techniques, and procedures (TTPs). Indeed, the group’s Kiteworks FTA exploits set a new trend, as these significantly pulled up the average ransom payments for the first quarter of 2021. A [report that cited Coveware’s findings](https://www.bleepingcomputer.com/news/security/accellion-data-breaches-drive-up-average-ransom-price/) revealed that the average ransomware payment went up significantly to US$220,298, an increase of 43%. It also said that the median ransom payment increased sharply to US$78,398 from US$49,459, which translates to a 60% hike.

## Top affected countries and industries

In this section, we discuss Trend Micro™ Smart Protection Network™ (SPN) data on detections of Clop attempts to compromise organizations. Our detections reveal that the US had the largest number of attack attempts at 2,214, followed by Spain at a distant second with 505 attempts. The rest of the detections are spread across North America, South America, Asia Pacific, Europe, and the Middle East.

Figure 1. 10 countries with the highest number of attack attempts per machine for the Clop ransomware (January 1, 2021 to January 31, 2022)

While other known RaaS operators claim to avoid the healthcare sector as a target out of humanitarian consideration, our detections reveal that this is not the case for Clop, as this sector received the highest number of detections at 959, followed by the financial industry at 150. Figure 2 shows the breakdown of detections according to industry.

Figure 2. 10 industries with the highest number of attack attempts per machine for the Clop ransomware (January 1, 2021 to January 31, 2022)
_Source: Trend Micro Smart Protection Network infrastructure_

By breaking down the detections per month, we are able to determine that Clop attacks peaked in June 2021 at 784 attack attempts. March also saw a steep rise in attempts at 663, which was significantly higher than the detections in prior months. Our detections suggest that Clop operations have remained robust, as numbers consistently straddled the 300 to 400 range from July 2021 to January 2022.

Figure 3. Monthly breakdown of detections per machine for the Clop ransomware (January 1, 2021 to January 31, 2022)
_Source: Trend Micro Smart Protection Network infrastructure_

We also looked into Clop’s leak site to gain insights into the operators’ successful attacks from December 16, 2021 to January 15, 2022. During this period, only two organizations, both small businesses, were successfully compromised by Clop operators. One organization belongs to the legal sector, while the other belongs to the fashion and apparel sector. Both organizations are based in North America and, as observed in the aforementioned period, have yet to pay ransom.

## Infection chain and techniques

The Clop ransomware that TA505 first distributed evaded detection by using a binary that was digitally signed and verified to make it seem like a legitimate executable file. The group launched a large volume of spear-phishing emails that were sent to the employees of an organization to trigger the infection process. Figure 4 shows the infection chain.

Figure 4. The first infection chain of TA505

In January 2020, TA505 changed the flow of infection by using SDBOT alone to collect and exfiltrate data to the command-and-control (C&C) server. Figure 5 shows the modified infection chain.

Figure 5. The modified infection chain of TA505

Figure 6 shows the infection chain of FIN11’s exploit of the multiple zero-day vulnerabilities in Kiteworks’ FTA so that it could install a newly discovered web shell, DEWMODE. FIN11 then used this same web shell to exfiltrate data from the FTA and deliver the Clop ransomware as a payload.

Figure 6. The infection chain of FIN11

**Initial Access**

The threat actors behind the Clop ransomware use an established network of affiliates to gain initial access and send a large volume of spear-phishing emails to employees of an organization to induce infection. The malicious actors use a compromised RDP to penetrate the system either by attempting to brute-force passwords or by exploiting some known vulnerabilities. The following are the Kiteworks FTA zero-day exploits that they used in early 2021:

- CVE-2021-27101 – SQL injection via a crafted host header
- CVE-2021-27102 – Operating system command execution via a local web service call
- CVE-2021-27103 – SSRF via a crafted POST request
- CVE-2021-27104 – Operating system command execution via a crafted POST request

The ransomware group was reported to have exploited the SolarWinds Serv-U product vulnerability tagged as CVE-2021-35211.

**Discovery**

Clop’s ransomware toolkit contained several malware types to harvest information:

- The FlawedAmmyy remote access trojan (RAT) collects information and attempts to communicate with the C&C server to enable the download of additional malware components. After getting through the AD server, it will download an additional hacking tool, Cobalt Strike.
- SDBOT, another RAT, propagates the infection in many ways, including exploiting vulnerabilities and dropping copies of itself in removable drives and network shares. It is also capable of propagating when shared through peer-to-peer (P2P) networks. Malicious actors use SDBOT as a backdoor to enable other commands and functions to be executed in the compromised computer.
**Lateral Movement, Discovery, and Defense Evasion**

At this stage, the malware scans for the workgroup information of the machine to distinguish personal machines from enterprise ones. If the workgroup is the default value, the malware will stop its malicious behavior and delete itself. If the AD server domain is returned, the machine gets classified as a corporate machine. The malware attempts to hack the AD server using [Server Message Block (SMB) vulnerabilities](https://thehackernews.com/2020/06/SMBleed-smb-vulnerability.html) and the additionally downloaded hacking tool Cobalt Strike. Cobalt Strike is a known post-exploitation tool that has previously been connected to other ransomware families. Meanwhile, [TinyMet](https://www.trendmicro.com/vinfo/us/threat-encyclopedia/malware/hacktool.win32.tinymet.k/) is used to connect the reverse shell to the C&C server. The AD server admin account is used to propagate the Clop ransomware to internal network machines. As for SDBOT, it uses application shimming to preserve the continuity of the attack and to avoid detection.

**Exfiltration**

One attack was observed using DEWMODE to exfiltrate stolen data.

**Impact**

The ransomware payload terminates various Windows services and processes and then proceeds to its encryption routine.
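As an added illustration of how a defender might turn the behaviours described in this section into detection logic, the following Python script (not Trend Micro’s code, and not derived from the Clop samples themselves) runs a handful of rules over constructed, Sysmon-style telemetry records: event-log clearing, service creation from an untrusted path, Run-key persistence, execution of the Windows application-shimming installer, and a burst of renames to the ransomware’s file extension. The hostnames, paths, thresholds and the MITRE IDs used for the shimming and encryption rules (T1546.011 and T1486) are assumptions made for the example, not values taken from the article.

```python
"""Toy detection pass over constructed endpoint telemetry (added example)."""
import re
from collections import Counter, defaultdict

# Constructed sample records in a Sysmon-like shape; these are made up, not real logs.
SAMPLE_EVENTS = [
    {"host": "fs01", "event": "process_create",
     "image": r"C:\Windows\System32\wevtutil.exe", "cmdline": "wevtutil cl Security"},
    {"host": "fs01", "event": "service_install",
     "service": "WinUpdSvc", "image": r"C:\Users\Public\svc.exe"},
    {"host": "fs01", "event": "registry_set",
     "key": r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run\upd",
     "value": r"C:\Users\Public\svc.exe"},
    # Five renames to the ransomware extension on one host: an encryption burst.
    *[{"host": "fs01", "event": "file_rename",
       "path": rf"D:\shares\finance\doc{i}.xlsx",
       "new_path": rf"D:\shares\finance\doc{i}.xlsx.Clop"} for i in range(5)],
    {"host": "ws07", "event": "process_create",
     "image": r"C:\Windows\System32\sdbinst.exe", "cmdline": r"sdbinst.exe C:\ProgramData\fix.sdb"},
    # Benign activity on ws12 that should not fire anything.
    {"host": "ws12", "event": "file_rename",
     "path": r"C:\Users\a\notes.txt", "new_path": r"C:\Users\a\notes.txt.bak"},
    {"host": "ws12", "event": "service_install",
     "service": "Spooler", "image": r"C:\Windows\System32\spoolsv.exe"},
]

RANSOM_EXT = ".clop"         # extension the article says Clop appends; matched case-insensitively
MASS_RENAME_THRESHOLD = 3    # assumed: renames per host before we treat it as encryption
TRUSTED_PREFIXES = ("c:\\windows\\", "c:\\program files")   # assumed trusted binary locations


def _is_trusted_path(path):
    return path.lower().startswith(TRUSTED_PREFIXES)


# (technique id, predicate over one event). IDs for the first three rules come from
# the article's MITRE table; T1546.011 is an assumption for "application shimming".
PER_EVENT_RULES = [
    ("T1070.001", lambda ev: ev["event"] == "process_create"
        and re.search(r"\bwevtutil(\.exe)?\s+cl\b", ev.get("cmdline", ""), re.I) is not None),
    ("T1543.003", lambda ev: ev["event"] == "service_install"
        and not _is_trusted_path(ev["image"])),
    ("T1547", lambda ev: ev["event"] == "registry_set"
        and "\\currentversion\\run\\" in ev["key"].lower()),
    ("T1546.011", lambda ev: ev["event"] == "process_create"
        and ev["image"].lower().endswith("\\sdbinst.exe")),
]


def analyze(events):
    """Return {host: sorted technique ids} for every host with at least one hit."""
    hits = defaultdict(set)
    renames = Counter()
    for ev in events:
        for technique, matches in PER_EVENT_RULES:
            if matches(ev):
                hits[ev["host"]].add(technique)
        if ev["event"] == "file_rename" and ev["new_path"].lower().endswith(RANSOM_EXT):
            renames[ev["host"]] += 1
    # Aggregate rule: a burst of renames to the ransomware extension means encryption
    # is under way (T1486, Data Encrypted for Impact; the ID is an assumption here).
    for host, count in renames.items():
        if count >= MASS_RENAME_THRESHOLD:
            hits[host].add("T1486")
    return {host: sorted(techniques) for host, techniques in hits.items()}


def hosts_to_isolate(events, min_techniques=2):
    """Hosts showing several techniques, or active encryption, warrant isolation."""
    findings = analyze(events)
    return sorted(host for host, techniques in findings.items()
                  if len(techniques) >= min_techniques or "T1486" in techniques)


if __name__ == "__main__":
    for host, techniques in analyze(SAMPLE_EVENTS).items():
        print(host, ", ".join(techniques))
    print("isolate:", hosts_to_isolate(SAMPLE_EVENTS))
```

The per-event rules are deliberately cheap string checks; the value is in the correlation step, which escalates a host only when several of the article’s techniques appear together or when the rename burst that marks the encryption routine starts. On real telemetry the rename counter should be bounded by a time window and the trusted-path list tuned to the environment.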
## MITRE tactics and techniques

| Tactic | Technique | Description |
|---|---|---|
| Initial Access | T1566.001 – Phishing: Spearphishing attachment | Arrives via phishing emails that carry the Get2 loader, which downloads the SDBot and FlawedAmmyy RAT |
| Initial Access | T1190 – Exploit public-facing application | Arrives via any of the following exploits: CVE-2021-27101, CVE-2021-27102, CVE-2021-27103, CVE-2021-27104, CVE-2021-35211 |
| Initial Access | T1078 – Valid accounts | Has been reported to make use of compromised accounts to access victims via RDP |
| Execution | T1106 – Native API | Uses native API to execute various commands/routines |
| Execution | T1059 – Command and scripting interpreter | Uses various scripting interpreters like PowerShell, Windows command shell, and Visual Basic (macro in documents) |
| Execution | T1204 – User execution | User execution is needed to carry out the payload from the spear-phishing link/attachments |
| Persistence | T1547 – Boot or logon autostart execution | Creates registry run entries to execute the ransomware as a service |
| Persistence | T1543.003 – Create or modify system process: Windows service | Creates a service to execute the ransomware |
| Privilege Escalation | T1484.001 – Domain Policy modification: Group Policy modification | Uses stolen credentials to access the AD servers to gain administrator privilege and attack other machines within the network |
| Privilege Escalation | T1068 – Exploitation for privilege escalation | Makes use of CVE-2021-27102 to escalate privilege |
| Privilege Escalation | T1574 – Hijack execution flow | UAC bypass |
| Defense Evasion | T1036.001 – Masquerading: invalid code signature | Makes use of the following digital signatures: DVERI, FADO, TOV |
| Defense Evasion | T1562.001 – Impair defenses: disable or modify tools | Disables security-related software by terminating it |
| Defense Evasion | T1140 – Deobfuscate/Decode files or information | The tool used for exfiltration has a malware trace removal component, and it drops a base-64 encoded file |
| Defense Evasion | T1070.004 – Indicator removal on host: file deletion | Deletes traces of itself in the infected machine |
| Defense Evasion | T1055.001 – Process injection: DLL injection | To deliver other tools and the payload, a tool has the capability to inject its downloaded payload |
| Defense Evasion | T1202 – Indirect command execution | A startup script runs just before the system gets to the login screen via the startup registry |
| Defense Evasion | T1070.001 – Indicator removal on host: clear Windows event logs | Clears the Event Viewer log files |
| Discovery | T1083 – File and directory discovery | Searches for specific files and the directory related to its encryption |
| Discovery | T1018 – Remote system discovery | Makes use of tools for network scans |
| Discovery | T1057 – Process discovery | Discovers certain processes for process termination |
| Discovery | T1082 – System information discovery | Identifies keyboard layout and other system information |
| Discovery | T1012 – Query registry | Queries certain registry keys as part of its routine |
| Discovery | T1063 – Security software discovery | Discovers security software for reconnaissance and termination |
| Lateral Movement | T1570 – Lateral tool transfer | Can make use of RDP to transfer the ransomware or tools within the network |
| Lateral Movement | T1021.002 – Remote services: SMB/Windows admin shares | Drops a copy of the payload to the compromised AD and then creates a service on the target machine to execute the copy of the payload |
| Collection | T1005 – Data from local system | Might make use of RDP to manually search for valuable files or information |

## Summary of malware, tools, and exploits used

Security teams can watch out for the presence of the following malware, tools, and exploits that are typically used in Clop attacks:

| Stage | Malware, tools, and exploits |
|---|---|
| Initial Entry | Phishing emails; exploits: CVE-2021-27101, CVE-2021-27102, CVE-2021-27103, CVE-2021-27104, CVE-2021-35211 |
| Execution | Get2 Loader |
| Discovery | FlawedAmmyy RAT, SDBOT |
| Privilege Escalation | CVE-2021-27102 |
| Lateral Movement | RDP; Cobalt Strike; Active Directory Server Admin Account (new account creation to propagate the payload throughout the network) |
| Command and Control | TinyMet |
| Defense Evasion | SDBOT (uses application shimming to maintain continuity of the attack and to avoid detection) |
| Exfiltration | DEWMODE |

## Recommendations

Despite last year’s arrests of alleged members of the Clop ransomware cartel in Ukraine, our detections of this ransomware indicate that the group is still a potential threat and might strike anytime. Moreover, the operators behind Clop are known to regularly change their TTPs, which means that expecting them to sharpen the proverbial saw is par for the course. It is therefore best to stay vigilant and armed with the knowledge that ransomware operators are always waiting for a chance to pounce on their next victim.

To protect systems against similar threats, organizations can establish security frameworks that allocate resources systematically for establishing a strong defense strategy against ransomware. Here are some best practices that organizations can consider:

**Audit and inventory**

- Take an inventory of assets and data.
- Identify authorized and unauthorized devices and software.
- Make an audit of event and incident logs.

**Configure and monitor**

- Manage hardware and software configurations.
- Grant admin privileges and access only when necessary to an employee’s role.
- Monitor network ports, protocols, and services.
- Activate security configurations on network infrastructure devices such as firewalls and routers.
- Establish a software allowlist that only executes legitimate applications.

**Patch and update**

- Conduct regular vulnerability assessments.
- Perform patching or virtual patching for operating systems and applications.
- Update software and applications to their latest versions.
- To prevent attacks like the Kiteworks FTA exploits, update and patch the FTA to its latest version to close the zero-day vulnerabilities used by the malicious actors.

**Protect and recover**

- Implement data protection, backup, and recovery measures.
- Enable multifactor authentication (MFA).

**Secure and defend**

- Employ sandbox analysis to block malicious emails.
- Deploy the latest versions of security solutions to all layers of the system, including email, endpoint, web, and network.
- Detect early signs of an attack such as the presence of suspicious tools in the system.
- Use advanced detection technologies such as those powered by AI and machine learning.

**Train and test**

- Regularly train and assess employees on security skills.
- Conduct red-team exercises and penetration tests.

A multilayered approach can help organizations guard the possible entry points into the system (endpoint, email, web, and network). Security solutions that detect malicious components and suspicious behavior could also help protect enterprises.

[Trend Micro Vision One™](https://www.trendmicro.com/en_us/business/products/detection-response.html) provides multilayered protection and behavior detection, which helps block questionable behavior and tools early on before the ransomware can do irreversible damage to the system.

[Trend Micro Cloud One™ Workload Security](https://www.trendmicro.com/en_us/business/products/hybrid-cloud/cloud-one-workload-security.html) protects systems against both known and unknown threats that exploit vulnerabilities. This protection is made possible through techniques such as virtual patching and machine learning.
[Trend Micro™ Deep Discovery™ Email Inspector](https://www.trendmicro.com/en_us/business/products/user-protection/sps/email-and-collaboration/email-inspector.html) employs custom sandboxing and advanced analysis techniques to effectively block malicious emails, including phishing emails that can serve as entry points for ransomware.

[Trend Micro Apex One™](https://www.trendmicro.com/en_us/business/products/user-protection/sps/endpoint.html) offers next-level automated threat detection and response against advanced concerns such as fileless threats and ransomware, ensuring the protection of endpoints.

## Indicators of Compromise (IOCs)

The IOCs for this article can be found [here](https://documents.trendmicro.com/images/TEx/articles/Indicators_of_Compromise_(IOC)_-_Clop_Ransomware-vwbhYHm.txt). Actual indicators might vary per attack.