Clop Ransomware (TIR-20210419)

Overview of Clop Ransomware

This report is an overview of the Clop ransomware. Discovered in February of 2019, a recent increase in Clop attacks has been noticed by cybersecurity researchers. Notably, in March of 2021, the actor behind Clop attacked the well-known security firm Qualys, with the intention of leaking customer data. Palo Alto's Unit42 associates Clop ransomware with the group TA505 (Hive0065).

TIR-20210419 Tactics, Techniques, and Procedures

Clop infections can be detected through the “.clop” file extension that is added to files, though variants may include “.CIIp”, “.Cllp”, “.C_L_O_P”  and similar, along with an expected ransomware note. Like many ransomware campaigns, Clop is often delivered through phishing campaigns delivering documents with malicious macros. These macros are used to drop the “Get2” loader on the victim machine, which is used to download additional payloads/tools, including SDBot. Whichever tool is downloaded in the second stage, it is used to ultimately deliver and execute Clop.

Some notable techniques of the ransomware include:

• Defense Evasion – Kills processes for security solutions or backups to ensure effectiveness.
• VM detection – Clop attempts to detect and not execute within virtual environments to avoid analysis and detection.
• Code signing – Bypass security controls requiring executed files to be signed.

Business Unit Impact

• Clop ransomware may affect multiple industries, including but not limited to, retail, transportation and logistics, education, manufacturing, engineering, automotive, energy, financial, aerospace, telecommunications, professional and legal services, and healthcare.
• The threat actor behind this ransomware is known to publish leaked data from attacks on the internet. Infections are guaranteed to lead to unauthorized data exfiltration and exposure, especially if the ransom is not paid.
• The true cost of ransomware infections can be in far excess of the demand due to a variety of factors like system downtime.

Our Recommendations

• Provide users with training on best practices to avoid phishing, as well as awareness of recent trends in phishing campaigns.
• Implement a regular backup schedule for systems, especially those with critical data.
• The linked Palo Alto Unit42 source post also provides a helpful table with recommended products and solutions.
• Deploy Endpoint Protection such as SentinelOne.

Sources

• https://unit42.paloaltonetworks.com/clop-ransomware/  
• https://www.mcafee.com/blogs/other-blogs/mcafee-labs/clop-ransomware/
• https://www.proofpoint.com/us/threat-insight/post/threat-actor-profile-ta505-dridex-globeimposter
• https://www.cpomagazine.com/cyber-security/infosec-firm-qualys-customer-data-leaked-in-a-suspected-ransomware-attack/
• https://www.proofpoint.com/us/threat-insight/post/ta505-distributes-new-sdbbot-remote-access-trojan-get2-downloader

MITRE ATT&CK Techniques

• Phishing
  • https://attack.mitre.org/techniques/T1566/
• Exploit Public-Facing Application
  • https://attack.mitre.org/techniques/T1190/
• Exfiltration Over C2 Channel
  • https://attack.mitre.org/techniques/T1041/
• Subvert Trust Control: Code Signing 
  • https://attack.mitre.org/techniques/T1553/002/
• Command and Scripting Interpreter: Windows Command Shell
  • https://attack.mitre.org/techniques/T1059/003/
• Virtualization/Sandbox Evasion
  • https://attack.mitre.org/techniques/T1497/
• Data Encrypted for Impact
  • https://attack.mitre.org/techniques/T1486/
• Group: TA505
  • https://attack.mitre.org/groups/G0092/

Note: The Avertium Threat Report analyzes one current threat that has been shared by threat intelligence networks across the globe. Used internally by the Avertium CyberOps Team, this report will outline a “top-of-mind” threat and how it ought to be addressed accordingly.

This informed analysis is based on the latest data available.