The Threat of Clop Ransomware: How to Stay Safe and Secure

Clop is a dangerous form of ransomware that has recently leveraged the GoAnywhere MFT vulnerability to compromise a large number of organizations.

April 25, 2023

What is Clop ransomware?

Clop (also written Cl0p) is ransomware used for data-theft extortion. It first appeared in 2019 and is operated on the Ransomware-as-a-Service (RaaS) model. Clop is a variant of the CryptoMix ransomware family, and several improved versions have been released since.

The ransomware itself is a Win32 PE executable, and its operators have distributed builds signed with a valid code-signing certificate, which lends them an appearance of legitimacy and helps them get past security software. Once on a host, Clop attempts to disable Windows Defender and to uninstall Microsoft Security Essentials.
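The behaviour just described (tampering with Defender and removing Microsoft Security Essentials) shows up in process-creation telemetry before encryption starts. The script below is an added example, not code from this article or from a Clop sample: it runs a handful of generic Defender/MSE tampering rules over constructed process-creation log lines and raises a host-level alert when two or more distinct rules fire on one host within five minutes. The log format, host names, users and command lines are assumptions; the rules cover common tampering commands (Set-MpPreference -DisableRealtimeMonitoring, stopping the WinDefend service, the DisableAntiSpyware policy value, killing MsMpEng.exe, uninstalling MSE via wmic or msiexec) and are not a claim about the exact commands Clop issues.

```python
"""Added example (not from the article or from a Clop sample): flag Defender /
Microsoft Security Essentials tampering in process-creation logs and correlate
hits per host. Log format, hosts, users and command lines below are constructed."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Generic tampering patterns, matched against the lower-cased command line.
# These are common techniques, not a claim about Clop's exact command lines.
RULES = [
    ("defender_realtime_off",
     re.compile(r"set-mppreference.*-disablerealtimemonitoring\s+(\$true|1)")),
    ("defender_service_stop",
     re.compile(r"\b(sc|net)(\.exe)?\s+(stop|config)\s+windefend\b")),
    ("defender_policy_disable",
     re.compile(r"\breg(\.exe)?\s+add\s+.*windows defender.*disableantispyware.*/d\s+1\b")),
    ("defender_engine_kill",
     re.compile(r"\btaskkill(\.exe)?\b.*/im\s+msmpeng\.exe")),
    ("mse_uninstall",
     re.compile(r"(wmic(\.exe)?\s+product\s+where\b.*security essentials.*\bcall\s+uninstall"
                r"|msiexec(\.exe)?\b.*/x\b.*security essentials)")),
]

# Assumed one-event-per-line format; real sources would be Sysmon 1 or Security 4688.
LOG_RE = re.compile(
    r'^(?P<ts>\S+)\s+host=(?P<host>\S+)\s+user=(?P<user>\S+)\s+pid=(?P<pid>\d+)'
    r'\s+ppid=(?P<ppid>\d+)\s+image=(?P<image>\S+)\s+cmd="(?P<cmd>.*)"$'
)

# Constructed sample events: three tampering commands on FS01 within 20 seconds,
# a benign 'net use' on WS22, and a lone 'sc stop' on WS07 (below the alert bar).
SAMPLE_LOG = r"""
2023-04-03T10:12:44Z host=FS01 user=CORP\svc_backup pid=4412 ppid=1008 image=C:\Windows\System32\sc.exe cmd="sc stop WinDefend"
2023-04-03T10:12:51Z host=FS01 user=CORP\svc_backup pid=4420 ppid=1008 image=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe cmd="powershell -nop -c Set-MpPreference -DisableRealtimeMonitoring $true"
2023-04-03T10:13:02Z host=FS01 user=CORP\svc_backup pid=4431 ppid=1008 image=C:\Windows\System32\wbem\WMIC.exe cmd="wmic product where name='Microsoft Security Essentials' call uninstall /nointeractive"
2023-04-03T10:40:10Z host=WS22 user=CORP\jdoe pid=2210 ppid=900 image=C:\Windows\System32\net.exe cmd="net use Z: \\FS01\share"
2023-04-03T11:05:30Z host=WS07 user=CORP\itadmin pid=3001 ppid=880 image=C:\Windows\System32\sc.exe cmd="sc stop WinDefend"
"""


def parse_line(line):
    """Parse one event line into a dict, or return None for unparsable/blank lines."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ")
    return ev


def match_rules(cmd):
    """Names of every rule that fires on this command line."""
    lowered = cmd.lower()
    return [name for name, rx in RULES if rx.search(lowered)]


def scan(lines):
    """Run the rules over raw log lines; one hit per (event, rule) pair."""
    hits = []
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue
        for rule in match_rules(ev["cmd"]):
            hits.append({"ts": ev["ts"], "host": ev["host"], "user": ev["user"],
                         "rule": rule, "cmd": ev["cmd"]})
    return hits


def correlate(hits, window=timedelta(minutes=5), min_rules=2):
    """Per host, alert when at least `min_rules` distinct rules fire within `window`.
    A single 'sc stop WinDefend' may be an admin; several distinct tampering
    actions in quick succession look like pre-encryption defence evasion."""
    by_host = defaultdict(list)
    for h in hits:
        by_host[h["host"]].append(h)
    alerts = {}
    for host, hs in by_host.items():
        hs.sort(key=lambda h: h["ts"])
        for i, first in enumerate(hs):
            rules = {h["rule"] for h in hs[i:] if h["ts"] - first["ts"] <= window}
            if len(rules) >= min_rules:
                alerts[host] = sorted(rules)
                break
    return alerts


if __name__ == "__main__":
    found = scan(SAMPLE_LOG.splitlines())
    for h in found:
        print(f'{h["ts"].isoformat()} {h["host"]} {h["user"]} {h["rule"]}: {h["cmd"]}')
    print("alerts:", correlate(found))
```

On the constructed sample this yields four rule hits (three on FS01, one on WS07) and a single correlated alert for FS01; WS07's lone service stop stays below the two-rule threshold and would instead be a candidate for the admin-account review recommended later in this article.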

For roughly two years after its high-profile attack on Accellion's File Transfer Appliance, which was followed by the Ukrainian police's arrest of six people linked to the group, Clop stayed largely out of the spotlight. Recently, however, it has again made a significant impact on the cyber threat landscape.

Here are the latest developments that you need to know.

Clop’s latest ransomware attack

Throughout the first quarter of this year, Flashpoint has observed a significant increase in Clop's activity: the group rose to the second-largest number of victims, surpassed only by LockBit.

This newfound success has come from exploiting a flaw in Fortra's managed file transfer product, GoAnywhere MFT. Tracked as CVE-2023-0669, the vulnerability is a pre-authentication remote code execution (RCE) flaw: a specially crafted request to the License Response Servlet in the product's administrative console is deserialized by the server, allowing a remote attacker to execute arbitrary commands without credentials. Fortra's advisory notes that the attack requires access to the administrative console, which should not be reachable from the internet; instances whose console was exposed are the ones at risk.

Through the GoAnywhere MFT vulnerability, Clop claims to have stolen data from 130 organizations and has been steadily posting victim names to its leak site. At this time, according to Flashpoint's data breach intelligence database Cyber Risk Analytics (CRA), only fourteen companies have publicly disclosed compromises associated with CVE-2023-0669; several of them are listed on Clop's leak site.

How to detect and prevent Clop ransomware

Given Clop's new tactic of exploiting the GoAnywhere MFT vulnerability, the best way to prevent a data extortion event is to patch: details of the fixed release (7.1.2), along with comprehensive metadata, can be found in VulnDB. Remediating CVE-2023-0669 is urgent because threat actors in illicit communities are actively discussing how to scan for susceptible systems following Clop's success with the flaw. Patching alone does not evict an attacker who exploited the flaw before the update was applied, so any instance whose administrative console was reachable while unpatched should also be reviewed for unexpected administrator accounts and other signs of compromise.
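A practitioner's first question is whether a given install is still exploitable. The script below is an added example, not Flashpoint's or Fortra's code: it takes the instance's version string and the admin console's web.xml and reports whether the build predates 7.1.2 and whether the License Response Servlet mapping at /lic/accept (the mapping Fortra's interim mitigation told customers to comment out before the patch shipped) is still being served. The web.xml excerpts are constructed, the descriptor path is assumed, and the script deliberately does not model network reachability of the console, which must be checked separately.

```python
"""Added example (not Flashpoint's or Fortra's code): assess a GoAnywhere MFT
instance for CVE-2023-0669 from its version string and the admin console's
web.xml. The web.xml excerpts are constructed; the file path is an assumption."""
import re

FIXED_VERSION = (7, 1, 2)   # first release carrying Fortra's fix

# Assumed location of the admin console descriptor on a Linux install.
WEB_XML_PATH = "/opt/GoAnywhere/adminroot/WEB-INF/web.xml"

# The servlet mapping Fortra's interim mitigation had customers comment out.
LICENSE_MAPPING = re.compile(
    r"<servlet-mapping>\s*<servlet-name>\s*License Response Servlet\s*</servlet-name>"
    r"\s*<url-pattern>\s*/lic/accept\s*</url-pattern>\s*</servlet-mapping>",
    re.S,
)


def parse_version(text):
    """'7.1.1' -> (7, 1, 1); tolerates a trailing build tag such as '7.1.1-b3'."""
    m = re.match(r"\s*(\d+(?:\.\d+)*)", text)
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    return tuple(int(p) for p in m.group(1).split("."))


def is_patched(version):
    """True when the build is 7.1.2 or later."""
    v = parse_version(version)
    v += (0,) * (len(FIXED_VERSION) - len(v))   # '7.1' compares as 7.1.0
    return v >= FIXED_VERSION


def license_servlet_active(web_xml):
    """True when the /lic/accept mapping is live, i.e. not inside an XML comment."""
    uncommented = re.sub(r"<!--.*?-->", "", web_xml, flags=re.S)
    return LICENSE_MAPPING.search(uncommented) is not None


def assess(version, web_xml):
    """Combine both checks: the vulnerable code path is reachable only when the
    build is unpatched AND the License Response Servlet is still mapped."""
    patched = is_patched(version)
    live = license_servlet_active(web_xml)
    return {
        "version": version,
        "patched": patched,
        "license_servlet_active": live,
        "exposed": (not patched) and live,
    }


# Constructed descriptors: the mapping live, and the mapping commented out.
UNPATCHED_WEB_XML = """
<web-app>
  <servlet-mapping>
    <servlet-name>License Response Servlet</servlet-name>
    <url-pattern>/lic/accept</url-pattern>
  </servlet-mapping>
  <servlet-mapping>
    <servlet-name>Example Servlet</servlet-name>
    <url-pattern>/example/*</url-pattern>
  </servlet-mapping>
</web-app>
"""

MITIGATED_WEB_XML = """
<web-app>
  <!-- disabled per interim mitigation for CVE-2023-0669
  <servlet-mapping>
    <servlet-name>License Response Servlet</servlet-name>
    <url-pattern>/lic/accept</url-pattern>
  </servlet-mapping>
  -->
  <servlet-mapping>
    <servlet-name>Example Servlet</servlet-name>
    <url-pattern>/example/*</url-pattern>
  </servlet-mapping>
</web-app>
"""


if __name__ == "__main__":
    # Stand-alone run over the constructed inputs; on a real host read WEB_XML_PATH.
    for ver, xml in (("7.1.1", UNPATCHED_WEB_XML),
                     ("7.1.1", MITIGATED_WEB_XML),
                     ("7.1.2", UNPATCHED_WEB_XML)):
        print(assess(ver, xml))
```

A build of 7.1.1 with the mapping live is reported as exposed; the same build with the mapping commented out, or any build at 7.1.2 or later, is not. Treat "not exposed" as a statement about the vulnerable code path only: an instance that was exposed at any point before mitigation still needs the compromise review described above.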

However, the GoAnywhere MFT vulnerability is not the only weapon in Clop's arsenal. The group has been known to use DDoS and various phishing tactics in previous attacks, so organizations also need to follow best practices and implement proper security controls. To help prevent a data extortion event, organizations can:

  1. Keep devices and software current, using comprehensive vulnerability intelligence to find what is outdated.
  2. Prioritize critical vulnerabilities already known to be used in ransomware attacks, using tools such as VulnDB's Ransomware Likelihood Prediction Model.
  3. Review administrator and other highly privileged accounts frequently, and audit admin logs for unusual activity.
  4. Provide security awareness training so that employees can identify and report suspicious email attachments and malicious links.

Prevent and respond to a ransomware attack with Flashpoint

Ransomware response is as important as prevention. If an organization is hit by ransomware, a well-practiced incident response plan can greatly reduce the damage. To learn more about how Flashpoint helps security teams prevent and respond to ransomware attacks, contact us or sign up for a free trial.
