Clop Ransomware
Infosec Train
InfosecTrain offers complete training and consulting solutions to its customers globally
Clop is a type of ransomware that belongs to the CryptoMix family. It encrypts data and alters file names by adding the ‘.clop’ extension to each encrypted file. The name Clop is derived from the Russian word klop, which means bed bug. One of the advanced features of Clop ransomware is its attempt to disable Windows Defender and remove Microsoft Security Essentials, which aids in stealthy infiltration of the victim's system.
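The ‘.clop’ renaming described above is one of the simplest on-disk indicators a responder can check for. The following triage helper is an added example, not code from the original article or from InfosecTrain: it walks a directory tree, lists every file carrying the ‘.clop’ suffix together with the original name it replaced, and reports per-directory counts so the blast radius is visible. The sample tree it builds under a temp directory is constructed for demonstration only.

```python
"""Triage helper: locate files renamed with the '.clop' extension (added example)."""
import os
import tempfile

CLOP_SUFFIX = ".clop"


def find_clop_files(root):
    """Walk `root` and return [(encrypted_path, original_name)] for every '.clop' file."""
    hits = []
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            if name.lower().endswith(CLOP_SUFFIX):
                # Strip the appended suffix to recover the pre-encryption file name.
                hits.append((os.path.join(dirpath, name), name[: -len(CLOP_SUFFIX)]))
    return hits


def summarize_by_directory(root):
    """Return {directory: (encrypted_count, total_count)} for every directory holding files."""
    summary = {}
    for dirpath, _dirnames, filenames in os.walk(root):
        if not filenames:
            continue
        encrypted = sum(1 for n in filenames if n.lower().endswith(CLOP_SUFFIX))
        summary[dirpath] = (encrypted, len(filenames))
    return summary


def build_sample_tree():
    """Constructed sample data: a temp tree with two '.clop' files and one untouched file."""
    root = tempfile.mkdtemp(prefix="clop_demo_")
    docs = os.path.join(root, "docs")
    os.makedirs(docs)
    for name in ("report.docx.clop", "budget.xlsx.clop", "readme.txt"):
        with open(os.path.join(docs, name), "w") as fh:
            fh.write("placeholder content\n")
    return root


if __name__ == "__main__":
    sample = build_sample_tree()
    for path, original in find_clop_files(sample):
        print(f"{path} (originally {original})")
    for directory, (enc, total) in summarize_by_directory(sample).items():
        print(f"{directory}: {enc}/{total} files renamed with {CLOP_SUFFIX}")
```

Point `find_clop_files` at a mounted image or a share rather than the sample tree to use it on a real incident; a directory where most files carry the suffix is a strong sign the encryptor ran there.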
Key Highlights
● The Clop ransomware, also called CLOP or Cl0p, recently targeted the MOVEit Transfer file-transfer platform, resulting in compromised networks worldwide. According to BlackBerry's Vice President of Threat Intelligence, Ismael Valenzuela, the attack on this and similar tools can expose sensitive information to threat actors.
● The Clop ransomware group has confirmed to BleepingComputer that they were responsible for the data-theft attacks on MOVEit Transfer. The attacks involved exploiting a zero-day vulnerability to breach servers belonging to hundreds of companies and stealing their data.
● As per the Clop representative, they began exploiting the vulnerability on May 27th, coinciding with the extended US Memorial Day holiday, which Mandiant previously disclosed.
● The Clop ransomware group often attacks during holidays when fewer people are working. This tactic helps them to exploit vulnerabilities on a larger scale since security measures might be more relaxed during those times.
● Clop did not reveal how many organizations were affected in the MOVEit Transfer attacks. However, they warned that their names would be shown on the data leak site if the victims did not pay the ransom.
● Initially, the gang did not demand ransom from the victims. They took time to review the stolen data, determined what was valuable, and hence planned to ask for ransom from the affected companies.
● During the recent GoAnywhere MFT attacks by Clop, the gang waited over a month before sending ransom demands to the affected organizations.
● Surprisingly, without any request, the ransomware gang informed BleepingComputer that they had deleted all the stolen data from government organizations, the military, and children's hospitals during these attacks.
● BleepingComputer cannot verify the truthfulness of these claims, and just like any data-theft attack, all affected organizations should consider their data to be at risk of misuse. Taking immediate steps to protect and secure the data from potential abuse is essential.
● Although Clop initially operated as a ransomware group, they informed BleepingComputer that they are now shifting their focus away from encryption. Instead, they are more interested in stealing and using data to extort money from their victims.
Clop Ransomware v2
● Clop Ransomware v2, initially identified in October 2021, represents a significant upgrade from its predecessor, introducing new functionalities.
● A standout feature of Clop v2 is its implementation of double extortion. Beyond encrypting files, this version threatens to expose victim data unless the ransom is paid. This dual threat intensifies the impact, not only disrupting business operations but also jeopardizing sensitive information.
● Adding to its toolkit, Clop v2 extends its reach to cloud-based environments. Exploiting vulnerabilities in platforms like Microsoft Azure and Amazon Web Services, it poses a threat to organizations irrespective of data storage locations—be it on-premises or in the cloud.
Clop v2 introduces several additional features and capabilities, including:
● Encryption functionality extended to Network Attached Storage (NAS) devices.
● Encryption capabilities expanded to cover files on Linux and macOS devices.
● Ability to disable antivirus and security software.
● Propagation through networks facilitated via brute-force attacks and phishing emails.
To reduce the risk of Clop ransomware, follow these steps:
● Keep an eye on network ports, protocols, and services. Set up security settings on devices like firewalls and routers.
● Constantly update your software and applications to the latest versions. Regularly check for vulnerabilities in your systems.
● Make a list of all your devices and data, and identify which ones are allowed and which are not.
● Only give admin privileges and access to those who genuinely need it. Create a list of approved software that is allowed to run on your systems.
Graduate of B.Sc Industrial Chemistry, 2017.
11 months
Thank you so much for the updates. I am really on the track of being more curious and paying attention to my network protocols and to be more observant and educated in the course.