On Jan. 4, the Health Sector Cybersecurity Coordination Center (HC3) published an analyst note on Clop ransomware. Clop operates under the Ransomware-as-a-Service (RaaS) model and HC3 is aware of attacks on the health and public health sector (HPH). The group was first observed in 2019 and targets organizations with a revenue of $5 million (USD) or higher.
The note states that “Clop ransomware, also written as Cl0p, was first observed in February 2019 and the operators have seen very large payouts of up to $500 million USD. Clop is the successor of the CryptoMix ransomware, which is believed to have been developed in Russia and is a popular payload for groups such as FIN11 and other Russian affiliates. Like most ransomware groups, financial gain appears to be their primary goal, which they leverage through the use of the double extortion model. Through this technique the threat actor will encrypt and exfiltrate sensitive information. Sensitive data will be released on their dark web leak site if payment is not made. This model is used so the actor can have additional leverage to help collect a ransom payment.”
Experts believed that incidents of Clop ransomware would decline in 2021 after six ransomware operators were arrested in 2021, but the malware remained active through 2022. Also, it has been found that it is a potential payload from the downloader malware, TrueBot. Clop has anti-analysis capabilities and anti-virtual machine analysis to help prevent further investigations in an emulated environment.
The analyst note adds that “Clop was written to target Windows systems, and some reporting samples showcase that it is a Win32 executable written in C++. The executable packet is compressed, which helps hide its functionality. The ransomware encrypts files with an RSA 1024-bit public key with RC4 that uses 117 bytes of the public key. Phishing emails have been a primary initial access vector for Clop, but reports have shown that it also exploits the following Common Vulnerabilities and Exposures (CVE): CVE-2021-27101, CVE-2021-27102, CVE-2021-27103, CVE-2021-27104, and CVE-2021-35211.”
Further, “Once a network has been compromised, they have been observed to use remote desktop protocols and deploying Cobalt Strike to aid in lateral movement. Finally, after encryption is complete, the victim will be able to access a dropped README.TXT, and the encrypted file’s extension will be changed to ‘Clop’. In the ransom note, it states that the Shadow Volume Copies have been deleted and the decryption key is only available from the group, along with claiming that all the files will be deleted after two weeks have passed.”
In the note, the analyst comment says that “The Clop ransomware has been around since 2019, and even though the organization had several members arrested, its activity appeared to be uninterrupted. However, the gang has had difficulties getting victims to payout on a ransom which has reportedly lead to a change in their tactics that directly impacts the HPH sector. The group has been infecting files that are disguised to look like medical documents, submitting them to facilities, and then requesting a medical appointment in hopes of those malicious documents being opened and reviewed beforehand. These attacks have a higher chance of working due to conditions from COVID-19 expansion in the telehealth environment.”
Other techniques observed outside of those listed in the note include
- Phishing
- Remote Desktop Protocol compromises and credential abuse
- Compromises of exploited vulnerabilities, such as VPN serves
- Compromises of other known vulnerabilities
