Clop Ransomware Attacks

Ransomware

May 23, 2024

In recent years, Clop (Cl0p) has emerged as a prominent and successful ransomware and extortion group that targets widely used managed file transfer software such as MOVEit, GoAnywhere, and Accellion. In addition to social engineering and phishing, the group exploits zero-day vulnerabilities, impacting numerous organizations worldwide in a single extensive campaign and then going quiet for several months. Researchers who analyzed the vulnerability and ransomware trends behind recent mass compromises found that, for the second time in three years, more mass compromise events stemmed from zero-day vulnerabilities than from known (n-day) vulnerabilities. They cited Clop's large-scale, highly orchestrated smash-and-grab campaigns, which used zero-day exploits for MOVEit and GoAnywhere to compromise many victims in a short window before defenders could detect and respond. Once a vulnerable server is exploited, Clop operators exfiltrate data without encrypting it and threaten to publish the data if the ransom is not paid.

Clop’s last extensive campaign targeted MOVEit, beginning in late May 2023 and tapering off in the fall of 2023. Although Clop activity was slow in the first quarter of 2024, the NJCCIC has since received more reports of Clop ransomware impacting New Jersey organizations. Some of these reports indicate a shift in tactics: the threat actors are targeting smaller organizations and encrypting some devices, whereas prior campaigns targeted enterprise organizations and exfiltrated data without encryption. In one incident, the victim clicked a malvertising link on a search engine results page and, using an account with administrator access, installed a trojanized version of a legitimate application that gave the threat actors a backdoor into the environment. The threat actors then performed reconnaissance for several weeks and moved laterally before encrypting files.

Recommendations

  • Participate in security awareness training to provide a strong line of defense and identify red flags in potentially malicious communications.
  • Navigate directly to legitimate websites and verify websites before submitting account credentials or providing personal or financial information.
  • Examine search engine results and advertisements before clicking links or downloading software.
  • Obtain software directly from the developer’s or vendor’s own website, and verify the installer (publisher signature or the hash the vendor publishes) before running it, particularly when installing with administrator rights.
  • Use strong, unique passwords and enable multi-factor authentication (MFA), choosing authentication apps or hardware tokens over SMS text-based codes.
  • Reduce your digital footprint to lower the likelihood of being singled out by malicious actors.
  • Apply the Principle of Least Privilege, segment networks, and implement a defense-in-depth strategy.
  • Keep systems up to date and apply patches after appropriate testing.
  • Conduct vulnerability scanning and ransomware readiness assessments.
  • Establish a comprehensive data backup plan that includes regularly performing scheduled backups, keeping an updated copy offline in a separate and secure location, and testing it regularly.
  • Ransomware mitigation techniques and recommendations are available in the Ransomware: The Current Threat Landscape and the Ransomware: Risk Mitigation Strategies NJCCIC products.
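The incident described above began with a malvertising link on a search results page and a trojanized installer run with administrator rights, which is exactly what the recommendations on examining search results and obtaining software from the developer are meant to stop. As an added example (this is not NJCCIC code or a tool the advisory describes), the Python below shows two checks a help desk or software-deployment script can apply before an installer is run: classify the download host against the vendor's own domains, flagging punycode labels, brand names used on someone else's domain, and typosquatted lookalikes, and verify the installer's SHA-256 against the hash the vendor publishes. The vendor name, allowlisted hosts, sample installer bytes, and "published" hash are all constructed for the example; the host classification goes a little beyond the single incident by covering several lookalike patterns seen in malvertising generally.

```python
"""Checks a downloaded installer's source host and file hash before it is run.

Added example, not NJCCIC code. The vendor name, hosts, and hash below are
constructed for illustration; real allowlists come from the vendor's own site.
"""
import hashlib
import hmac
import os
import tempfile
from urllib.parse import urlsplit

# Constructed allowlist: hosts the (fictional) vendor actually serves downloads from.
TRUSTED_HOSTS = {"example-vendor.com", "downloads.example-vendor.com"}


def registrable_domain(host):
    """Last two DNS labels. Assumption: no public-suffix list is used, so hosts
    under suffixes like 'co.uk' are not handled; enough to illustrate the check."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def levenshtein(a, b):
    """Edit distance, used to catch small typosquats such as examp1e-vendor."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify_download_host(url, trusted_hosts):
    """Return 'trusted', 'lookalike', or 'untrusted' for the host in a download URL."""
    host = (urlsplit(url).hostname or "").lower().rstrip(".")
    if not host:
        return "untrusted"
    if host in trusted_hosts:
        return "trusted"
    trusted_domains = {registrable_domain(t) for t in trusted_hosts}
    base = registrable_domain(host)
    if base in trusted_domains:
        return "trusted"  # assumption: any subdomain of the vendor's own domain is acceptable
    if any(label.startswith("xn--") for label in host.split(".")):
        return "lookalike"  # punycode label: homoglyph domains are a common malvertising trick
    for domain in trusted_domains:
        brand = domain.split(".")[0]
        if brand in host:
            return "lookalike"  # vendor name used as a subdomain or prefix on another domain
        if levenshtein(base.split(".")[0], brand) <= 2:
            return "lookalike"  # typosquat of the vendor's domain label
    return "untrusted"


def sha256_file(path, chunk_size=1 << 20):
    """SHA-256 of a file, read in chunks so large installers need not fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def verify_installer(path, published_sha256):
    """True only if the file's hash matches the hash the vendor published."""
    return hmac.compare_digest(sha256_file(path), published_sha256.strip().lower())


def demo():
    """Constructed end-to-end run: a sample installer, its 'published' hash, and a tampered copy."""
    sample = b"MZ" + b"constructed sample installer bytes, not a real program\n" * 64
    # Stands in for the hash the vendor publishes on its own download page.
    published = hashlib.sha256(sample).hexdigest()
    with tempfile.TemporaryDirectory() as tmp:
        good = os.path.join(tmp, "example-setup.exe")
        tampered = os.path.join(tmp, "example-setup-tampered.exe")
        with open(good, "wb") as f:
            f.write(sample)
        with open(tampered, "wb") as f:
            f.write(sample + b"\x90" * 16)  # any change to the build breaks the hash
        return {
            "host": classify_download_host(
                "https://downloads.example-vendor.com/example-setup.exe", TRUSTED_HOSTS),
            "ad_host": classify_download_host(
                "https://example-vendor.download-center.net/example-setup.exe", TRUSTED_HOSTS),
            "hash_ok": verify_installer(good, published),
            "tampered_ok": verify_installer(tampered, published),
        }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The hash check is only as good as its reference value: the published hash must be taken from the vendor's own site, not from the same ad-linked page that served the installer. On Windows, the publisher signature is a second independent check (Get-AuthenticodeSignature in PowerShell), and an installer that fails either check should not be run, least of all from an administrator account.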