Late last month, Clop ransomware gang operators published proof of successful breaches of multiple large universities across the United States. The threat actors associated with Clop ransomware have been targeting Accellion FTA servers, stealing sensitive data and demanding high ransoms by employing a ‘double-extortion’ tactic to ensure payment. First, the threat actors steal sensitive corporate data from the network, then they deploy ransomware onto the network to encrypt all files, forcing the victims to make a difficult choice. Lastly, Clop ransomware gang operators target top executives and prioritize stealing data from the executives to pressure companies into paying higher ransom requests.
What is Clop?
Clop is Windows-based ransomware that encrypts files using the RC4 encryption algorithm. Clop generates an RC4 key per file, encrypts each RC4 key using an embedded RSA public key, appends the encrypted key to the file contents, and adds the extension “.CIop” to encrypted filenames. Once Clop ransomware executes in the victim’s environment, it checks for keyboard layouts and character sets commonly used in Russia and other Eastern European countries. Then it checks for antivirus-related processes; if they are found, Clop removes shadow copies, resizes the shadow storage for drives C through H, and disables automatic repair. The malware then iterates through running processes and terminates processes based on a pre-defined list. Finally, the malware moves through all the directories on all drives, calculates a hash, and encrypts any file that does not match a pre-defined list, leaving behind a ransom note named “ClopReadMe.txt.”
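As an added example (not code from the original article or from any Clop sample), the following Python detection logic scores the pre-encryption sequence described above, shadow copy deletion, shadow storage resizing and disabling automatic repair, over constructed process-creation events; the command lines it matches are the standard Windows tools for those actions and are an assumption, not quoted from the article.

```python
import re

# Constructed sample process-creation events (Sysmon Event ID 1 / 4688 style).
# They are not from a real infection; the command lines are the well-known
# Windows utilities for the actions the article describes (assumption).
SAMPLE_EVENTS = [
    {"host": "ws01", "image": r"C:\Windows\System32\vssadmin.exe",
     "cmdline": "vssadmin.exe Delete Shadows /All /Quiet"},
    {"host": "ws01", "image": r"C:\Windows\System32\vssadmin.exe",
     "cmdline": "vssadmin.exe resize shadowstorage /for=D: /on=D: /maxsize=401MB"},
    {"host": "ws01", "image": r"C:\Windows\System32\bcdedit.exe",
     "cmdline": "bcdedit /set {default} recoveryenabled No"},
    {"host": "ws02", "image": r"C:\Windows\System32\vssadmin.exe",
     "cmdline": "vssadmin.exe list shadows"},   # benign admin activity
    {"host": "ws02", "image": r"C:\Windows\System32\notepad.exe",
     "cmdline": "notepad.exe report.txt"},
]

# One case-insensitive regex per stage of the pre-encryption sequence.
RULES = {
    "shadow_copy_deletion": re.compile(r"vssadmin(\.exe)?\s+delete\s+shadows", re.I),
    "shadow_storage_resize": re.compile(r"vssadmin(\.exe)?\s+resize\s+shadowstorage", re.I),
    "auto_repair_disabled": re.compile(r"bcdedit(\.exe)?\s+/set\b.*recoveryenabled\s+no", re.I),
}


def classify(event):
    """Return the names of every rule whose pattern matches the event's command line."""
    return [name for name, rx in RULES.items() if rx.search(event["cmdline"])]


def score_hosts(events, threshold=2):
    """Collect the distinct stages seen per host and flag hosts that hit at least
    `threshold` of them, so a lone 'vssadmin list shadows' from an admin does not alert."""
    stages = {}
    for ev in events:
        for name in classify(ev):
            stages.setdefault(ev["host"], set()).add(name)
    return {host: sorted(seen) for host, seen in stages.items() if len(seen) >= threshold}


if __name__ == "__main__":
    for host, hits in score_hosts(SAMPLE_EVENTS).items():
        print(f"{host}: ransomware pre-encryption sequence suspected: {hits}")
```

In a real deployment the events would come from Sysmon or Security log 4688 records with command-line auditing enabled, and the per-host threshold keeps single administrative commands from paging anyone.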
Who are the Clop ransomware gang operators?
Clop ransomware operators are believed to be Russian or Eastern European due to the check for Cyrillic keyboard layouts. FIN11, a well-established, financially motivated threat group, is known to use Clop ransomware and is believed to have authored the malware.
- FIN11 has been active since at least 2016 and has conducted some of the most extensive and longest-running malware distribution campaigns.
- Many researchers believe FIN11 is closely related to TA505, the group behind the infamous Dridex banking Trojan and Locky ransomware; this close relationship between FIN11 and TA505 suggests that Clop ransomware operators have been conducting operations since 2014.
- FIN11’s target scope is broad and includes universities and government organizations.
- FIN11 constantly evolves its malware and delivery techniques to ensure it can monetize its efforts, and it will continue to be a significant player in the ransomware business as it matures and identifies new targets.
FIN11 Tactics, Techniques and Procedures (TTPs)
FIN11 hackers use a range of new and evolving TTPs, having conducted widespread attacks and campaigns for years.
Initial Access: The adversary will use various entry vectors to gain an initial foothold within a network using techniques including targeted spear phishing and exploiting weaknesses on public-facing web servers.
- Phishing – Sending phishing messages to gain access to victim systems
- Exploit Public-Facing Applications – Taking advantage of weaknesses in an Internet-facing computer or program using software, data or commands in order to cause unintended or unanticipated behavior.
- Drive-by Compromise – Gaining access to a system through a user visiting a website over the normal course of browsing.
- Valid Accounts – Obtaining and abusing credentials of existing accounts as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion.
Execution: The adversary tries to run malicious code using techniques that result in adversary-controlled code running on a local or remote system.
- Windows Management Instrumentation (WMI) – Often used to achieve execution, this Windows administration feature provides a uniform environment for local and remote access to Windows system components.
- Command and Scripting Interpreter – Abusing command and script interpreters, which provide ways of interacting with computer systems and are a common feature across many different platforms.
- Scheduled Task/Job – Used to facilitate initial or recurring execution of malicious code.
- User Execution – Subjecting users to social engineering to get them to open a file that will lead to code execution.
Persistence: The adversary may try to maintain control of systems across restarts, changed credentials and other interruptions.
- Boot or Logon Autostart Execution – Configuring settings on compromised systems to automatically execute a program to maintain persistence or gain privileges.
- Event Triggered Execution – Using system mechanisms that trigger execution based on specific events, like logons, running specific applications and other user activity.
- Scheduled Task/Job – Abusing task scheduling functionality to facilitate initial or recurring execution of malicious code.
- Create/Modify System Process – Creating or modifying system-level processes to repeatedly execute malicious payloads as part of persistence.
- Valid Accounts – Obtaining and abusing credentials of existing accounts as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion.
- Create Account – Creating an account to maintain access to victim systems and using it to establish secondary credentialed access that does not require persistent remote access tools to be deployed on the system.
Focusing on the first three phases of the MITRE ATT&CK Framework allows network defenders to concentrate their resources and defenses on these critical areas. Identifying persistence is vital. The ability to kill the attacker’s access is paramount in disrupting an attack in its initial stages. Focused security monitoring that scrutinizes processes, accounts, users, groups, and network connections provides network defenders with indicators and warnings of a breach.
If you have questions about the Clop breach or how to protect yourself and your company against ransomware attacks, or for more information on offensive cybersecurity measures, check out Redpoint Labs and reach out to David Duncan or a member of our team.