The Cl0p ransomware group has gained notoriety through a series of widespread attacks on companies and government agencies that exploited zero-day vulnerabilities in the MOVEit Managed File Transfer platform. The impact has been significant, and the list of affected data keeps growing: personal information on millions of workers investing in the CalPERS pension fund, employee data from the BBC and British Airways, sensitive information from the US Department of Energy, and personal details of citizens of Nova Scotia.
According to Steve Povolny, director of security research at Exabeam, these attacks demonstrate the technical capabilities of the Cl0p group. He states that these ransomware gangs are well-funded, well-resourced, and highly organized, conducting carefully planned attacks designed to be stealthy and then make a big impact. This shift in tactics has made it more difficult to identify the adversary behind the attacks.
One indicator that organizations can use to determine whether the Cl0p group has exploited the MOVEit vulnerabilities is a specific fingerprint. The attackers install a web shell named LEMURLOOT under the file name “human2.aspx” and send it commands through HTTP requests that carry a header field named “X-siLock-Comment”. The presence of these indicators suggests that the Cl0p group may have breached the system.
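The two indicators above (a request for a file named human2.aspx, or a request carrying an X-siLock-Comment header) can be checked mechanically against request records from a reverse proxy, WAF or packet capture. The following is an added example, not code from the article or from any vendor: it parses raw HTTP request text and reports which of the two indicators each request matches. The sample requests, host names and header values are constructed for the demonstration.

```python
"""Flag HTTP requests that match the LEMURLOOT web shell indicators named in the
article: a request for human2.aspx, or a request carrying X-siLock-Comment.
Added example; the request samples below are constructed, not real traffic."""
from typing import Dict, List, Tuple

# Constructed raw requests, as a proxy or capture tool might record them.
# Header names are compared case-insensitively because HTTP treats them that way.
SAMPLE_REQUESTS = [
    "GET /human2.aspx HTTP/1.1\r\nHost: moveit.example.test\r\n"
    "X-siLock-Comment: 0123abcd\r\n\r\n",                      # both indicators
    "POST /human2.aspx HTTP/1.1\r\nHost: moveit.example.test\r\n"
    "Content-Length: 0\r\n\r\n",                                # path only
    "GET /api/v1/token HTTP/1.1\r\nHost: moveit.example.test\r\n"
    "User-Agent: example-client\r\n\r\n",                       # benign
    "GET /human.aspx HTTP/1.1\r\nHost: moveit.example.test\r\n\r\n",  # near-miss name, must not match
    "GET /index.html?x=1 HTTP/1.1\r\nHost: moveit.example.test\r\n"
    "x-silock-comment: zzz\r\n\r\n",                            # header only, lowercase name
]


def parse_request(raw: str) -> Dict[str, object]:
    """Split a raw HTTP/1.1 request into method, target and a lowercase header map."""
    head, _, _body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    method, target, _version = lines[0].split(" ", 2)
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        if not line:
            continue
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return {"method": method, "target": target, "headers": headers}


def lemurloot_indicators(raw: str) -> List[str]:
    """Return the list of article indicators present in one request (empty if none)."""
    req = parse_request(raw)
    hits: List[str] = []
    # Strip any query string and compare only the final path component,
    # so /some/dir/human2.aspx matches but /human.aspx does not.
    path = str(req["target"]).split("?", 1)[0]
    if path.lower().rsplit("/", 1)[-1] == "human2.aspx":
        hits.append("path:human2.aspx")
    if "x-silock-comment" in req["headers"]:  # type: ignore[operator]
        hits.append("header:X-siLock-Comment")
    return hits


def scan(requests: List[str]) -> List[Tuple[int, List[str]]]:
    """Index every request that carries at least one indicator."""
    found = []
    for i, raw in enumerate(requests):
        hits = lemurloot_indicators(raw)
        if hits:
            found.append((i, hits))
    return found


if __name__ == "__main__":
    for idx, hits in scan(SAMPLE_REQUESTS):
        print(f"request {idx}: {', '.join(hits)}")
```

A match on either indicator is a reason to preserve the web server's request logs and the webroot before anything is cleaned up; a request for human2.aspx that returned 200 is a stronger signal than one that returned 404, so keep the status code next to each hit when you run this over real records.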
Another indicator of Cl0p ransomware is the use of legitimate code-signing certificates to evade detection by security software. The group often deploys ransomware of the same name during the attack, targeting large organizations and exploiting vulnerabilities in file transfer or management software. The Cl0p ransomware appends various extensions to the victim’s files, such as .clop, .CIIp, .Cllp, and .C_L_O_P. Detecting the ransomware before files are encrypted is crucial.
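The extension list above is most useful for scoping after the fact: a quick walk of a file share or backup snapshot shows which directories were touched and how widely. The following is an added example, not code from the article: it scans a directory tree for the four extensions named above and groups the hits by extension. The sample tree it builds in a temporary directory is constructed for the demonstration; the extension set is taken from the article and is compared case-insensitively.

```python
"""Scope a directory tree for files carrying the Cl0p extensions named in the
article.  Added example with a constructed sample tree; not the article's code."""
import os
import tempfile
from typing import Dict, List

# Extensions from the article, lower-cased so the comparison is case-insensitive.
CLOP_EXTENSIONS = {".clop", ".ciip", ".cllp", ".c_l_o_p"}


def has_clop_extension(filename: str) -> bool:
    """True if the file's final extension is one of the listed Cl0p extensions."""
    return os.path.splitext(filename)[1].lower() in CLOP_EXTENSIONS


def scan_tree(root: str) -> Dict[str, List[str]]:
    """Map each extension actually observed (original case) to the matching paths."""
    hits: Dict[str, List[str]] = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if has_clop_extension(name):
                ext = os.path.splitext(name)[1]
                hits.setdefault(ext, []).append(os.path.join(dirpath, name))
    return hits


def affected_ratio(root: str) -> float:
    """Fraction of regular files under root that carry a Cl0p extension."""
    total = matched = 0
    for _dirpath, _dirs, files in os.walk(root):
        for name in files:
            total += 1
            matched += has_clop_extension(name)
    return matched / total if total else 0.0


def build_sample_tree() -> str:
    """Create a constructed tree: three renamed files and two untouched ones."""
    root = tempfile.mkdtemp(prefix="clop_scope_demo_")
    for rel in [
        "reports/q1.xlsx.clop",
        "reports/q2.xlsx.Cllp",
        "hr/payroll.docx.C_L_O_P",
        "hr/readme.txt",
        "images/logo.png",
    ]:
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as fh:
            fh.write(b"sample")  # contents are irrelevant; only names are inspected
    return root


if __name__ == "__main__":
    demo_root = build_sample_tree()
    for ext, paths in sorted(scan_tree(demo_root).items()):
        print(f"{ext}: {len(paths)} file(s)")
    print(f"affected ratio: {affected_ratio(demo_root):.0%}")
```

Run it against a read-only mount or a snapshot rather than the live share, and treat a non-zero ratio as a trigger to isolate the host that wrote those files; the scan tells you what was hit, not which process did it, which is the job of the endpoint telemetry the article recommends.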
In addition to these indicators, the Cl0p group uses ancillary tools to extend their compromise or gain initial access. One of these tools is the Truebot downloader, often linked to the Silence group, which leads to a Cl0p infection and the installation of Cobalt Strike and/or the Grace downloader malware. The group also uses a custom tool called Teleport for exfiltration.
The Cl0p group has been known to use a worm known as Raspberry Robin, delivered through USB drives or a third-party pay-per-install service, to gain access to systems. Microsoft has tracked this group under the new name Lace Tempest and advises using Group Policy or registry settings to prevent autorun or code execution from USB drives.
Companies should also be vigilant for signs of large-scale data exfiltration, particularly to infrastructure known to be used by the Cl0p group. Implementing endpoint detection and response solutions on file transfer applications and monitoring outbound network traffic can help identify anomalous activity.
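The exfiltration signal the article describes has two parts: traffic to destinations already associated with the group, and a sudden jump in outbound volume from a host whose normal footprint is small. The following is an added example, not code from the article: it takes per-flow byte counts, builds a short per-host baseline, and flags days whose outbound total is far above that baseline, plus any flow to a destination on a watch list. The flow records, host names, IP addresses and the watch-list entry are constructed placeholders (the IPs are from documentation ranges), not real indicators.

```python
"""Flag large outbound transfers relative to a per-host baseline, and flows to
watch-listed destinations.  Added example with constructed flow records."""
from collections import defaultdict
from statistics import mean, pstdev
from typing import Dict, List, Tuple

BASELINE_DAYS = 7  # first N days per host form the baseline; later days are tested

# PLACEHOLDER watch list: constructed for the demo, not a real Cl0p indicator.
WATCHED_DESTINATIONS = {"203.0.113.7"}

# Constructed flow summaries: (day, source host, destination IP, bytes out).
# moveit01 sends ~50 MB/day for a week, then 40 GB to a watched IP on day 8;
# web02 is flat at ~20 MB/day throughout.
SAMPLE_FLOWS: List[Tuple[int, str, str, int]] = []
for _day in range(1, 8):
    SAMPLE_FLOWS.append((_day, "moveit01", "198.51.100.10", 50_000_000 + _day * 1_000_000))
    SAMPLE_FLOWS.append((_day, "web02", "198.51.100.10", 20_000_000))
SAMPLE_FLOWS.append((8, "moveit01", "203.0.113.7", 40_000_000_000))
SAMPLE_FLOWS.append((8, "web02", "198.51.100.10", 21_000_000))


def daily_totals(flows) -> Dict[str, Dict[int, int]]:
    """Sum outbound bytes per host per day."""
    totals: Dict[str, Dict[int, int]] = defaultdict(lambda: defaultdict(int))
    for day, host, _dst, nbytes in flows:
        totals[host][day] += nbytes
    return totals


def volume_anomalies(flows, z: float = 3.0, min_ratio: float = 5.0) -> List[Tuple[str, int, float]]:
    """Return (host, day, multiple of baseline mean) for days that exceed both
    mean + z*stdev and min_ratio * mean.  The ratio guard keeps a flat baseline
    (stdev 0) from flagging a trivial 5% increase."""
    out: List[Tuple[str, int, float]] = []
    for host, per_day in daily_totals(flows).items():
        days = sorted(per_day)
        if len(days) <= BASELINE_DAYS:
            continue  # not enough history to test anything
        base = [per_day[d] for d in days[:BASELINE_DAYS]]
        mu, sigma = mean(base), pstdev(base)
        for d in days[BASELINE_DAYS:]:
            v = per_day[d]
            if v > mu + z * sigma and v > min_ratio * mu:
                out.append((host, d, v / mu))
    return out


def flows_to_watched(flows) -> List[Tuple[int, str, str, int]]:
    """Every flow whose destination is on the watch list, regardless of size."""
    return [f for f in flows if f[2] in WATCHED_DESTINATIONS]


if __name__ == "__main__":
    for host, day, ratio in volume_anomalies(SAMPLE_FLOWS):
        print(f"{host}: day {day} outbound volume is {ratio:.0f}x its baseline")
    for day, host, dst, nbytes in flows_to_watched(SAMPLE_FLOWS):
        print(f"{host} -> {dst} on day {day}: {nbytes:,} bytes (watch-listed destination)")
```

A file transfer server legitimately moves data, so the baseline must be built per host rather than fleet-wide, and the watch-list check should run on every flow, not only the large ones: a staged exfiltration can be spread thin enough to stay under any volume threshold.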
The widespread and sophisticated nature of the Cl0p attacks highlights the need for increased efforts from product vendors to ensure forensically useful logging is available. Additionally, organizations must stay vigilant and proactive in their security measures to protect against ransomware attacks and mitigate any potential damage.