CL0P/CLOP Ransomware

As one of the oldest ransomware groups clop has not changed much over the years. Their websites for both communications and leaking non-paying victim information have seen minior updates with the most significant one when migrated to accomodate the latest TOR versions. The group provides both an email and web chat URL that is unique to every victim organization but they appear to direct any communications to the web chat.

Clop ransomware demands are typically very high, however CYPFER has had good success in bringing down initial demands to much lower final settlements. The Clop group appears to favor relatively new exploits and are know as the group that conducted numerous Accellion exploit attacks. CYPFER did not see any indications that the group is affiliate based, and appears to use the same communications protocols and profile across cases.The group is believed to be Ukrainian or East-European with a number of communication statements typed in Russian were observed.

If communications are too slow, CLOP has been observed to call employees, clients and send spam emails to such contacts reminding them of the incident.

SUMMARY:

• CLOP operators are not limiting themselves to specific attack types, but have been seen exploiting both external Internet facing assets using some of the latest exploits such as Accelion, Log4j but also using brute force of remote access capabilties. Some attacks were identified using phishing techniques to establish initial foothold.
• COMMUNICATION PROTOCOLS: CLOP communications take place primarily over the group’s web-chat that is accessible through TOR. Each victim organization is provided with a unique URL containing a key and keywords. Communications is sometimes extremely rapid, and very threatening. CLOP at times appear to be more interested in publishing stolen data then engage in long drawn discussions.
• INITIAL DEMANDS: CLOP demands on average begin around $3,000,000. This number may vary between each matter as the demands are typically based on what the threat actors believe the company can afford to pay.
• FINAL DEMANDS: CLOP group has control of the final amount. Discounts vary from 30-50% but depend on the communication flow. CLOP can be unpredictable if they feel negotiations are not moving at the expected pace.
• DURATION: Negotiation durations with CLOP are relatively VERY FAST and can run from 1 days to 8 days.

DECRYPTION: CLOP decryptor is 98% effective in decrypting files. Speed of decryption is dependant upon a number of factors including hardware capabilities and size of encrypted files but is relatively FAST.

RECOVERY and REMEDIATION: CYPFER’s post breach recovery teams have worked a number of CLOP matters, and recovery of an environment while it depends on impact, hardware capacity and available resources will typically take 10-30 business days as CLOP may attack very small organization and enterprise organizations.