The large-scale incorporation of connected OT/SCADA systems is a growing trend, but are you aware of the increasing presence of sophisticated threat actors and rapidly emerging ransomware variants? The question you should ask yourself and your peers is: “Are my OT/SCADA systems secure against next-generation cyber threats?” In this blog, we discuss particular instances where CL0P ransomware has been identified in OT/SCADA systems.
OT/SCADA systems control physical devices and processes, such as water treatment plants, power grids, and manufacturing plants. These systems are often susceptible to attack because of how they are set up and because of pre-existing vulnerabilities, and they are frequently targeted because the security protecting them is lax. While the scale of attacks targeting such systems is analyzed further in our global threat landscape report 2023, it is imperative to understand the motives of the actors behind such attacks.
Through Sectrio’s ongoing research initiatives, CL0P is one ransomware that has appeared on our radar multiple times. Its usual methods include infiltration via phishing emails, malicious attachments, and exploit kits. The RaaS group operates methodically and begins with meticulous research into the victim’s operations and how they can be exploited.
CL0P follows this research with social engineering and spear-phishing techniques aimed at penetrating the victim’s network and deploying the ransomware. After the ransomware has been deployed, CL0P publishes a portal on the dark web where the victim first verifies 3 files to validate the compromise, and then demands a ransom payment. The whole ordeal lasts between 3 and 7 days. The victim suffers operational halts, reputational damage, loss of IP, and financial losses.
This report is a comprehensive analysis of CL0P ransomware including attack techniques, verticals targeted, countries targeted, and attack scenarios on OT-specific verticals. Stick around and learn more!
Who is CL0P?
CL0P is a notorious ransomware-as-a-service (RaaS) operation run by a Russian-speaking group.
CL0P was first seen in February 2019 as a new variant in the Cryptomix family. It was delivered as a payload of a phishing campaign associated with the financially motivated actor TA505.
CL0P was able to inject malicious code into the company’s database servers by exploiting a zero-day SQL injection vulnerability. This allowed the attackers to access and download the data stored in the databases. The ransomware also used a verified, digitally signed binary, making it look like a legitimate executable that could evade security detection.
CL0P Ransomware
CL0P ransomware is one of the biggest malware threats in cyberspace today. The attackers once demanded more than 20 million dollars from a victim to restore services.
Targeting SCADA systems with CL0P ransomware presents a grave risk to vital infrastructure, carrying the potential for operational breakdowns, substantial financial damages, and even endangering human safety. Exploiting vulnerabilities within SCADA systems, malicious actors can illicitly infiltrate and encrypt crucial control files, resulting in the cessation of industrial operations or even the discharge of dangerous materials.
In June 2023, the CL0P ransomware group exploited a zero-day vulnerability in the MOVEit Transfer tool. This vulnerability was announced on May 31, 2023, by the Progress Software Corporation.
Earlier this year, CL0P had used a similar vulnerability to attack the GoAnywhere file transfer product of Fortra, stealing data from more than 130 companies, governments, and organizations. The CL0P attack on MOVEit Transfer is believed to have affected hundreds of organizations worldwide.
CL0P Darkweb page
On their dark web page they post notes, news, information about published data, and steps to contact them.
Steps for Companies Attacked by CL0P Ransomware Gang
The CL0P gang uploads published data and victim organization names to its dark web page.
Names of companies attacked by the CL0P ransomware gang
CL0P Email IDs for communication
The ransomware has been known to use the email ID UNLOCK@RSV-BOX.COM; this was later changed to UNLOCK@SUP-BOX.COM. We believe this change was triggered by technical challenges.
Timelines of CL0P Ransomware and MOVEit
The CL0P ransomware gang was relatively inactive from November 2022 to February 2023 compared with March and April 2023, as accurately predicted in Sectrio’s Global Threat Landscape Analysis and Assessment Report; the NCC report likewise stated that CL0P went from one of the least active threat groups in March to the fourth most active in April. This significant increase in CL0P activity is a cause for concern, as it suggests the gang is becoming more active and successful in its attacks.
Businesses and organizations should be aware of the CL0P threat and take steps to protect themselves from ransomware attacks.
- CL0P ransomware was first noticed in February 2019 with wide-scale spear phishing. In January 2020, FIN11 deployed CL0P ransomware on the FTA (File Transfer Application) of Kiteworks; after this, they gained access to a pharmaceutical company and leaked its data in April 2020.
- In November 2021, CL0P ransomware exploited the SolarWinds vulnerability, breaching several organizations. Security researchers discovered that MOVEit Transfer servers had been compromised and held crucial information into 2022.
- In 2023, CL0P began exploiting the MOVEit zero-day vulnerability and compromised several companies; although it breached multiple organizations, the group did not immediately extort victims. In May, Progress Software Corporation published the MOVEit vulnerability; in the same year a CVE identifier was assigned, and CISA released a joint Cybersecurity Advisory detailing CL0P’s exploitation of the MOVEit vulnerability. MOVEit told Cybernews that the bug was patched within 48 hours, adding that it “has implemented a series of third-party validations to ensure the patch has corrected the exploit.”
Countries Affected by CL0P Ransomware
Tools, Malware, and Vulnerabilities Used by CL0P Ransomware
| Malware | Tools |
|---|---|
| FlawedAmmyy | Cobalt Strike |
| SDBOT | TinyMet |
| Get2 Loader | |
List of vulnerabilities exploited by CL0P ransomware
CL0P’s exploits are built on the vulnerabilities below:
| CVE ID | Vulnerability Type | CVSS Score and Severity |
|---|---|---|
| CVE-2023-34362 | SQL injection vulnerability | 9.8 Critical |
| CVE-2023-35036 | SQL injection vulnerability | 9.1 Critical |
| CVE-2023-0669 | Pre-authentication command injection | 7.2 High |
| CVE-2021-27101 | SQL injection vulnerability | 9.8 Critical |
| CVE-2021-27102 | OS command execution | 7.8 High |
| CVE-2021-27103 | SSRF via a crafted POST request | 9.8 Critical |
| CVE-2021-27104 | OS command execution | 9.8 Critical |
| CVE-2021-35211 | Remote code execution (RCE) vulnerability | 10.0 Critical |
Analysis of CL0P Ransomware
TA505 is a threat actor that uses phishing emails to deliver malware to its victims. The malware typically arrives as a macro-enabled document that, when opened, drops a loader named Get2. Get2 can then download other tools used by TA505, such as SDBot, FlawedAmmyy, or FlawedGrace.
Once TA505 has gained a foothold on the victim’s system, it performs reconnaissance, lateral movement, and exfiltration. This allows the actors to gather information about the victim’s network and systems and to move laterally to other systems within the network. The final step is to deploy ransomware, encrypting the victim’s files and demanding a ransom payment.
Sometimes, SDBot has been observed delivering CL0P as the final payload. CL0P is ransomware known for its aggressive encryption and high ransom demands.
How CL0P ransomware could disrupt the OT networks
The CL0P ransomware gang could potentially target OT/ICS systems through methods such as phishing and social engineering, exploiting vulnerabilities in software or hardware, supply chain attacks via compromised suppliers, exploiting weaknesses in Remote Desktop Protocol, watering hole attacks on frequented websites, recruiting insiders for valuable information, exploiting weak network segmentation between IT and OT environments, and taking advantage of misconfigurations in the OT/ICS network.
Defending against these attacks requires robust cybersecurity measures including patch management, network segmentation, employee training, multi-factor authentication, secure remote access, intrusion detection, and regular backups of critical systems.
The CL0P ransomware group has used tools such as the FlawedAmmyy RAT, Cobalt Strike, TinyMet, Get2 Loader, and SDBOT. The gang has already made a name for itself by attacking 4 organizations hosting several OT systems, and it has likely gained enough experience to target more organizations hosting OT systems. With its current posture it is able to carry out attacks that disrupt OT operations.
Attack path analysis of CL0P ransomware
The first attack path used by TA505
The CL0P ransomware that TA505 first distributed evaded detection using a digitally signed and verified binary to make it seem like a legitimate executable file. The group launched many spear-phishing emails sent to an organization’s employees to trigger the infection process.
Updated attack path of TA505
In January 2020, TA505 changed the infection flow, using SDBOT alone to collect and exfiltrate data to the command-and-control (C&C) server.
Compromise attack path of FIN11
FIN11’s infection chain exploited multiple zero-day vulnerabilities in Kiteworks’ FTA so that it could install a newly discovered web shell, DEWMODE. FIN11 then used this same web shell to exfiltrate data from the FTA and deliver CL0P ransomware as a payload.
CL0P ransomware note
The CL0P ransomware gang drops the ransom note after successful exploitation and encryption.
TTPs (Tactics, Techniques, and Procedures) of CL0P Ransomware
The CL0P ransomware gang is known for using a variety of tactics, techniques, and procedures (TTPs) to infect victims. These TTPs may include:
| Tactic ID | Tactic Name | Technique ID | Technique Name | CL0P Uses |
|---|---|---|---|---|
| TA0001 | Initial Access | T1566.001 | Phishing: Spear-phishing attachment | CL0P actors send a large volume of spear-phishing emails to employees of an organization to gain initial access |
| | | T1190 | Exploit public-facing application | The CL0P ransomware group exploited the zero-day vulnerability CVE-2023-34362 affecting MOVEit Transfer software; the attack begins with SQL injection to infiltrate the MOVEit Transfer web application |
| | | T1078 | Valid accounts | Gain unauthorized access to victims’ systems using RDP |
| TA0002 | Execution | T1106 | Native API | Event-Triggered execution: Application Shimming |
| | | T1059.001 | Command and scripting interpreter: PowerShell | CL0P actors use SDBot as a backdoor to enable other commands and functions to be executed on the compromised computer |
| | | T1059.002 | Command and scripting interpreter | CL0P actors use TinyMet, a small open-source Meterpreter stager, to establish a reverse shell to their C2 server |
| | | T1129 | Shared Modules | CL0P actors use Truebot to download additional modules |
| | | T1204 | User execution | User execution is needed to run the payload from the spear-phishing link or attachment |
| TA0003 | Persistence | T1547 | Boot or logon autostart execution | CL0P creates registry run entries to execute the ransomware as a service |
| | | T1543.003 | Create or modify system process: Windows service | CL0P creates a service to execute the ransomware |
| | | T1505.003 | Server Software Component: Web Shell | DEWMODE is a web shell designed to interact with a MySQL database and is used to exfiltrate data from the compromised network |
| | | T1546.011 | Event Triggered execution: Application Shimming | CL0P actors use SDBot malware for application shimming for persistence and to avoid detection |
| TA0004 | Privilege Escalation | T1484.001 | Domain Policy modification: Group Policy modification | CL0P uses stolen credentials to access the AD servers, gain administrator privileges, and attack other machines within the network |
| TA0005 | Defense Evasion | T1068 | Exploitation for privilege escalation | CL0P actors gained access to MOVEit Transfer databases before escalating privileges within the compromised network |
| | | T1036.001 | Masquerading: invalid code signature | CL0P injects DLL payloads into legitimate processes |
| | | T1562.001 | Impair defenses: disable or modify tools | Disables security-related software by terminating it |
| | | T1140 | Deobfuscate/Decode files or information | The tool used for exfiltration removes part of its malware traces and drops a base64-encoded file |
| | | T1070.004 | Indicator removal on host: file deletion | CL0P deletes traces of itself on the infected machine |
| | | T1055.001 | Process injection: DLL injection | CL0P runs the startup script before the system reaches the login screen via a startup registry entry |
| | | T1574.002 | Hijack execution flow | CL0P actors use Truebot to side-load DLLs |
| | | T1202 | Indirect command execution | CL0P searches for specific files and the directory related to its encryption |
| | | T1070.001 | Indicator removal on host: clear Windows Event logs | CL0P clears the Event Viewer log files |
| TA0007 | Discovery | T1083 | File and directory discovery | CL0P searches for specific files and the directory related to its encryption |
| | | T1018 | Remote system discovery | CL0P actors use Cobalt Strike to expand network access after gaining access to the AD servers |
| | | T1057 | Process discovery | CL0P discovers certain processes for process termination |
| | | T1082 | System information discovery | CL0P identifies keyboard layout and other system information |
| | | T1012 | Query registry | CL0P queries certain registry keys as part of its routine |
| | | T1063 | Security software discovery | CL0P discovers security software for reconnaissance and termination |
| TA0008 | Lateral Movement | T1570 | Lateral tool transfer | CL0P can make use of RDP to transfer the ransomware or tools within the network |
| | | T1021.002 | Remote services: SMB/Windows admin shares | CL0P actors have been observed attempting to compromise the AD server using Server Message Block (SMB) vulnerabilities with follow-on Cobalt Strike activity |
| | | T1563.002 | Remote Service Session Hijacking: RDP Hijacking | CL0P ransomware actors have been observed using Remote Desktop Protocol (RDP) to interact with compromised systems after initial access |
| TA0009 | Collection | T1005 | Data from local system | CL0P might make use of RDP to manually search for valuable files or information |
| | | T1113 | Screen capture | CL0P actors use Truebot to take screenshots to collect sensitive data |
| TA0011 | Command and Control | T1071 | Application Layer Protocol | CL0P actors use the FlawedAmmyy remote access trojan (RAT) to communicate with the Command and Control (C2) server |
| | | T1105 | Ingress Tool Transfer | CL0P actors are assessed to use the FlawedAmmyy RAT to download additional malware components. CL0P actors use SDBot to drop copies of itself on removable drives and network shares |
| TA0010 | Exfiltration | T1041 | Exfiltration Over C2 Channel | CL0P abuses network shares to encrypt and spread files across connected systems |
| | | T1567 | Exfiltration over Web service | The DEWMODE web shell extracts a list of available files from a MySQL database on the FTA and lists these files with their corresponding metadata; these are then downloaded using the DEWMODE web shell |
| TA0040 | Impact | T1486 | Data encrypted for impact | CL0P uses a combination of Salsa20, AES, and ECDH to encrypt the files and the key |
| | | T1490 | Inhibit system recovery | CL0P deletes the shadow copies |
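Several of the Persistence, Defense Evasion and Impact rows above (T1547, T1543.003, T1070.001, T1490, T1562.001) describe host behaviour that shows up in process-creation telemetry. The following Python is an added example, not code from the Sectrio post: it maps constructed Sysmon-style events to those technique IDs and flags a user whose commands span several of them in sequence. The log lines, user names and command-line patterns are assumptions chosen to illustrate the detection, not observed CL0P artifacts.

```python
# Added example, not from the Sectrio post: maps constructed Windows
# process-creation events to ATT&CK techniques from the TTP table above.
# Command-line patterns are assumed common shapes, not observed CL0P artifacts.
import re

# (technique ID from the table, description, command-line pattern)
RULES = [
    ("T1490", "Inhibit system recovery: shadow copy deletion",
     re.compile(r"\bvssadmin(\.exe)?\s+delete\s+shadows|\bwmic(\.exe)?\s+shadowcopy\s+delete", re.I)),
    ("T1070.001", "Indicator removal: clear Windows event logs",
     re.compile(r"\bwevtutil(\.exe)?\s+(cl|clear-log)\s", re.I)),
    ("T1547", "Persistence: registry run key added",
     re.compile(r"\breg(\.exe)?\s+add\s+\S*\\CurrentVersion\\Run\b", re.I)),
    ("T1543.003", "Persistence: Windows service created",
     re.compile(r"\bsc(\.exe)?\s+create\s", re.I)),
    ("T1562.001", "Impair defenses: security tool terminated",
     re.compile(r"\btaskkill(\.exe)?\s+.*\b(msmpeng|mbamservice|avp|ccsvchst)\b", re.I)),
]

# Constructed Sysmon-style process-creation lines: "<time> <user> <command line>"
SAMPLE_EVENTS = [
    "10:01:02 CORP\\svc_build cmd.exe /c vssadmin.exe delete shadows /all /quiet",
    "10:01:05 CORP\\svc_build wevtutil.exe cl Security",
    "10:01:07 CORP\\svc_build reg.exe add HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Run /v upd /d C:\\ProgramData\\upd.exe",
    "10:01:09 CORP\\svc_build sc.exe create WinUpdSvc binPath= C:\\ProgramData\\upd.exe start= auto",
    "10:01:11 CORP\\svc_build taskkill.exe /f /im MsMpEng.exe",
    "10:02:30 CORP\\alice notepad.exe C:\\Users\\alice\\notes.txt",
]

def parse_event(line):
    """Split a constructed event line into (timestamp, user, command_line)."""
    ts, user, cmd = line.split(" ", 2)
    return ts, user, cmd

def match_techniques(command_line):
    """Return the ATT&CK IDs whose pattern matches one command line."""
    return [tid for tid, _, pat in RULES if pat.search(command_line)]

def triage(events, min_techniques=3):
    """Group hits per user and flag users whose activity covers several
    distinct techniques, the chained behaviour the TTP table above describes."""
    per_user = {}
    for line in events:
        ts, user, cmd = parse_event(line)
        for tid in match_techniques(cmd):
            per_user.setdefault(user, []).append((ts, tid))
    flagged = {u for u, hits in per_user.items()
               if len({tid for _, tid in hits}) >= min_techniques}
    return per_user, flagged

if __name__ == "__main__":
    hits, flagged = triage(SAMPLE_EVENTS)
    for user in sorted(flagged):
        print(f"{user}: {[tid for _, tid in hits[user]]}")
```

In a real deployment the same rules would run over Sysmon Event ID 1 or Security 4688 command lines, and the per-user chaining is what separates an administrator clearing one log from the deletion-plus-persistence sequence in the table.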
YARA Rules for CL0P Ransomware Detection
- SS_Gen_MOVEitTransferExploit_Webshell_ASPX_202308160701_A
- SS_Gen_MOVEitTransferExploit_Webshell_DLL_202308160702_B
OT and IT Organizations Affected by CL0P Ransomware
The CL0P ransomware gang has been active in recent months, targeting organizations in various sectors. Victims of CL0P attacks have included water utilities, oil and gas companies, OEMs, and consulting firms.
From the look of the attack pattern, this ransomware gang is going after mainstream companies, including Big Four consulting firms. This brings them more clout and motivates them to attack well-known companies in their respective sectors.
Recommendations by Sectrio and CISA
- Sectrio recommends deploying intrusion detection and prevention systems (IDS/IPS) to detect and block malicious traffic.
- Implementing network segmentation to isolate SCADA systems from other networks.
- If the RDP service is used on OT networks, disable it or close the port.
- Stay a step ahead of CL0P with Sectrio’s IDS/IPS, which uses AI and behavioral analysis to proactively detect and deflect targeted attacks.
- Take an inventory of assets and data, identifying authorized and unauthorized devices and software.
- Grant admin privileges and access only when necessary, establishing a software allow list that only executes legitimate applications.
- Monitor network ports, protocols, and services, activating security configurations on network infrastructure devices such as firewalls and routers.
- Regularly patch and update software and applications to their latest versions and conduct regular vulnerability assessments.
- Disable command line and scripting.
- Restrict the use of PowerShell.
This blog is attributed to Yash Mehta from Sectrio’s global threat research team.