Deconstructing the CL0P RaaS group and understanding the MOVEit breach in 2023


The large-scale incorporation of connected OT/SCADA systems is a growing trend, but are you aware of the increasing presence of sophisticated threat actors and rapidly emerging ransomware variants? The question you should ask yourself and your peers is “Are my OT/SCADA systems secure against next-generation cyber threats?” In this blog, we discuss particular instances where CL0P ransomware has been identified in OT/SCADA systems.


OT/SCADA systems control physical devices and processes, such as water treatment plants, power grids, and manufacturing plants. These systems are often susceptible to attack because of how they are set up and because of pre-existing vulnerabilities, and they are frequently targeted because the security protecting them is lax. While the scale of attacks targeting such systems is analyzed further in our global threat landscape report 2023, it is imperative to understand the motives of the actors behind such attacks.

With Sectrio’s ongoing research initiatives, CL0P is one ransomware that has popped up on our radar multiple times. Its usual methods include infiltration via phishing emails, malicious attachments, and exploit kits. The RaaS group operates methodically, beginning with meticulous research into the victim, its operations, and how they can be exploited.


CL0P follows this with social engineering and spear-phishing techniques aimed at penetrating the victim’s network and deploying the ransomware. After successful deployment, CL0P publishes a portal on the dark web where the victim first verifies three files to validate the compromise, and then demands a ransom payment. The whole ordeal lasts between 3 and 7 days. The victim suffers operational halts, reputational damage, loss of IP, and financial losses.

This report is a comprehensive analysis of CL0P ransomware including attack techniques, verticals targeted, countries targeted, and attack scenarios on OT-specific verticals. Stick around and learn more!

Who is CL0P?

CL0P is a notorious ransomware-as-a-service (RaaS) operation run by a Russian-speaking group.

CL0P was first seen in February 2019 as a new variant in the Cryptomix family. It was delivered as a payload of a phishing campaign associated with the financially motivated actor TA505.

CL0P was able to inject malicious code into a targeted company’s database servers by exploiting a zero-day vulnerability using SQL injection. This allowed the attackers to access and download the data stored in the databases. The ransomware also used a verified, digitally signed binary, making it look like a legitimate executable file that could evade security detection.

CLOP Dark Web Home Page

CL0P Ransomware

The CL0P ransomware is one of the biggest malware threats in cyberspace today. The attackers once demanded more than 20 million dollars from a victim to restore services.

Targeting SCADA systems with CL0P ransomware presents a grave risk to vital infrastructure, carrying the potential for operational breakdowns, substantial financial damages, and even endangering human safety. Exploiting vulnerabilities within SCADA systems, malicious actors can illicitly infiltrate and encrypt crucial control files, resulting in the cessation of industrial operations or even the discharge of dangerous materials.

In June 2023, the CL0P ransomware group exploited a zero-day vulnerability in the MOVEit Transfer tool. This vulnerability was announced on May 31, 2023, by the Progress Software Corporation.

Earlier this year, CL0P had used a similar vulnerability to attack the GoAnywhere file transfer product of Fortra, stealing data from more than 130 companies, governments, and organizations. The CL0P attack on MOVEit Transfer is believed to have affected hundreds of organizations worldwide.

CL0P Darkweb page

On the dark web page, they upload notes, news, information about published data, and steps to contact them.

About CL0P Ransomware Gang

Steps for Companies Attacked by CL0P Ransomware Gang


The CL0P gang uploads published data and victim organization names on its dark web page.

Names of companies attacked by CL0P Ransomware Gang

CL0P Email IDs for communication

The ransomware has been known to use the email ID UNLOCK@RSV-BOX.COM; this was later changed to UNLOCK@SUP-BOX.COM. We believe this change was triggered by technical challenges.

Timelines of CL0P Ransomware and MOVEit

The CL0P ransomware gang was relatively inactive from November 2022 to February 2023 and then became far more active in March and April 2023, as accurately predicted in Sectrio’s Global Threat Landscape Analysis and Assessment Report; the NCC report stated that CL0P went from one of the least active threat groups in March to the fourth most active in April. This significant increase in CL0P ransomware activity is a cause for concern, as it suggests that the gang is becoming more active and more successful in its attacks.

Businesses and organizations should be aware of the CL0P threat and take steps to protect themselves from ransomware attacks.

  1. The CL0P ransomware was first noticed in February 2019 with wide-scale spear phishing. In January 2020, FIN11 deployed CL0P ransomware on the FTA (File Transfer Application) of Kiteworks, and after this, they gained access to a pharmaceutical company and leaked its data in April 2020.
  2. In November 2021, CL0P ransomware exploited the SolarWinds vulnerability, breaching several organizations. Security researchers discovered that MOVEit Transfer servers were compromised and held crucial information into 2022.
  3. In 2023, CL0P began exploiting the MOVEit zero-day vulnerability. Although it breached multiple organizations, the group did not immediately extort victims. In May, the MOVEit vulnerability was published by Progress Software Corporation; in the same year a CVE was assigned, and CISA released a joint Cybersecurity Advisory detailing CL0P’s exploitation of the MOVEit vulnerability. MOVEit told Cybernews that the bug was patched within 48 hours, adding that it “has implemented a series of third-party validations to ensure the patch has corrected the exploit.”

Affected Countries by CL0P Ransomware

CL0P Targeted Countries

Tools, Malware, and Vulnerabilities Used by CL0P Ransomware

Malware used by CL0P: Get2 Loader
Tools used by CL0P: Cobalt Strike

List of vulnerabilities exploited by CL0P ransomware

The exploits built are prepared using the vulnerabilities below:

CVE ID | Vulnerability Type | CVSS Score and Severity
CVE-2023-34362 | SQL injection vulnerability | 9.8 Critical
CVE-2023-35036 | SQL injection vulnerability | 9.1 Critical
CVE-2023-0669 | Pre-authentication command injection | 7.2 High
CVE-2021-27101 | SQL injection vulnerability | 9.8 Critical
CVE-2021-27102 | OS command execution | 7.8 High
CVE-2021-27103 | SSRF via a crafted POST request | 9.8 Critical
CVE-2021-27104 | OS command execution | 9.8 Critical
CVE-2021-35211 | Remote code execution (RCE) vulnerability | 10.0 Critical

Analysis of CL0P Ransomware

TA505 is a threat actor that uses phishing emails to deliver malware to its victims. The malware typically arrives as a macro-enabled document that, when opened, drops a loader named Get2. Get2 can then download other tools used by TA505, such as SDBot, FlawedAmmyy, or FlawedGrace.

Once TA505 has gained a foothold on the victim’s system, it performs reconnaissance, lateral movement, and exfiltration. This allows the actors to gather information about the victim’s network and systems and to move laterally to other systems within the network. The final step is to deploy ransomware, encrypting the victim’s files and demanding a ransom payment.

Sometimes, SDBot has been observed delivering CL0P as the final payload. CL0P is a ransomware known for its aggressive encryption and high ransom demands.

CL0P Ransomware Attack Tree

How CL0P ransomware could disrupt the OT networks

The CL0P ransomware gang could potentially target OT/ICS systems through methods such as phishing and social engineering, exploiting vulnerabilities in software or hardware, supply chain attacks via compromised suppliers, exploiting weaknesses in Remote Desktop Protocol, watering hole attacks on frequented websites, recruiting insiders for valuable information, exploiting weak network segmentation between IT and OT environments, and taking advantage of misconfigurations in the OT/ICS network.

Defending against these attacks requires robust cybersecurity measures including patch management, network segmentation, employee training, multi-factor authentication, secure remote access, intrusion detection, and regular backups of critical systems.

The CL0P ransomware group has used tools such as the FlawedAmmyy RAT, Cobalt Strike, TinyMet, Get2 Loader, SDBot, etc. The CL0P ransomware gang has already made a name for itself by attacking 4 organizations hosting several OT systems. The gang has likely gained enough experience to target more organizations hosting OT systems, and with its current posture it is able to perform the attack and disrupt OT operations.

Attack path analysis of CL0P ransomware

The first attack path used by TA505

The CL0P ransomware that TA505 first distributed evaded detection using a digitally signed and verified binary to make it seem like a legitimate executable file. The group launched many spear-phishing emails sent to an organization’s employees to trigger the infection process.

Attack path of TA505 for CL0P ransomware

Updated attack path of TA505

In January 2020, TA505 changed the infection flow by using SDBot alone to collect and exfiltrate data to the command-and-control (C&C) server.

Updated attack path of TA505 for CL0P ransomware

Compromise attack path of FIN11

The infection chain shows FIN11 exploiting multiple zero-day vulnerabilities in Kiteworks’ FTA so that it could install a newly discovered web shell, DEWMODE. FIN11 then used this same web shell to exfiltrate data from the FTA and deliver the CL0P ransomware as a payload.

Compromise attack path of FIN11

CL0P ransomware note

The CL0P ransomware gang drops the ransom note after successful exploitation and encryption.

Ransom Note by CL0P ransomware gang

TTPs (Tactics, Techniques, and Procedures) of CL0P Ransomware

The CL0P ransomware gang is known for using a variety of tactics, techniques, and procedures (TTPs) to infect victims. These TTPs may include:

For each tactic, techniques are listed as: Technique ID | Technique Name | CL0P Uses

TA0001 Initial Access
  T1566.001 | Phishing: Spear-phishing attachment | CL0P actors send a large volume of spear-phishing emails to employees of an organization to gain initial access.
  T1190 | Exploit public-facing application | The CL0P ransomware group exploited the zero-day vulnerability CVE-2023-34362 affecting MOVEit Transfer software; it begins with a SQL injection to infiltrate the MOVEit Transfer web application.
  T1078 | Valid accounts | Gain unauthorized access to victims’ systems using RDP.

TA0002 Execution
  T1106 | Native API | Event-triggered execution: Application shimming.
  T1059.001 | Command and scripting interpreter: PowerShell | CL0P actors use SDBot as a backdoor to enable other commands and functions to be executed on the compromised computer.
  T1059.002 | Command and scripting interpreter | CL0P actors use TinyMet, a small open-source Meterpreter stager, to establish a reverse shell to their C2 server.
  T1129 | Shared modules | CL0P actors use Truebot to download additional modules.
  T1204 | User execution | User execution is needed to carry out the payload from the spear-phishing link or attachment.

TA0003 Persistence
  T1547 | Boot or logon autostart execution | CL0P creates registry Run entries to execute the ransomware as a service.
  T1543.003 | Create or modify system process: Windows service | CL0P creates a service to execute the ransomware.
  T1505.003 | Server software component: Web shell | DEWMODE is a web shell designed to interact with a MySQL database and is used to exfiltrate data from the compromised network.
  T1546.011 | Event-triggered execution: Application shimming | CL0P actors use SDBot malware for application shimming for persistence and to avoid detection.

TA0004 Privilege Escalation
  T1484.001 | Domain policy modification: Group Policy modification | CL0P uses stolen credentials to access the AD servers to gain administrator privileges and attack other machines within the network.

TA0005 Defense Evasion
  T1068 | Exploitation for privilege escalation | CL0P actors gained access to MOVEit Transfer databases before escalating privileges within the compromised network.
  T1036.001 | Masquerading: Invalid code signature | CL0P injects DLL payloads into legitimate processes.
  T1562.001 | Impair defenses: Disable or modify tools | Disables security-related software by terminating it.
  T1140 | Deobfuscate/decode files or information | The tool used for exfiltration has a malware trace-removal component, and it drops a base64-encoded file.
  T1070.004 | Indicator removal on host: File deletion | CL0P deletes traces of itself on the infected machine.
  T1055.001 | Process injection: DLL injection | CL0P runs the startup script before the system reaches the login screen via a startup registry entry.
  T1574.002 | Hijack execution flow | CL0P actors use Truebot to side-load DLLs.
  T1202 | Indirect command execution | CL0P searches for specific files and the directory related to its encryption.
  T1070.001 | Indicator removal on host: Clear Windows event logs | CL0P clears the Event Viewer log files.

TA0007 Discovery
  T1083 | File and directory discovery | CL0P searches for specific files and the directory related to its encryption.
  T1018 | Remote system discovery | CL0P actors use Cobalt Strike to expand network access after gaining access to the AD servers.
  T1057 | Process discovery | CL0P discovers certain processes for process termination.
  T1082 | System information discovery | CL0P identifies keyboard layout and other system information.
  T1012 | Query registry | CL0P queries certain registry keys as part of its routine.
  T1063 | Security software discovery | CL0P discovers security software for reconnaissance and termination.

TA0008 Lateral Movement
  T1570 | Lateral tool transfer | CL0P can make use of RDP to transfer the ransomware or tools within the network.
  T1021.002 | Remote services: SMB/Windows admin shares | CL0P actors have been observed attempting to compromise the AD server using Server Message Block (SMB) vulnerabilities with follow-on Cobalt Strike activity.
  T1563.002 | Remote service session hijacking: RDP hijacking | CL0P ransomware actors have been observed using Remote Desktop Protocol (RDP) to interact with compromised systems after initial access.

TA0009 Collection
  T1005 | Data from local system | CL0P might make use of RDP to manually search for valuable files or information.
  T1113 | Screen capture | CL0P actors use Truebot to take screenshots to collect sensitive data.

TA0011 Command and Control
  T1071 | Application layer protocol | CL0P actors use the FlawedAmmyy remote access trojan (RAT) to communicate with the command and control (C2) server.
  T1105 | Ingress tool transfer | CL0P actors are assessed to use the FlawedAmmyy RAT to download additional malware components. CL0P actors use SDBot to drop copies of itself on removable drives and network shares.

TA0010 Exfiltration
  T1041 | Exfiltration over C2 channel | CL0P abuses network shares to encrypt and spread files across connected systems.
  T1567 | Exfiltration over web service | The DEWMODE web shell extracts a list of available files from a MySQL database on the FTA and lists these files with their corresponding metadata. These are then downloaded using the DEWMODE web shell.

TA0040 Impact
  T1486 | Data encrypted for impact | CL0P uses a combination of Salsa20, AES, and ECDH to encrypt the files and the key.
  T1490 | Inhibit system recovery | CL0P deletes the shadow copies.
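As an added example (not code from the Sectrio post), the following Python checks process-creation events against four of the host-level TTPs listed above (T1490 shadow copy deletion, T1070.001 event log clearing, T1547 registry Run entries, T1543.003 service creation) and flags hosts where more than one technique fires. The sample events, host names and file paths are constructed for illustration and are not indicators from a real incident.

```python
import re

# Constructed sample process-creation events (Sysmon Event ID 1 style, fields
# simplified). These are illustrative, not captured from a real CL0P intrusion.
SAMPLE_EVENTS = [
    {"host": "eng-ws-01", "image": r"C:\Windows\System32\vssadmin.exe",
     "cmdline": "vssadmin.exe delete shadows /all /quiet"},
    {"host": "eng-ws-01", "image": r"C:\Windows\System32\wevtutil.exe",
     "cmdline": "wevtutil.exe cl Security"},
    {"host": "hmi-02", "image": r"C:\Windows\System32\reg.exe",
     "cmdline": r"reg add HKLM\Software\Microsoft\Windows\CurrentVersion\Run /v svc /d C:\Users\Public\upd.exe"},
    {"host": "hmi-02", "image": r"C:\Windows\System32\sc.exe",
     "cmdline": r"sc create updsvc binPath= C:\Users\Public\upd.exe start= auto"},
    {"host": "fileserver", "image": r"C:\Windows\System32\backup.exe",
     "cmdline": "backup.exe --list"},  # benign activity, must not match
]

# Each rule pairs a command-line pattern with the ATT&CK technique ID cited in
# the TTP table. The patterns are deliberately narrow to keep false positives low.
RULES = [
    ("T1490", "Inhibit system recovery: shadow copy deletion",
     re.compile(r"vssadmin(\.exe)?\s+delete\s+shadows", re.I)),
    ("T1070.001", "Indicator removal: clear Windows event logs",
     re.compile(r"wevtutil(\.exe)?\s+cl\b", re.I)),
    ("T1547", "Boot or logon autostart: registry Run key entry",
     re.compile(r"\\CurrentVersion\\Run\b", re.I)),
    ("T1543.003", "Create or modify system process: Windows service",
     re.compile(r"\bsc(\.exe)?\s+create\b", re.I)),
]


def match_event(event):
    """Return the (technique_id, description) pairs whose pattern matches the command line."""
    return [(tid, desc) for tid, desc, rx in RULES if rx.search(event["cmdline"])]


def detect(events):
    """Run every rule over every event; return (host, technique_id, description, cmdline) alerts."""
    alerts = []
    for ev in events:
        for tid, desc in match_event(ev):
            alerts.append((ev["host"], tid, desc, ev["cmdline"]))
    return alerts


def hosts_with_multiple_techniques(alerts, threshold=2):
    """Hosts on which at least `threshold` distinct techniques fired.

    A single vssadmin call can be legitimate administration; several of these
    techniques on one host in quick succession is the higher-confidence signal."""
    seen = {}
    for host, tid, _, _ in alerts:
        seen.setdefault(host, set()).add(tid)
    return sorted(h for h, tids in seen.items() if len(tids) >= threshold)


if __name__ == "__main__":
    found = detect(SAMPLE_EVENTS)
    for host, tid, desc, cmd in found:
        print(f"{host}: {tid} ({desc}) <- {cmd}")
    print("escalate:", hosts_with_multiple_techniques(found))
```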

YARA Rules for CL0P Ransomware Detection

  1. SS_Gen_MOVEitTransferExploit_Webshell_ASPX_202308160701_A
  2. SS_Gen_MOVEitTransferExploit_Webshell_DLL_202308160702_B

OT and IT Organizations Affected by CL0P Ransomware

The CL0P ransomware gang has been active in recent months, targeting organizations in various sectors. Victims of CL0P attacks have included water utilities, oil and gas companies, OEMs, and consulting firms.

Judging from the attack pattern, this ransomware gang is going after mainstream companies, including Big Four consulting firms. This brings them more clout and makes them hyper-motivated to attack companies that are prominent in their respective sectors.

OT and IT Sectors affected by CL0P ransomware gang

Recommendations by Sectrio and CISA

  • Sectrio recommends deploying intrusion detection and prevention systems (IDS/IPS) to detect and block malicious traffic.
  • Implement network segmentation to isolate SCADA systems from other networks.
  • If the RDP service is used on OT networks, disable or close it.
  • Stay a step ahead of CL0P using our advanced Sectrio IDS/IPS, which harnesses AI and behavioral analysis to proactively detect and deflect targeted attacks.
  • Take an inventory of assets and data, identifying authorized and unauthorized devices and software.
  • Grant admin privileges and access only when necessary, and establish a software allow list so that only legitimate applications execute.
  • Monitor network ports, protocols, and services, and activate security configurations on network infrastructure devices such as firewalls and routers.
  • Regularly patch and update software and applications to their latest versions, and conduct regular vulnerability assessments.
  • Disable command-line and scripting activity where it is not required.
  • Restrict the use of PowerShell.


This blog has been attributed to Yash Mehta from Sectrio’s global threat research team.

Sectrio is a technology market leader in the Internet of Things (IoT), Operational Technology (OT), Information Technology (IT) and 5G Security products for securing the most critical assets, data, networks, supply chains and device architectures for diverse deployments across geographies. Sectrio solutions minimize the attack surface and eliminate all risks from hackers, malware, cyber espionage, and other threats by securing the entire digital footprint covering services, applications, and surfaces through a single platform powered by real-time threat intelligence sourced from Sectrio’s largest honeypot network active in 75+ cities around the world.
