When we narrow it down to the field of ransomware, this amount of zero-day exploitation is not something we can call normal. Ransomware groups do not necessarily need to rely on zero-day-based exploitation: such threat actors are mostly financially motivated and thus must ‘think’ more like business owners. To make a profit, they need to keep their expenses below the expected (financial) gains from ransomware extortion. Developing impactful zero-day exploits requires teams of experts, and purchasing them is extremely expensive. Ransomware threat actors will therefore usually rely on other methods to gain initial access, such as phishing and credential theft.
However, one ransomware group caught our attention in this regard. They are a Russian-speaking cyber gang that has gained attention for its large-scale extortion campaigns. The CL0P ransomware group operates as a Ransomware-as-a-Service (RaaS). It has evolved to engage in initial access brokering, selling access to compromised networks, and operating a large botnet targeting the financial sector. The group has been active since at least February 2019 and continues to add new victims to its list every week.
A brief history of CL0P Ransomware Group
CL0P, the ransomware strain, initially emerged in 2019 and evolved from the CryptoMix variant. It operates as a Ransomware-as-a-Service (RaaS) and was notably used in large-scale spear-phishing campaigns, employing verified and digitally signed binaries to bypass security controls. CL0P gained notoriety for employing ‘double extortion’ tactics: stealing and encrypting victim data, then threatening to publish it on the CL0P^_-LEAKS Tor website.
In 2021, CL0P exploited 4 zero-day vulnerabilities in Accellion file transfer software to launch ransomware attacks.
The threat actor behind CL0P (we will refer to them here as the CL0P Ransomware Group, although various other codenames have been given to them) is a major player in criminal malware distribution. This group has compromised over 3,000 U.S. organizations and 8,000 global entities. The group engages in various activities, including RaaS operations, initial access brokering, and large-scale botnet operations for financial fraud and phishing attacks.
The group’s tactics have involved leveraging zero-day exploits to infiltrate systems. In late January 2023, the CL0P ransomware group launched a campaign using a zero-day vulnerability, now cataloged as CVE-2023-0669, to target the GoAnywhere MFT platform. The group claimed to have exfiltrated data from the GoAnywhere MFT platform that impacted approximately 130 victims over 10 days. Although lateral movement within victim networks was not detected, data exfiltration occurred. The group subsequently sent ransom notes to executives of affected companies, threatening to publish stolen files on the CL0P data leak site if ransoms were not paid.
TTP and Infrastructure Analysis of CL0P Ransomware Group
Like many ransomware groups, the CL0P Group relies heavily on information-stealing malware and related tooling. Below we list a few that we found ourselves or that are described in third-party reporting.
Cobalt Strike is utilized to expand network access after infiltrating the Active Directory (AD) server [T1018].
FlawedAmmyy/FlawedGrace is a remote access trojan (RAT) that gathers information and seeks to communicate with the Command and Control (C2) server to facilitate the download of additional malware components [T1071], [T1105].
Truebot, associated with the Silence hacking group, is a first-stage downloader module capable of collecting system information and capturing screenshots [T1113]. Once connected to the C2 infrastructure, Truebot can be directed to load shellcode [T1055] or DLLs [T1574.002], download additional modules [T1129], execute them, or remove itself [T1070]. In TA505’s case, Truebot has been used to fetch FlawedGrace or Cobalt Strike beacons.
SDBot RAT spreads the infection by exploiting vulnerabilities and depositing copies of itself in removable drives and network shares [T1105]. It can also propagate through peer-to-peer (P2P) networks. SDBot functions as a backdoor [T1059.001] to execute various commands and operations on the compromised computer. It employs application shimming for persistence and evasion of detection [T1546.011].
DEWMODE, written in PHP, acts as a web shell for Accellion FTA devices. It interacts with the underlying MySQL database, allowing data theft from the compromised device [T1505.003].
LEMURLOOT, coded in C#, is a web shell targeting the MOVEit Transfer platform. It authenticates incoming HTTP requests via a hardcoded password. It can execute commands for file downloads from MOVEit Transfer, extract Azure system settings, retrieve detailed record information, and perform user-related actions. When responding to requests, the web shell returns data in a compressed gzip format.
However, we most recently recall them for exploiting the vulnerability in the MOVEit Transfer product, which (as we already mentioned) affected 130 victims in just 10 days of their campaign spree.
The story of CL0P and zero-days
We mentioned that it is very atypical of ransomware groups to use zero-day exploits, but CL0P tends to be fond of them. How is that possible, though? Developing zero-day exploits requires very skilled talent, usually a team of them.
According to an interview between Dustin Childs from Trend Micro’s Zero Day Initiative and The Record (from Recorded Future), there is a high likelihood that they bought the exploit for the MOVEit vulnerability.
And indeed, the CL0P group is rumored to buy exploits on the Dark Web. However, let us ask one thing: how many of us knew about MOVEit before the massive exploitation campaigns? I would guess that, apart from those readers who used it, few knew about it. The majority (including me) had to research it once the zero-day was announced.
And this is one of the business methods that the CL0P group is good at. While MOVEit may not have been a widely recognizable product, it was still widely used by many organizations. The CL0P group did its research and knew that, so it went hunting to purchase exploits for that product.
While it is extremely hard to talk about pure facts without insider information, this seems to be a valid modus operandi for them, given the available information. It would also make complete sense from a business perspective, because exploits for lesser-known products are much cheaper than, say, a zero-day in MS Word. And because they are cheaper, the business model remains profitable for the CL0P group.
The most popular extortion tactic so far has been the so-called ‘double-extortion tactic’, where the adversary exfiltrates data from the victim’s environment, encrypts the systems, and then threatens to publicly reveal the stolen data if the company does not pay the demanded ransom. The latter part makes it ‘double extortion’: ransomware groups not only sell the key to decrypt the systems but also threaten to publicly release the data if demands are unmet.
However, we will now circle back to what we previously discussed, namely that ransomware groups need to stay profitable. This is becoming harder these days, as organizations are now more ‘ransomware-resilient’ simply by adhering to good practices for backing up their systems. If properly backed up, they can easily restore their systems even if encrypted, so there is no real incentive to buy the decryption key from ransomware groups.
The CL0P group realized this, which is why they use a method where they simply exfiltrate data without encrypting anything and then threaten to release the data if the victims do not pay up.
This method has three big advantages for threat actors:
It no longer requires writing malware that encrypts all the systems and ensures the decryption process works if the ransom is paid.
It significantly reduces the duration of the intrusion, so attacks can be executed faster and more stealthily. Careful data exfiltration can be a very quiet process, whereas starting the encryption (infection) stage is noisy.
Since the encryption process would require a few more steps in the attack chain, it opens up the possibility of attackers being caught in the act or unintentionally leaving identifiable fingerprints, which is extremely bad for them.
Best Defense against CL0P Group
Because this modus operandi relies heavily on exploiting vulnerabilities to gain initial access, there is one big recommendation we can give our readers: patch your software and products.
However, in the case of zero-day exploits, a patch may not be available in a timely manner; in that case (if you are affected by the exploit) we strongly suggest working with your security teams to:
Review your cybersecurity architecture and make sure you apply the most common best practices, such as the Principle of Least Privilege, good network segmentation, and restrictive outbound network traffic, and make sure you have monitoring capabilities on critical systems and on any systems that may interact with them.
Prepare an incident response plan to deal with a potential intrusion.
Monitor threat intelligence feeds and develop detection mechanisms for exploitation attempts.
The aim is to significantly hinder the attacker’s ability to exfiltrate data from your environment. If you make it hard for them, they simply cannot afford to spend time dealing with the specifics of your environment or, worse, risk getting caught.
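As an added example (not part of the original article), the following Python snippet shows how the restrictive-outbound-traffic and monitoring recommendations above can be turned into a simple exfiltration check for a critical file-transfer server: any outbound flow from that host to a destination outside an egress allowlist is a policy violation, and the outbound byte volume per external destination is aggregated against a threshold. The host address, allowlist, threshold and flow records are all constructed for illustration.

```python
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Hypothetical critical host (a MOVEit/GoAnywhere-class file-transfer server)
# and its allowlisted outbound destinations. All values are constructed.
CRITICAL_HOSTS = {"10.20.0.15"}
ALLOWED_EGRESS = [
    ip_network("10.20.0.0/16"),     # internal networks
    ip_network("203.0.113.0/24"),   # e.g. an approved business-partner range
]
EXFIL_BYTES_THRESHOLD = 50 * 1024 * 1024   # 50 MiB per external destination per window

# Constructed flow records for one monitoring window: (src_ip, dst_ip, dst_port, bytes_sent)
FLOWS = [
    ("10.20.0.15", "10.20.3.7",    445, 2_000_000),    # internal file share, allowed
    ("10.20.0.15", "203.0.113.9",  443, 80_000_000),   # approved partner, allowed
    ("10.20.0.15", "198.51.100.4", 443, 30_000_000),   # unknown external host
    ("10.20.0.15", "198.51.100.4", 443, 45_000_000),   # same host, cumulative > threshold
    ("10.20.5.22", "198.51.100.4", 443, 500_000),      # workstation, not a monitored host
]


def is_allowed(dst_ip):
    """True if the destination falls inside any allowlisted egress network."""
    return any(ip_address(dst_ip) in net for net in ALLOWED_EGRESS)


def find_egress_violations(flows):
    """Flows where a critical host talks to a destination outside the allowlist.
    With a restrictive outbound policy, every such flow deserves a look regardless of size."""
    return [f for f in flows if f[0] in CRITICAL_HOSTS and not is_allowed(f[1])]


def find_exfil_candidates(flows, threshold=EXFIL_BYTES_THRESHOLD):
    """Aggregate outbound bytes per (critical host, external destination) and
    flag pairs whose total exceeds the threshold within the analysed window."""
    totals = defaultdict(int)
    for src, dst, _port, nbytes in flows:
        if src in CRITICAL_HOSTS and not is_allowed(dst):
            totals[(src, dst)] += nbytes
    return {pair: total for pair, total in totals.items() if total > threshold}


if __name__ == "__main__":
    for flow in find_egress_violations(FLOWS):
        print("egress policy violation:", flow)
    for (src, dst), total in find_exfil_candidates(FLOWS).items():
        print(f"possible exfiltration: {src} -> {dst}, {total} bytes in window")
```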