Clop’s Resurgence Points to New Sophistication Level Among Ransomware Groups
The group’s zero-day strategy has made it more destructive than its counterparts. Here’s what to watch out for
Many organizations around the world, of all sizes, have been reeling from the impact of a vulnerability in popular managed file transfer software MoveIT, even as the attacks continue to unfold. There has been a deluge of headlines chronicling one cyber incident after another tied to MoveIT.
It appears that the vulnerability is the work of one group: Clop. Believed to be defunct until recently, Clop’s resurgence shows that the group is more advanced than its Ransomware-as-a-Service (RaaS) peers. By exploiting zero-day vulnerabilities and gradually leaking data, the group and its affiliates have adopted a patient and stealthy approach that makes it exceptionally difficult to deal with.
In this article, At-Bay’s Cyber Research team outlines how organizations can deal with Clop’s evolution, even as their activities have become challenging to detect. By understanding the full extent of the threat that Clop poses, organizations can be better prepared to stop attacks before they start.
The group behind Clop ransomware has been around for a while. More commonly known as TA505, the group first gained the attention of security researchers in 2014 for its prolific use of Dridex, a strain of malware known for stealing banking credentials.
TA505 started using the name Clop in February 2019, becoming infamous quickly for its “double extortion” tactics: stealing and encrypting victim data, refusing to restore victim access, and publishing stolen data on its data leaks blog. Over the next two years, Clop was one of the most widely-deployed ransomware strains, with total damages reaching an estimated $500 million.
In 2020, the group began focusing on file transfer software, launching many attacks through multiple zero-day vulnerabilities in Accellion’s legacy File Transfer Appliance (FTA). In June 2021, a multi-country law enforcement operation arrested several alleged members of the RaaS group’s operations. That action forced Clop to heavily pull back on launching attacks, with other variants filling the void.
A Unique Approach: More FTA Zero-Days
Managed file transfer software, which allows data to move through a system while also adhering to integrity and compliance statutes, has become a target for Clop.
The group has re-asserted itself due to its unique targeting of zero-day vulnerabilities in file transfer products similar to Accellion. In late January 2023, Clop was spread via a zero-day vulnerability to target the GoAnywhere MFT platform. According to the U.S. Department of Homeland Security, that zero-day vulnerability was leveraged to steal data from approximately 130 victims over the course of 10 days.
On May 31, a zero-day vulnerability in Progress Software’s MOVEit Transfer was publicly disclosed. This exploit resulted in the theft of corporate data from a slew of organizations, including Siemens Electric, payroll service provider Zellis, networking company Extreme Networks, and various government agencies on the federal and state level.
Clop’s ability to find these vulnerabilities and develop exploits targeted toward a specific piece of software is a remarkable shift in the Ransomware-as-a-Service ecosystem.
As financially-motivated threat actors generally target “low-hanging fruit,” the majority of ransomware attacks target vulnerabilities that have long been public. The team behind Clop is now exhibiting characteristics more aligned with a nation-state attack group or advanced persistent threat (APT) rather than a typical RaaS syndicate.
Clop follows a specific playbook to ensure victims have a strong incentive to pay a ransom. By leveraging zero-day vulnerabilities, Clop can adopt a patient and stealthy approach distinct from other ransomware groups that rely on public vulnerabilities in order to attack a high volume of targets.
There is evidence that Clop has carried out this strategy for years. Cyber advisory firm Kroll discovered evidence that the group had been testing the MoveIT vulnerability since 2021. This aligns with the group’s timeline of similar vulnerabilities, particularly the attacks that targeted FTA Accellion vulnerability.
Additionally, Clop has been moving away from encryption-based attacks. Recently, attackers using Clop employed a “data extortion” strategy, where ransom demands are made in exchange solely for stolen data to remain out of the public domain. At-Bay’s Cyber Research Team has observed several attacks launched by Clop that have not used encryption to lock an organization’s system.
A Difficult-to-Detect Technique
Most RaaS groups rely on known vulnerabilities, adding more affiliates in an effort to launch as many attack attempts as possible. This expansion means that with a higher volume of attacks, the likelihood of operational errors or information leaks also increases, leading to an increased probability that law enforcement will apprehend and upend the groups.
However, Clop has shifted to a new strategy that takes the opposite approach. The group relies on zero-day development and data extortion, keeping a small number of highly skilled actors on its payroll who work to develop their own zero-days instead of searching for vulnerabilities that have been released but not patched. This has made detecting activity associated with the group challenging.
At-Bay’s Cyber Research Team believes it’s reasonable to assume that Clop possesses more zero-day exploits for more sensitive file transfer products. Given that the frequency of ransomware attacks is starting to rise year-over-year, we expect to see some of these zero-days deployed before the end of the year.
There’s no silver bullet for stopping zero-day vulnerabilities. However, a comprehensive InsurSec approach that includes insurance and security can significantly reduce the risk of attacks and vastly mitigate the damages that may result from ransomware groups leveraging previously unknown flaws in software.
An At-Bay Cyber Insurance policy, which combines insurance coverage with world-class cyber security technology to offer end-to-end prevention and protection. This is why At-Bay policyholders are 5X less likely* to be hit with a ransomware attack. We can help you build the right security posture while defending against ransomware syndicates like Clop, and our in-house security experts can provide guidance on monitoring for vulnerabilities, and help you minimize your exposure in an ever-changing threat landscape.
* Frequency Based on Primary and Excess Cyber and Tech Errors & Omissions losses reported and exposure earned through 9/30/2022, evaluated as of 10/1/2022, and 2020-2021 industry analysis.