Cl0p Returns, But Are They Here To Stay?

10548033459?profile=RESIZE_400xCl0p ransomware began as a part of the Cryptomix family and was first seen in the wild in 2019 operating as a Ransomware-as-a-Service (RaaS) platform.  The group has targeted international organizations including companies in the pharmaceditcal, education, technology, and industrial verticals.   

The Cl0p ransomware group had a quiet end to 2021 after being shut down following Operation Cyclone, a joint law enforcement operation involving Interpol, Europol, Ukrainian Law enforcement, United States law enforcement authorities.  The operation lead to the arrest of six suspects in Ukraine, and involved searching 20 homes, businesses, and vehicles.  According to Intel 471 the members arrested were linked to the gang as money launderers, and that the core Cl0p members are likely safe in Russia.[1]

Operation Cyclone resulted in some of the group’s infrastructure being shut down and thus a slow end to the year for ransomware infections.  After being relatively quiet early in 2022, the group jumped to the fourth most active ransomware group in April compromising 21 victims. 

There is speculation regarding motivation behind the jolt of activity from the group. One theory is the group is going out with a bang and publishing victim data from previous attacks similar to Conti. This could also be a result of Operation Cyclone as there is no way for the group to know how much information was shared with law enforcement. Following the arrests of Cl0p affiliates the group might feel threatened and motivated to publish the information that they already have. 

An alternative is that the gang has finally recouped from the law enforcement take down last year and is returning to normal activity. Perhaps this time was also used to improve their tactics.  Cl0p has been well documented since they arrived on the seen in 2019, so it is possible that they needed to make some tactical changes and used this time to scope out targets unleashing multiple attacks in quick succession.  Changes to their initial access, target selection, or encryption method would all make the ransomware more difficult to defend against.  

Pictured below is a summary of ransomware activity from the Cyber Threat Analysis Center (CTAC) by Wapack Labs, showing a jump in Cl0p’s activity in the last ninety days.

10548029656?profile=RESIZE_710xIn any case the fact remains that the group is active now and organizations should be prepared to deal with ransomware attacks.  Some best practices to keep your organization safe include:

  • Maintaining offline encrypted backups that are regularly tested.
  • Have an incident response plan and practice it.
  • Conduct regular vulnerability scans.
  • Patch and update software and operating systems.
  • Check device configurations and employ a configuration change policy.
  • Use RDP best practices.
  • Use cyber security awareness training with a focus on phishing.
  • Keep antivirus signatures up to date.
  • Use MFA where applicable and maintain a strong and enforceable password policy.

Red Sky Alliance is a Cyber Threat Analysis and Intelligence Service organization. For questions, comments or assistance, please contact the office directly at 1-844-492-7225, or feedback@wapacklabs. com    

Weekly Cyber Intelligence Briefings:

Weekly Cyber Intelligence Briefings:

REDSHORTS - Weekly Cyber Intelligence Briefings

https://attendee. gotowebinar. com/register/3702558539639477516

[1] https://www.bleepingcomputer.com/news/security/operation-cyclone-deals-blow-to-clop-ransomware-operation/

E-mail me when people leave their comments –

You need to be a member of Red Sky Alliance to add comments!

Join Red Sky Alliance