Clop is a ransomware gang that first appeared in February 2019 when security researchers found new ransomware strains with the .Cl0p extension. A spate of prolific and high-profile attacks within a short period of time ensured the gang quickly made a name for itself. This article analyzes Clop’s operations and highlights some high-profile attacks carried out by the gang.

Clop: Operations and Ransomware Analysis

The gang’s members are Ukrainian, and they previously used a ransomware strain known as CryptoMix. The initial attack vector that provides access to a victim’s network is often a spam email, notification about fake software updates, or a more targeted spear-phishing campaign. After a victim downloads a malicious file, such as a macro-enabled email attachment, the group then deploys reconnaissance, lateral movement, and data exfiltration techniques before finally delivering a ransomware payload that encrypts affected systems.

Despite security researchers detecting Clop ransomware in February 2019, the group’s dark web leak site didn’t appear online until over one year later in March 2020. This leak site creates extra pressure on victims to pay up by publicly disclosing small samples of stolen data.

This ransomware strain tries to evade detection on endpoint systems by attempting to disable Windows Defender and remove other Microsoft security tools found on devices running older operating systems. The point at which ransomware is about to be installed is often too late in the game, however, organizations with Windows 10 can defend against attempts to disable Windows Defender by ensuring Tamper Protection is switched on for all endpoint devices connected to the network.

Unlike several of today’s other well-known ransomware gangs, Clop doesn’t operate a ransomware-as-a-service model. The group carved its own path and decided to keep all profits for its members, which indicates a relatively large operation.    

High-Profile Clop Attacks

Utility Trailer Manufacturing, May 2021

 Utility Trailer Manufacturing designs and manufactures refrigerated freight vans, flatbed trailers, and other semi-trailers. In business since 1914, the company is the leading refrigerated trailer manufacturer in the United States.

In May 2021, the company suffered a cyber attack that temporarily disrupted systems and resulted in sensitive data exfiltration. A post on Clop’s dark web leak site disclosed up to five gigabytes worth of personal information about Utility Trailer’s employees. The leaked data included compensation claims, termination records, and even tax forms. Often, these initial leaks represent a small snippet of the exfiltrated data; threat actors hope to scare victims into paying up so that more of their data doesn’t make it to the public domain.

Shell, March 2021

 Oil giant Shell became arguably Clop’s most high-profile victim as part of a supply chain attack that impacted multiple organizations around the world. The incident occurred when Clop managed to compromise the Accellion file-sharing service with the aid of another threat group known as Fin 11.

The Shell incident didn’t result in any IT disruptions for the oil and gas producer because Clop opted not to install its ransomware strain on any systems. This was an attack that solely focused on exfiltrating sensitive data and demanding a ransom for it. Shell disclosed the attack in March 2021, but the data exfiltration probably happened a few months prior. Posts on Clop’s dark web leak site showed passport scans belonging to Shell employees among the stolen data.  

 University of Colorado, March 2021

 The University of Colorado also impacted by the same supply chain cyber attack as Shell. Details of students’ grades and social security numbers from the school began appearing online in March 2021, which aligned with the university’s public disclosure a month previously that it was impacted by the Accellion file transfer service breach. Reports suggest that the Clop gang demanded a $10 million ransom payment to prevent further data leaks.

 Symrise, December 2020

In an incident bearing the hallmarks of a more traditional double extortion attack, German flavor and fragrance developer Symrise AG became the latest Clop victim in an attack that took place in December 2020. After almost 1,000 devices became unusable due to encryption, Symrise had to halt production and shut down IT systems to contain the spread of ransomware.

Before spreading its ransomware strain in Symrise’s network, the Clop gang managed to exfiltrate 500 gigabytes of unencrypted files from Clop’s IT systems. Once again, Clop used its dark web leak site to post details of stolen files to entice Symrise to pay up.

E-Land Retail, November/December 2020

 E-Land Retail is part of a South Korean conglomerate that produces and distributes consumer goods, including apparel and housewares. In November 2020, a company statement revealed that E-Land Retail was the latest victim of Clop’s targeted ransomware attacks. According to the statement, a compromised server had to be shut down.

Just one month later, further details emerged stating Clop gang members managed to infiltrate E-Land Retail’s network up to one year before the ransomware incident. During this initial infiltration, threat actors managed to install malware on Point of Sale (POS) systems. This malware enabled the gang to steal credit card details belonging to up to two million E-Land retail customers.

This attack demonstrates how evasive threat actors can lurk for lengthy periods in your network before eventually striking servers and other critical systems with their ransomware payloads. 

Software AG, October 2020

 In another Clop attack hitting a German company, prolific software development company Software AG fell victim to the gang’s operations. A press release mentioned that internal Software AG systems were impacted by the attack but that customer-facing services were unaffected.

The hackers also managed to get their hands on company data in the attack on Software AG, which led to a substantial ransom demand of approximately $23 million. Mirroring previous double extortion incidents in which victims refused to pay up, Clop’s members soon began releasing data on the dark web. The leaked data included details about some of Software AG’s near 5,000 employees.

The Demise of Clop

In June 2021, it appeared that Clop became a victim of its own success in targeting large organizations. Authorities in Ukraine closed in and apparently arrested six of the gang’s members as part of a collaborative effort involving international law enforcement and the Binance cryptocurrency exchange. South Korean and US authorities were also involved, which perhaps reflects the fact that major organizations in these countries were victims of Clop’s operations.

The role of Binance appears particularly significant in that its behavioral analysis on crypto transactions uncovered details of over $500 million in laundered ransom payments, which helped with tracking down the perpetrators.

A press release published by Ukrainian authorities indicated a degree of closure to Clop’s operations in that they alluded to shutting down the gang’s infrastructure. However, six days after the arrests, one prominent cybersecurity reporter Tweeted that a new victim appeared on Clop’s ransomware leak site. The operation to take down Clop appears to have been unsuccessful. It’s likely that the people arrested did not include all core members of the gang.

Closing Thoughts

Whether Clop emerges again and in what form remains to be seen. It is likely that the threat actors are biding their time and waiting for the right opportunity to strike. The use of spam emails and spear-phishing campaigns makes dedicated anti-phishing email security solutions a critical tool in efforts to prevent ransomware attacks like those carried out by Clop. 

To learn more about IRONSCALES’ award-winning anti-phishing solution, please sign up for a demo today at https://ironscales.com/get-a-demo/.