CLOP

A Real-World Ransomware Group Analysis of CLOP

Part A - A Description of the Crimes

CLOP is a highly active criminal gang that engages in extortion and blackmail through a range of computer-enabled activities: it uses ransomware to disrupt the computer operations of targeted organisations, or it steals data and demands a fee to prevent disclosure of the theft.

CLOP is a cyber-enabled criminal group: it uses computers to commit crimes that also exist in the non-cyber world. Blackmail and extortion are traditional crimes.

Part B – Threat Actors, Modus Operandi, etc

CLOP's modus operandi is as follows:

1. They use spear-phishing, a form of phishing tailored to the individual receiving it, perhaps using their name or other personal information to create a sense of familiarity. They also use mass spam-style mailing aimed at many recipients, to increase the chances of finding a victim who is susceptible to a formal-sounding instruction and whose technical preventative controls do not work effectively. They ask the victims to interact with email attachments, which enables various hacking tools to be deployed.

2. Once active, these tools enable the gang to move around a network to gather data and spread ransomware.

3. They gather a range of sensitive data with which to blackmail the victims.

4. They deploy ransomware across the network and, when ready, activate it.

5. They demand a ransom to unlock the encrypted computers and attempt to negotiate with the victims by email. They even offer discounts. They threaten to release the stolen data on public forums, most likely hoping that the victim's concern about reputational damage will make them pay.

6. More recently, they have started to email the organisation's customers and chief executive officers to pressure the organisation to pay, no doubt to put pressure on key decision makers. This is a change from simply sending messages to the person who was the initial victim of the attack.

7. They target large organisations, which are more likely to have the financial means and the reputation needed to make the payments.

8. They have recently made less use of ransomware, focusing more on threats of data publication instead.

9. Besides executing attacks, they supply malware to others in a ransomware-as-a-service business offering. They also offer access to compromised organisations to others.

Threat Actor Profile

It is challenging to build a detailed profile, as they do not speak publicly or share information about themselves. They may be Russian, but members were arrested in Ukraine and South Korea. They are willing to work with others and provide services and tooling.

The members are technically highly proficient in finding and exploiting zero-day vulnerabilities. They have been known to use methods such as software supply chain attacks and were responsible for the compromise of SolarWinds, which led to malware being spread to many organisations that used SolarWinds. They are known for attacking software that transmits bulk data between organisations, including Progress MOVEit, Accellion and Kiteworks, exploiting poor-quality code to gain access to sensitive data, which they have then used to blackmail victims.

They target large organisations with the means to pay, particularly banks, retailers, and healthcare organisations. They monetise their products through multiple revenue streams. They are known to provide excellent "customer support", helping victims understand what they should do and how to pay; the aim is to secure the payment rather than to serve the victim. They require ransoms to be paid in cryptocurrency. Cryptocurrency operates outside the controls that protect regular currencies and provides a degree of anonymity. The above illustrates that CLOP clearly understands how to monetise its crimes, adapt to circumstances, and avoid the anti-money-laundering, fraud-detection and other controls that banks use.

It is challenging to apply Dark Triad or OCEAN theories to CLOP, as meeting members of the organisation is impossible. If the theories could be applied at an organisational level, the organisation likely focuses on self-interest (Machiavellianism). It is hard to gauge their feeling of self-importance (narcissism); yet the publicity their cyber attacks receive indicates a certain level of fame or infamy, which may make members feel important. As for psychopathy, it is clear that they seek to cause disruption, and their targets include healthcare facilities. It is unlikely they consider the real-world impacts when targeting organisations, only the victim's need to pay the ransom.

If they are Russian and operate from within Russia, Article 61 of the Russian Constitution prohibits their deportation to other countries. While the members remain within the Russian Federation and do not commit crimes against Russian entities, they are unlikely to face justice and can operate with impunity.

Part C: Putting it All Together

CLOP is a persistent cybercrime gang. While no one except CLOP knows what its revenues are, if 10% of their attacks were successful, they would have an annual income of between USD75m and USD100m. They amplify the crimes of extortion and blackmail by targeting computer systems and protected data to pressure their victims.

CLOP succeeds because it attacks organisations with the financial means to pay, which hold a sufficient pool of sensitive data for its loss to be newsworthy and are large enough for negative publicity to matter to them. They seem to have little regard for their victims' societal roles and have been willing to target hospitals and similar facilities, where their actions put real lives at risk. It is unclear where members sit on the Dark Triad due to a lack of information. Self-enrichment is possibly a goal; news reports serve their brand and may create a sense of fear in society. It is unclear if the Dark Triad applies collectively to individuals operating at a crime-organisation level.

They attack using spear-phishing, which means they target specific victims who may have authority or high-level computer privileges to leverage. They use bulk mail to ensure they find a susceptible victim. CLOP researches its targets and makes a concerted effort to breach defences. It is unclear what tone the spear-phishing messages take and what psychological response they trigger in victims. In a spear-phishing attack, the email would be focused, probably addressing the victim by name and perhaps including some relevant contextual information that would cause the victim to respond. CLOP makes a concerted effort to involve a range of stakeholders during its attacks, to ensure that people in authority make the necessary decisions while under pressure from customers and colleagues.

They have strong technical proficiency and maintain it, and they have targeted applications they know are most likely to be transmitting sensitive data. They find and exploit zero-day vulnerabilities and spend time looking for such vulnerabilities.

They operate without concern about being arrested. They are possibly Russian, and the Russian Constitution prevents the extradition of Russian citizens. They have affiliates in South Korea and Ukraine. Committing these crimes is low risk for the threat actors.

They operate in a business-like way. They create multiple revenue streams, with affiliates using their products to conduct attacks against victims. They are willing to negotiate with victims and provide good customer support to increase their chances of receiving the financial rewards they seek.

In conclusion, CLOP is a successful criminal organisation. They leverage cyber attacks to extort money from victims. They are highly skilled at software creation and at finding vulnerabilities. They adapt their attack strategies between ransomware and data theft, both with a view to receiving a payment. They operate with a network of affiliates to whom they sell their crime products. It is unclear if they empathise with their victims, but it is unlikely. They have strategies to force their victims to pay and use non-standard financial means to receive payments. They most likely operate from a country with a low risk of being deported to the countries where they commit the crimes.


References

· https://www.trendmicro.com/vinfo/us/security/news/ransomware-spotlight/ransomware-spotlight-clop, Trend Micro, February 2022

· https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-158a, CISA, 2023

· https://www.nationalcrimeagency.gov.uk/cyber-choices, NCA, 2023

· https://www.theguardian.com/world/2007/may/22/russia.lukeharding, The Guardian, 2007

· http://www.constitution.ru/en/10003000-03.htm, Constitution.ru

· https://www.vice.com/en/article/wx5eyx/meet-the-ransomware-gang-behind-one-of-the-biggest-supply-chain-hacks-ever, Lorenzo Franceschi-Bicchierai, 2021

· https://news.sophos.com/en-us/2023/07/10/clop-at-the-top/, Sophos, 2023