Clop ransomware: Who are they, and how can I stop them?

By Emily Davidson

17 August 2023

Data theft remains a serious threat to organisations of all sizes and sectors around the globe. In fact, this year is currently forecast to be one of the worst years on record for total ransomware revenue; the figure for 2023 so far already sits at 90% of 2022’s whole year revenue.

The perpetrators behind cyber attacks are typically notorious, well-funded, and skilled cyber-crime operations, such as BlackBasta, LockBit, and ALPHV. Many are financially motivated entities, intending to break into company networks to cause disruption with ransomware and steal valuable data, with the ultimate aim of extorting significant ransom sums from victim organisations. Others are politically sponsored, such as the North Korean-funded Lazarus group, who use advanced and sophisticated malware tools to cause as much harm to their targets as possible. In 2016 Lazarus famously stole $81 million from the Bangladesh central bank, in what is still one of the largest cyber attacks in history.

This year, one group in particular has risen to dominate the headlines and spread anxiety among IT and security decision makers across the world – Clop.

Who are Clop?

Clop (stylised as Cl0p) is derived from the Russian name for a bed bug – Klop. The gang’s operations were first discovered in 2019, as a ransomware-as-a-service (RaaS) operation: using an evolved form of the CryptoMix ransomware, the syndicate would break into company networks, encrypt as many of their files and data as possible, and then demand sizeable ransom fees in exchange for decrypting systems and not releasing any stolen data.

Recently, the group switched tactics, with data suggesting a slowdown of ransomware deployments. Instead of encrypting an organisation’s systems, Clop essentially goes straight into an attempt to steal as much data as possible, before threatening to leak any stolen information within a short time window if ransom demands are not met. In 2023, this strategy has not only proven effective, but also lucrative; Clop is currently forecast to make over $75 million in revenue from their ongoing campaign targeting the MOVEit file transfer service.

Exploiting zero-day vulnerabilities for successful data breaches

This brings us onto their tactics. Over the last few months, Clop have become notorious for targeting managed file transfer applications. Hundreds of organisations have fallen victim to data breaches and subsequent extortion attempts – to varying levels of success – at the hands of the Russian-speaking cyber syndicate.

The first attack wave of this nature was in December 2020, when Clop demanded ransom fees of up to $10 million after leveraging a vulnerability in the Accellion File Transfer Application in order to steal data. Over 100 companies were affected by these breaches, including the Reserve Bank of New Zealand and US supermarket giant Kroger.

More recently, the group made the headlines after targeting Fortra’s GoAnywhere managed file transfer service, beginning in February of this year. By leveraging a zero-day remote code execution vulnerability, CVE-2023-0669, Clop stole data from a reported 130 organisations over a 10-day period, before moving to extortion.

Following the successes of the GoAnywhere extortion campaign, the syndicate then quickly turned their attention to Progress Software’s MOVEit managed file transfer application in May. Exploiting zero-day vulnerability CVE-2023-34362, this ransom campaign has caused even more damage, with over 600 victims (other reports suggest the true number is at least 10x the scale of the GoAnywhere campaign) and, as previously mentioned, a forecasted revenue of over $75 million. The victims of the MOVEit breaches include some of the UK's largest and most well-known organisations, including the BBC, British Airways, and Boots.

Some estimates put the true number of affected organisations in the thousands, and suggest that Clop are not done yet.

Instead of disrupting critical business operations, Clop go after an organisation’s reputation. They’ll threaten to leak business documents, trade secrets, personal information, and anything else of value that they can get their hands on.

How can you stop yourself becoming the next victim?

From a security point of view, the threat from Clop should be treated the same as all other cyber-crime operations. Clop is a sophisticated, advanced, and persistent threat actor, and therefore a comprehensive cyber security solution is essential for warding off the threat that they, and others, pose to your critical assets.

Studies show that victims are frequently ignored once ransom fees are paid, and organisations that have suffered a ransomware attack are often left without access to their unencrypted data regardless. It’s never worth paying the ransom.

These funds should instead go towards accelerating your ransomware detection and response capabilities. A proactive cyber strategy is the only way that you can ensure your organisation is prepared to defend itself from data breaches and ransomware.

The first step of a comprehensive cyber security strategy is to ensure that you have an effective SIEM solution. Almost like an alarm system for your digital environment, a SIEM solution enhances an organisation's ability to detect, monitor, and respond to potential security threats in real time. If an anomaly or suspicious activity is detected, security teams are notified, which in turn allows proactive and quick investigation, response, and mitigation of any threats.

SIEM solutions are one of the most important parts of a security strategy. They provide unparalleled visibility into your IT environment, actively contributing to threat intelligence and incident analysis. With modern technology such as AI and machine learning integrated, SIEM solutions can recognise new attack patterns and zero-day threats, such as the file transfer application vulnerabilities exploited by Clop, that traditional solutions may miss. SIEM solutions can also make decisions in milliseconds – with cyber crime being carried out at rapid pace with automation of its own, this capability is critical for preventing the escalation of a successful breach.
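To make the "alarm system" idea concrete for the data-theft-first tactic described above, here is an added illustration (not Celerity's product or any vendor's real detection rule) of a minimal SIEM-style correlation rule in Python: it flags any client that pulls an unusual number or volume of files from a file transfer host within a short sliding window. The log format, IP addresses and thresholds are constructed assumptions for the example.

```python
"""Toy SIEM correlation rule: alert on bulk downloads from a managed file
transfer (MFT) host. Added example with a constructed log format and
constructed thresholds; not any vendor's or attacker's real telemetry."""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed access-log lines: "<ISO timestamp> <client ip> <action> <file> <bytes>"
SAMPLE_LOG = """\
2023-06-01T02:00:01 203.0.113.9 DOWNLOAD /finance/q1.xlsx 120000
2023-06-01T02:00:03 203.0.113.9 DOWNLOAD /finance/q2.xlsx 110000
2023-06-01T02:00:04 203.0.113.9 DOWNLOAD /hr/payroll.csv 900000
2023-06-01T02:00:06 203.0.113.9 DOWNLOAD /legal/contracts.zip 4000000
2023-06-01T02:00:08 203.0.113.9 DOWNLOAD /hr/staff.csv 600000
2023-06-01T09:15:00 198.51.100.7 DOWNLOAD /public/brochure.pdf 300000
2023-06-01T09:40:00 198.51.100.7 UPLOAD /public/form.pdf 50000
"""


def parse(line):
    """Split one constructed log line into typed fields."""
    ts, ip, action, path, size = line.split()
    return datetime.fromisoformat(ts), ip, action, path, int(size)


def detect_bulk_download(log_text, window=timedelta(minutes=10),
                         max_files=4, max_bytes=5_000_000):
    """Return one alert per client whose downloads inside a sliding time
    window exceed either the file-count or the byte-volume threshold."""
    history = defaultdict(deque)  # ip -> deque of (timestamp, bytes) in window
    alerted = set()
    alerts = []
    for line in log_text.splitlines():
        ts, ip, action, path, size = parse(line)
        if action != "DOWNLOAD":      # uploads do not count towards exfiltration
            continue
        events = history[ip]
        events.append((ts, size))
        while events and ts - events[0][0] > window:  # expire old events
            events.popleft()
        total = sum(b for _, b in events)
        if ip not in alerted and (len(events) > max_files or total > max_bytes):
            alerted.add(ip)   # fire once per client, not on every further file
            alerts.append({"client": ip, "files": len(events), "bytes": total,
                           "first_seen": events[0][0].isoformat(),
                           "last_seen": ts.isoformat()})
    return alerts


if __name__ == "__main__":
    for alert in detect_bulk_download(SAMPLE_LOG):
        print("ALERT bulk download:", alert)
```

In a real deployment the thresholds would be tuned against the baseline for each host, and the alert would carry the file paths so responders can judge what may have left the network.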

Leverage the power of Managed SIEM

Managed SIEM is a powerful strategy for enhancing the cyber security capabilities of an organisation. Providing access to advanced technology and skilled analysts in a cost-effective package, Managed SIEM solutions enable IT teams to extract maximum value from their security investments, leveraging 24/7 continuous monitoring so that, in the event of an attack, an immediate response is guaranteed.

An effective SIEM solution requires highly skilled and experienced in-house staff. The challenge is that there is a widespread shortage of professionals with cyber security skillsets – UK government research indicates that 50% of all UK businesses have at least a ‘basic’ cyber security skills gap. Not only does this make these individuals difficult to recruit, but it also makes them extremely expensive resources. Managed SIEM solutions provide you with instant access to a highly skilled team, mitigating the skills gap and ensuring that your organisation is immediately protected.

In today’s turbulent economic environment, IT budgets are only going down. Many decision makers are under immense pressure to balance optimised cyber defences with streamlined costs. Leveraging a managed service is one of the most effective ways to drive security costs down, allowing organisations to pay for the services they need without the burden of upfront costs, ongoing maintenance expenses, and high salaries. They can also easily scale up and down according to the organisation’s current needs – meaning that even through periods of change, the strength of a business’s cyber defence is not compromised.

Cyber Resilience Assessment

Celerity’s Cyber Resiliency Assessment is designed to identify gaps, strengths, and weaknesses against best practice requirements based on the NIST Cyber Security Framework, helping you to understand the risk and maturity level of your environment.

In turn, you’ll be able to create a plan to protect your business and streamline your data security processes, with a customised cyber resilience strategy that is fitted to your vision and mission.

Download the brochure here, or get in touch with us to learn about this free evaluation of your data protection strategy.
