A look at Cl0p.
By Tim Nodar, CyberWire senior staff writer.
Jul 24, 2023

A prominent Russophone gang shifts its extortion strategy.

Fortinet’s FortiGuard Labs has published a report on the Cl0p ransomware gang. The Cl0p ransomware is associated with the FIN11 cybercrime group and appears to be a descendant of the CryptoMix ransomware. The gang has been conducting a widespread data theft extortion campaign leveraging a recently disclosed MOVEit Transfer vulnerability (CVE-2023-34362).

A shift in extortion strategy.

The gang recently shifted its monetization strategy, and now focuses on stealing data for extortion rather than executing ransomware: “At some stage in its operations, the FIN11 group revised its strategy of deploying ransomware and shifted to purely exfiltrating information from victims for extortion. In fact, there is no evidence that the Cl0p ransomware was deployed when the MOVEit Transfer vulnerability was recently exploited.”

Cl0p currently has over 400 victims listed on its data leak site, most of which are located in the US and Europe: “According to data collected through Fortinet's FortiRecon service, the Cl0p ransomware group preyed on several industry sectors between January and June 2023, with business services leading the way, followed by software and finance. When victim organizations are classified by country, the United States is in first place by a significant margin.”

Two methods of exfiltration.

Researchers at Kroll are tracking two different methods used by Cl0p to exfiltrate data via the MOVEit vulnerabilities:

“In the vast majority of Kroll’s global MOVEit investigations, the primary data exfiltration method consisted of utilizing the dropped web shell to inject a session or create a malicious account. From there, threat actors were able to reauthenticate and use the MOVEit application itself to transfer files.

“However, in a few instances, Kroll identified an additional and distinctly different methodology used to exfiltrate data that left markers in the available logging and required a separate approach for analysis versus the more broadly leveraged and primarily used methodology. Kroll has also analyzed the Python script leveraged by CLOP to exfiltrate data during its initial wave of coordinated and largely automated attacks across MOVEit servers globally.”

In this second method, the dropped web shell itself exfiltrates the data by interacting directly with the MOVEit API, rather than through a reauthenticated session in the MOVEit application:

“The web shell, dropped by the threat actors during exploitation of CVE-2023-34362, contains built-in data exfiltration capabilities. As opposed to the more commonly observed method, data exfiltration via this mechanism creates distinct indicators of compromise due to its direct interaction with the MOVEit API. Kroll investigators have identified forensic artifacts consistent with the use of this capability in approximately 5% of Kroll’s global MOVEit engagements.”