To install click the Add extension button. That's it.

The source code for the WIKI 2 extension is being checked by specialists of the Mozilla Foundation, Google, and Apple. You could also do it yourself at any point in time.

How to transfigure the Wikipedia

Would you like Wikipedia to always look as professional and up-to-date? We have created a browser extension. It will enhance any encyclopedic page you visit with the magic of the WIKI 2 technology.

Try it — you can delete it anytime.

Install in 5 seconds
4,5
Kelly Slayton
Congratulations on this excellent venture… what a great idea!
Alexander Grigorievskiy
I use WIKI 2 every day and almost forgot how the original Wikipedia looks like.
Live Statistics
English Articles
Improved in 24 Hours
Added in 24 Hours
Languages
Recent
Show all languages
What we do. Every page goes through several hundred of perfecting techniques; in live mode. Quite the same Wikipedia. Just better.
Great Wikipedia has got greater.
.
Leo
Newton
Brights
Milds

Clop (cyber gang)

From Wikipedia, the free encyclopedia

Clop
AbbreviationCl0p
Formation2019
TypeHacking

Clop (sometimes written “Cl0p”) is a cybercriminal organization known for its multilevel extortion techniques and global malware distribution. It has extorted more than $500 million in ransom payments, targeting major organizations worldwide. Clop gained notoriety in 2019 and has since conducted high-profile attacks, using large-scale phishing campaigns and sophisticated malware to infiltrate networks and demand ransom, threatening to expose data if demands are not met.

Clop increasingly uses pure extortion approaches with "encryption-less ransomware". It also employs more complex attacks, such as zero-day, that have a significant impact and allows them to demand higher ransom payments.

Description

Clop is a Russian-speaking ransomware gang.[1] According to the US Cybersecurity and Infrastructure Security Agency (CISA), Clop is "driving global trends in criminal malware distribution".[2] Clop avoids targets in former Soviet countries and its malware can't breach a computer that operates primarily in Russian.[2]

In 2023, Clop uses more and more pure extortion approaches with "encryption-less ransomware" that skips the encryption process but still threatens to leak data if a ransom is not paid. This technique allows threat actors to achieve the same results and generate larger profits.[3]

Clop is used to conducting malicious activities during holidays, when the number of staff members present in companies tends to be at its lowest. This is the case of the Accellion FTA software attack on December 23, 2020, and MOVEit attack during the summer 2023.[4]

The cybercriminals declared to Bleeping Computer to have erased "right away" data concerning "the military, children's hospitals, GOV etc".[4]

History

First exploits

The gang was first spotted by researchers in February 2019. It evolved as a variant of the "CryptoMix" ransomware family. Clop is an example of ransomware as a service (RaaS). Clop ransomware used a verified and digitally signed binary, which made it look like a legitimate executable file that could evade security detection.[5]

In December 2019, the group attacked Maastricht University. The ransomware encrypted almost all Windows systems used by Maastricht University, making it impossible for students and staff members to access any university online services during the Christmas break.[6] The offenders set a ransom, which allowed a decryption of the university systems after Maastricht University paid €200,000 in a Bitcoin transfer. The lessons resumed with no delays on 6 January, with most online services again available to both students and staff members.[7] In 2020, the public prosecutor service seized the cryptocurrency account in which the ransom was paid. Once the ransom was converted from Bitcoin to Euros, the university was able to recover €500,000, double of what was paid.[8]

Accellion FTA attack (2020)

Accellion, a company providing a legacy File Transfer Appliance (FTA), experienced a series of data breaches in mid-December 2020. Threat actors took advantage of zero-day vulnerabilities and a web shell known as DEWMODE to breach the systems of up to 100 companies using Accellion's FTA. The stolen data included sensitive files.[9]

The attacks were attributed to the Clop ransomware gang and the FIN11 threat group, although no ransomware was deployed during these specific incidents. After exfiltrating the data, the attackers threatened to make the stolen information public unless a ransom was paid. Several organizations were identified as victims of these breaches, including Kroger, Singtel, QIMR Berghofer Medical Research Institute, Reserve Bank of New Zealand, ASIC, and the Office of the Washington State Auditor, among others.[9]

GoAnywhere MFT attack (2023)

In January 2023, the gang claimed responsibility for breaching over 130 organizations by exploiting a zero-day vulnerability in the GoAnywhere MFT secure file transfer tool. This security flaw, identified as CVE-2023-0669, allows attackers to execute remote code on unpatched instances of GoAnywhere MFT that have their administrative console exposed to the Internet.[10]

MOVEit exploitation (2023)

In 2023, Clop employs more complex attacks that make significant impacts and allow them to demand higher ransom payments. Specifically, the Clop gang targeted data theft by exploiting a zero-day vulnerability in MOVEit Transfer. Their objective is to overcome the overall decline in ransom payments by demanding substantial amounts from their victims.[11]

In 2023, the gang claims credit for the following hack : BBC and British Airways,[1] Estee Lauder companies,[12] 1st Source, First National Bankers Bank (USA), Putnam Investments (USA), Landal Greenparks (Netherlands), Shell (UK),[13] the New York City Department of Education,[14] and Ernst & Young.[15]

As of July 2023, the Clop ransomware gang is projected to earn an estimated $75-100 million from their extortion attacks using the MOVEit Transfer vulnerability.[11]

Methods

Clop uses big phishing campaigns. The emails contain HTML attachments that redirect recipients to a macro-enabled document used to install a loader named Get2. This loader facilitates the download of other tools such as SDBOT, FlawedAmmyy, and Cobalt Strike. Once in the system, the gang proceeds to reconnaissance, lateral movement, and exfiltration to set the stage for the deployment of their ransomware. Then Clop coerces their victim by sending emails in a bid for negotiations. If their messages are ignored, they threaten to publicize the data on their data leak website “Cl0p^_-Leaks”.[5]

Clop has more recently been reported to use TrueBot malware for access to networks. The loader deployed by the "Silence" hacker group, affects over 1,500 systems worldwide in 2023.[16]

See also

References

  1. ^ a b Lyngaas, Sean (2023-06-07). "Russian-speaking cyber gang claims credit for hack of BBC and British Airways employee data | CNN Business". CNN. Retrieved 2023-07-05.
  2. ^ a b "Ransomware Gang Haunted US Firms Long Before MOVEit Hack". Bloomberg.com. 2023-06-17. Retrieved 2023-07-05.
  3. ^ Ross Kelly (2023-06-29). "Encryption-less ransomware: Warning issued over emerging attack method for threat actors". ITPro. Retrieved 2023-07-18.
  4. ^ a b "Clop ransomware claims responsibility for MOVEit extortion attacks". BleepingComputer. Retrieved 2023-07-24.
  5. ^ a b "Ransomware Spotlight: Clop - Security News". www.trendmicro.com. Retrieved 2023-07-05.
  6. ^ "Cyber attack - a summary". Maastricht University. Retrieved 2020-05-11.
  7. ^ Bannister, Adam. "Ransomware attack: Maastricht University pays out $220,000 to cybercrooks". The Daily Swig. Retrieved 2020-05-11.
  8. ^ "Dutch university wins big after Bitcoin ransom returned – DW – 07/02/2022". dw.com. Retrieved 2023-04-21.
  9. ^ a b "Global Accellion data breaches linked to Clop ransomware gang". BleepingComputer. Retrieved 2023-07-24.
  10. ^ "Clop ransomware claims it breached 130 orgs using GoAnywhere zero-day". BleepingComputer. Retrieved 2023-07-24.
  11. ^ a b "Clop gang to earn over $75 million from MOVEit extortion attacks". BleepingComputer. Retrieved 2023-07-22.
  12. ^ "Estée Lauder beauty giant breached by two ransomware gangs". BleepingComputer. Retrieved 2023-07-22.
  13. ^ Page, Carly (2023-06-15). "Ransomware gang lists first victims of MOVEit mass-hacks, including US banks and universities". TechCrunch. Retrieved 2023-07-24.
  14. ^ "Clop ransomware gang obtained personal data of 45,000 New York City students in MOVEit hack". Engadget. Retrieved 2023-07-24.
  15. ^ "EY à son tour piraté ? Des données mises en vente". www.journaldunet.com (in French). 2023-07-07. Retrieved 2023-07-28.
  16. ^ "Clop ransomware uses TrueBot malware for access to networks". BleepingComputer. Retrieved 2023-07-22.
This page was last edited on 18 March 2024, at 20:39
Basis of this page is in Wikipedia. Text is available under the CC BY-SA 3.0 Unported License. Non-text media are available under their specified licenses. Wikipedia® is a registered trademark of the Wikimedia Foundation, Inc. WIKI 2 is an independent company and has no affiliation with Wikimedia Foundation.
Contact WIKI 2
Introduction
Terms of Service
Privacy Policy