Tag Archive for: clop

National Critical Infrastructure Under Attack: Clop Ransomware


On August 15, 2022, a U.K. water supplier disclosed that a cyber attack had disrupted its corporate IT systems. The attackers reportedly used a remote access software platform that had sat dormant on the network for months.

This is another ransomware attack on national critical infrastructure (NCI).


The criminal cyber activity on Monday disrupted the corporate IT systems of a U.K. water supplier. The company insists that water delivery was unaffected. It confirmed that it activated its continuity-of-operations and cybersecurity response plans and notified the relevant U.K. authorities.

According to a report on BleepingComputer, the Clop ransomware gang claimed responsibility for an attack on a U.K. water company. The cybercriminals claimed that Thames Water, rather than South Staffordshire Water, was the target.

The fallout from the cyber attack against the UK water system

Clop allegedly breached the company's SCADA systems and threatened harm to consumers of the U.K. water supply. Although the gang did not encrypt the victim's PCs, it claims to have exfiltrated 5 terabytes of data during the attack. Even with several layers of critical infrastructure controls, this type of activity continues to be a global problem, not just in the U.K.

Clop is a variant of the CryptoMix ransomware, attributed to actors in Russia. It employs several strategies to evade detection and hinder analysis: anti-analysis and anti-virtual machine (VM) checks stop the malware from executing when it detects that it is running in an emulated environment. The ransomware also attempts to disable Windows Defender and remove Microsoft Security Essentials.
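The AV-tampering behaviour described above is something a defender can look for on the endpoint. The following is an added example, not code from the article or from any vendor or the Clop operators: detection logic in Python, run over a handful of constructed Sysmon-style process-creation events (the hostnames, paths and command lines are invented for this example). The rule patterns cover documented, generic ways of switching off Windows Defender or uninstalling Microsoft Security Essentials; they are not Clop-specific indicators.

```python
"""Scan process-creation events for command lines that disable Windows
Defender or uninstall Microsoft Security Essentials.  Field names (Computer,
Image, CommandLine) follow the Sysmon Event ID 1 layout; every sample event
below is constructed for this example and is not from any real incident."""
import json
import re

# Case-insensitive patterns for well-known ways of switching off or removing
# Microsoft AV tooling, keyed by a short rule name used in reports.
TAMPER_RULES = {
    # PowerShell: Set-MpPreference -DisableRealtimeMonitoring $true
    "defender_realtime_off": re.compile(
        r"set-mppreference\b.*-disablerealtimemonitoring\s+\$?true", re.I),
    # reg add ...\Windows Defender /v DisableAntiSpyware|DisableAntiVirus /d 1
    "defender_policy_reg": re.compile(
        r"\breg(\.exe)?\s+add\b.*windows defender.*disableanti(spyware|virus)\b"
        r".*/d\s+1\b", re.I),
    # sc stop|config WinDefend ...  or  net stop WinDefend
    "defender_service_stop": re.compile(
        r"\b(sc(\.exe)?\s+(stop|config)|net(\.exe)?\s+stop)\s+windefend\b", re.I),
    # wmic product where name="Microsoft Security Essentials" call uninstall
    "mse_uninstall": re.compile(
        r"microsoft security essentials.*\bcall\s+uninstall\b", re.I),
}


def detect_av_tampering(event_line: str) -> list:
    """Return the names of the rules matched by one JSON-encoded event."""
    cmd = json.loads(event_line).get("CommandLine", "")
    return [name for name, rx in TAMPER_RULES.items() if rx.search(cmd)]


def scan(event_lines):
    """Return (host, image, matched_rules) for every event that trips a rule."""
    findings = []
    for line in event_lines:
        hits = detect_av_tampering(line)
        if hits:
            ev = json.loads(line)
            findings.append((ev.get("Computer", "?"), ev.get("Image", "?"), hits))
    return findings


# Constructed sample events: four tampering attempts and two benign commands.
SAMPLE_EVENTS = [json.dumps(e) for e in [
    {"Computer": "WS01",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell.exe -nop -c Set-MpPreference -DisableRealtimeMonitoring $true"},
    {"Computer": "WS01", "Image": r"C:\Windows\System32\reg.exe",
     "CommandLine": r'reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender" '
                    r"/v DisableAntiSpyware /t REG_DWORD /d 1 /f"},
    {"Computer": "WS02", "Image": r"C:\Windows\System32\sc.exe",
     "CommandLine": "sc stop WinDefend"},
    {"Computer": "WS02", "Image": r"C:\Windows\System32\wbem\WMIC.exe",
     "CommandLine": 'wmic product where name="Microsoft Security Essentials" '
                    "call uninstall /nointeractive"},
    {"Computer": "WS03", "Image": r"C:\Windows\System32\notepad.exe",
     "CommandLine": r"notepad.exe C:\Users\alice\notes.txt"},       # benign
    {"Computer": "WS03",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell.exe Get-MpPreference"},              # benign query
]]


if __name__ == "__main__":
    for host, image, rules in scan(SAMPLE_EVENTS):
        print(f"{host}: {image} -> {', '.join(rules)}")
```

Run as a script it reports the four tampering events and stays silent on the two benign ones. Legitimate administrators also run these commands, so in production the hits should be joined with parent-process and user context rather than alerted on in isolation.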

As industrial systems connect to the internet to leverage cloud analytics, the devices become more exposed to cyberattacks. Industrial control systems (ICS) and internet of things (IoT) devices are especially vulnerable because of inadequate OT security controls and vulnerabilities in the products themselves.

During production, critical infrastructure equipment such as intelligent building control systems, fire and safety systems, traffic control systems, intelligent…

Source…

Clop ransomware gang is back, hits 21 victims in a single month



After effectively shutting down its entire operation for several months, between November and February, the Clop ransomware gang is now back, according to NCC Group researchers.

“CL0P had an explosive and unexpected return to the forefront of the ransomware threat landscape, jumping from the least active threat actor in March to the fourth most active in April,” NCC Group said.

This surge in activity was noticed after the ransomware group added 21 new victims to their data leak site within a single month, in April.

“There were notable fluctuations in threat actor targeting in April. While Lockbit 2.0 (103 victims) and Conti (45 victims) remain the most prolific threat actors, victims of CL0P increased massively, from 1 to 21,” NCC Group added.

Clop’s most targeted sector was the industrial sector, with 45% of Clop ransomware attacks hitting industrial organizations and 27% targeting tech companies.

Because of this, NCC Group's strategic threat intelligence global lead Matt Hull warned organizations in the group's most targeted sectors to consider the possibility of being its next target and to prepare accordingly.

However, despite having already leaked data from almost two dozen victims, the ransomware group does not appear very active judging by the number of submissions to the ID Ransomware service.

Clop ransomware activity (ID Ransomware)

Part of a shutdown process?

While some of the recent victims are confirmed to be new attacks, one theory is that the Clop gang might finally be shutting down their operation after being inactive for so long.

As part of this process, the ransomware gang would likely publish the data of all previously unpublished victims.

This is similar to what the Conti group appears to be doing right now as part of their own ongoing shutdown.

Whether these are old or new victims will likely be confirmed if the victims release breach notifications or publish confirmations (some of them have already done so).

Who is Clop?

The Clop ransomware gang's activity lull is easily explained by some of its infrastructure being shut down in June 2021 following an international law enforcement operation codenamed Operation Cyclone, coordinated by INTERPOL.

Six individuals…

Source…

Operation Cyclone deals blow to Clop ransomware operation



A thirty-month international law enforcement operation codenamed ‘Operation Cyclone’ targeted the Clop ransomware gang, leading to the previously reported arrests of six members in Ukraine.

In June, BleepingComputer reported that Ukrainian law enforcement arrested members of the Clop ransomware gang involved in laundering ransom payments.

This Friday, new information came to light regarding how the operation was conducted and the law enforcement agencies involved.

Interpol’s Operation Cyclone

The transcontinental operation named ‘Operation Cyclone’ was coordinated from INTERPOL’s Cyber Fusion Centre in Singapore, with assistance from Ukrainian and US law enforcement authorities.

This operation targeted Clop for its numerous attacks against Korean companies and US academic institutions, where the threat actors encrypted devices and extorted organizations to pay a ransom or have their stolen data leaked.

In December 2020, Clop conducted a massive ransomware attack against E-Land Retail, a South Korean conglomerate and retail giant, forcing 23 of its 50 NC Department Store and NewCore Outlet stores to close temporarily. The gang later claimed to have stolen 2,000,000 credit card records from the company using point-of-sale malware.

More recently, Clop exploited a vulnerability in the Accellion FTA secure file transfer gateway to steal confidential and private files from corporations and universities. When ransom demands of more than $10 million went unpaid, the threat actors publicly released students' personal information from numerous universities and colleges.

Clop ransom note used in Accellion extortion demands

The US education institutions targeted in the Accellion attacks included the University of Colorado, University of Miami, Stanford Medicine, University of Maryland Baltimore (UMB), and the University of California.

Through intelligence sharing between law enforcement agencies and private partners, Operation Cyclone led to the arrest of six suspects in Ukraine, the search of more than 20 houses, businesses, and vehicles, and the seizure of computers and $185,000 in cash assets.

The operation was also assisted by private partners, including Trend Micro, CDI, Kaspersky Lab, Palo Alto…

Source…

Accellion FTA Zero-Day Attacks Show Ties to Clop Ransomware, FIN11 – Threatpost

Source…