If your organization has received a ransomware demand, CL0P may be a familiar name. In 2023, CL0P was the third most prolific ransomware gang, after Lockbit and ALPHV.
The Russia-linked CL0P cybercrime organization has become one of the most successful ransomware organizations in the world. Using a Ransomware-as-a-Service model (RaaS), CL0P affiliates can pay a deposit and use the CL0P ransomware to hack organizations and steal data, which are then held as ransom for multimillion dollar payments. If victims fail to pay the demanded ransoms, then the stolen data is posted on the “CL0P^_-LEAKS” site.
Since 2019, CL0P has utilized this “double extortion” tactic- stealing data and threatening to leak it. Other ransomware gangs have also engaged in “triple extortion.” This additional step involves threats to engage in Distributed-Denial-of-Service (DDoS) attacks that would shut down systems and render them inoperable, thereby increasing pressure on victims to comply with attackers’ demands.
CL0P has now begun using “quadruple extortion” techniques. In addition to the above, if victims do not comply, then CL0P will send messages to harass customers, business partners, employees, media, and high-level executives to notify them that the organization was hacked. These methods have led to a rise in average ransomware payments.
Targeting some of the world’s largest organizations, the CL0P ransomware gang has focused on the financial, manufacturing, and healthcare industries. Last May, CL0P gained notoriety for exploiting vulnerabilities in the MOVEit managed file transfer solution, extracting sensitive data from U.S. government agencies, schools, healthcare, and major firms. Earlier in 2023, the CL0P ransomware group exploited a similar zero-day vulnerability in the Fortra GoAnywhere managed file transfer platform and sent ransom notes to company executives.
CISA and the FBI recommend the following cybersecurity measures to mitigate CL0P cyber threats:
- Inventory assets and data to identify authorized and unauthorized devices and software.
- Grant administrative privileges and access only when necessary, and execute only legitimate software applications.
- Monitor the network and activate security configurations on network infrastructure devices.
- Regularly patch and update software and application.
- Conduct regular vulnerability assessments.
