The ransomware landscape is a complex, volatile space. Variants come and go, developers borrow and steal from each other, and affiliates add their own bespoke customizations. This can make it difficult to know who or what exactly you’re dealing with when a breach strikes. It can also make two separate attacks from nominally the same collective potentially very different from each other.
Despite all this complexity and change, one constant over recent years has been the Clop group. It has compromised organizations as diverse as global law firms and aircraft manufacturers, accruing hundreds of millions of dollars in the process.
Fortunately for Illumio customers, we can stop Clop attacks from turning into cyber disasters. It all boils down to understanding how critical network assets communicate with each other and then blocking non-essential connections at scale.
What’s Clop all about?
Clop is one of the wealthiest ransomware groups around. Reports say money launderers connected with the outfit handled at least $500 million, and the group's total ransomware revenue is likely higher still. The malware first appeared in 2019 as a variant of an earlier strain known as CryptoMix. In the years since, it has been set to work against sectors as diverse as transportation and logistics, education, manufacturing, healthcare and retail.
Clop has been associated with multiple initial access vectors, from direct phishing attacks to zero-day exploits in file transfer software. The latter technique, highly unusual in the ransomware space because a single vulnerable product yields many victims at once, earned the group global notoriety and a long list of corporate victims.
One common thread linking most of these attacks is "double extortion." Now commonplace among ransomware actors, it was popularized by groups such as Clop. In such an attack, victims not only find their most sensitive data and systems encrypted; the data has also been stolen beforehand, so they suffer a data breach as well. This raises the stakes considerably. Backups may let you restore encrypted data, but if the attackers hold sensitive IP or highly regulated customer data, the risk calculation changes significantly.
How does Clop work?
While there's plenty of variation in Clop attacks, one pattern is instructive about how affiliates operate. They exploit misconfigured Active Directory (AD) environments to compromise accounts that hold domain-level privileges. This hands the attackers the keys to the kingdom, enabling them to:
- Execute commands remotely, via WMI and PowerShell, on the compromised endpoint and on any other domain-joined system they can reach over the network.
- Maintain persistence by creating new accounts, by creating or modifying services and other system processes, and by configuring commands or scripts to run automatically at boot or logon on any domain-joined asset.
With these tools in their arsenal, Clop attackers can move through a compromised organization with relative ease, deploying the ransomware while locating and exfiltrating sensitive data. Both activities depend on outbound connections to the public internet: to download additional tooling and to upload the stolen data.
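The behaviours described above (remote execution through WMI and PowerShell, persistence via new accounts, services and boot- or logon-time tasks, and one account touching many hosts) all leave standard Windows event records. The script below is an added example, not code from the Illumio article, showing detection logic for that pattern. The event IDs are the standard Windows ones (4688 process creation, 4720 user account created, 4698 scheduled task created, 7045 service installed); the host names, account names, paths and the records themselves are constructed sample data so the script runs offline.

```powershell
# Added example (not from the Illumio article): flag Windows events that match the
# AD-abuse pattern described above. Sample records are constructed, not real logs.

function Get-SampleEvents {
    # Constructed records shaped like parsed Get-WinEvent output. In production,
    # build these from Get-WinEvent -FilterHashtable and each event's XML instead.
    @(
        [pscustomobject]@{ Id = 4688; Computer = 'FS01';    Account = 'CORP\svc-backup'; Process = 'powershell.exe'; Parent = 'WmiPrvSE.exe';   Detail = '-nop -w hidden -enc SQBFAFgA' }
        [pscustomobject]@{ Id = 4688; Computer = 'FS01';    Account = 'CORP\svc-backup'; Process = 'conhost.exe';    Parent = 'powershell.exe'; Detail = '' }
        [pscustomobject]@{ Id = 4720; Computer = 'DC01';    Account = 'CORP\svc-backup'; Process = '';               Parent = '';               Detail = 'New account: CORP\sysadm1n' }
        [pscustomobject]@{ Id = 7045; Computer = 'APP02';   Account = 'CORP\svc-backup'; Process = '';               Parent = '';               Detail = 'Service: WinUpdSvc Image: C:\Windows\Temp\upd.exe' }
        [pscustomobject]@{ Id = 4698; Computer = 'HR-WS07'; Account = 'CORP\svc-backup'; Process = '';               Parent = '';               Detail = 'Task: \Maint\upd Trigger: AtLogon' }
        [pscustomobject]@{ Id = 4698; Computer = 'HR-WS07'; Account = 'CORP\jdoe';       Process = '';               Parent = '';               Detail = 'Task: \Adobe\Update Trigger: Daily' }
    )
}

function Find-AdAbuseIndicators {
    param([Parameter(Mandatory)][object[]]$Events)

    $hits = foreach ($e in $Events) {
        $rule = switch ($e.Id) {
            # Remote WMI execution: the WMI provider host spawns the command interpreter.
            4688 { if ($e.Parent -ieq 'WmiPrvSE.exe' -and
                       $e.Process -imatch '^(powershell|pwsh|cmd|wscript|cscript|rundll32)\.exe$') { 'RemoteExec-WMI' } }
            # Persistence: a new account was created.
            4720 { 'Persist-NewAccount' }
            # Persistence: a service whose binary lives in a user-writable location.
            7045 { if ($e.Detail -imatch '\\(Temp|Users\\Public|ProgramData)\\') { 'Persist-Service-SuspiciousPath' } }
            # Persistence: a task that fires at boot or logon, as the text describes.
            4698 { if ($e.Detail -imatch 'Trigger:\s*(AtLogon|AtStartup)') { 'Persist-Task-BootOrLogon' } }
        }
        if ($rule) {
            [pscustomobject]@{ Rule = $rule; Computer = $e.Computer; Account = $e.Account; Detail = "$($e.Process) $($e.Detail)".Trim() }
        }
    }

    # Lateral movement: one account leaving indicators on two or more hosts.
    $lateral = $hits | Group-Object Account |
        Where-Object { ($_.Group.Computer | Sort-Object -Unique).Count -ge 2 } |
        ForEach-Object {
            [pscustomobject]@{
                Rule     = 'LateralMovement-MultiHost'
                Computer = (($_.Group.Computer | Sort-Object -Unique) -join ',')
                Account  = $_.Name
                Detail   = "$($_.Count) indicators"
            }
        }

    if ($hits)    { $hits }
    if ($lateral) { $lateral }
}

Find-AdAbuseIndicators -Events (Get-SampleEvents) | Format-Table -AutoSize
```

On the sample data this reports four per-host indicators for CORP\svc-backup (the WMI-spawned PowerShell on FS01, the new account on DC01, the service in C:\Windows\Temp on APP02 and the logon task on HR-WS07) plus one multi-host finding for that account, while the daily Adobe task under CORP\jdoe is not flagged. Event 4688 only carries the parent process name and command line when process creation auditing and command-line logging are enabled, so check that audit policy before relying on the first rule.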
How to stop Clop
In this scenario, neutralizing the Clop threat requires security teams to gain granular insight into how their AD setup works. By removing domain privileges from accounts that don't need them, enforcing the principle of least privilege, they reduce the attack surface significantly. Next, restrict the common pathways such an attack relies on, including WinRM, NetBIOS and SMB. Domain controllers must still serve these protocols to every member system, so the restrictions should target peer-to-peer traffic between workstations and servers rather than traffic to the domain controllers themselves.
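The two steps just described (audit and trim domain-privileged accounts, then restrict WinRM, NetBIOS and SMB) can be expressed per host with the ActiveDirectory RSAT module and the Windows Firewall cmdlets. The script below is an added example, not code from the Illumio article or an Illumio product, and it covers RPC/DCOM port 135 as well because the WMI execution described earlier depends on it. The group names are AD built-ins; the management subnet, domain controller addresses and the svc-backup account name are assumptions for illustration. Run it with -WhatIf first, from a console session, on a member server or workstation, never on a domain controller.

```powershell
# Added example (not from the Illumio article): per-host least-privilege audit and
# firewall restriction for the lateral-movement protocols named in the text.

function Get-DomainPrivilegedMembers {
    # Lists users holding domain-level privilege, expanding nested groups, and marks
    # the ones a least-privilege review should question first.
    param(
        [string[]]$Groups = @('Domain Admins', 'Enterprise Admins', 'Schema Admins', 'Administrators',
                              'Account Operators', 'Backup Operators', 'Server Operators'),
        [int]$StaleDays = 90
    )
    Import-Module ActiveDirectory -ErrorAction Stop
    $staleBefore = (Get-Date).AddDays(-$StaleDays)
    foreach ($g in $Groups) {
        # -Recursive matters: privilege usually hides inside nested groups.
        Get-ADGroupMember -Identity $g -Recursive -ErrorAction SilentlyContinue |
            Where-Object objectClass -eq 'user' |
            Get-ADUser -Properties LastLogonDate |
            Select-Object @{ n = 'Group'; e = { $g } }, SamAccountName, Enabled, LastLogonDate,
                @{ n = 'ReviewReason'; e = {
                    if (-not $_.Enabled) { 'disabled' }
                    elseif (-not $_.LastLogonDate -or $_.LastLogonDate -lt $staleBefore) { 'stale' }
                    else { '' } } }
    }
}

function Set-LateralMovementFirewallPolicy {
    # Windows Firewall ranks Block rules above Allow rules, so a blanket Block on
    # port 445 would also defeat a scoped Allow. Instead: make the profile's default
    # inbound action Block, disable the built-in wide-open Allow rules for these
    # services, and add narrow Allow rules for the management subnet and DCs.
    param(
        [string[]]$AllowedSources = @('10.0.250.0/24', '10.0.0.10', '10.0.0.11'),  # assumed values
        [switch]$WhatIf
    )
    Set-NetFirewallProfile -Profile Domain -DefaultInboundAction Block -WhatIf:$WhatIf
    foreach ($group in 'File and Printer Sharing', 'Windows Remote Management',
                       'Windows Management Instrumentation (WMI)') {
        Get-NetFirewallRule -DisplayGroup $group -Direction Inbound -ErrorAction SilentlyContinue |
            Disable-NetFirewallRule -WhatIf:$WhatIf
    }
    $services = @(
        @{ Name = 'WinRM';       Protocol = 'TCP'; Port = @('5985', '5986') }
        @{ Name = 'SMB';         Protocol = 'TCP'; Port = @('445') }
        @{ Name = 'NetBIOS-TCP'; Protocol = 'TCP'; Port = @('139') }
        @{ Name = 'NetBIOS-UDP'; Protocol = 'UDP'; Port = @('137', '138') }
        @{ Name = 'RPC-DCOM';    Protocol = 'TCP'; Port = @('135') }   # endpoint mapper used by WMI
    )
    foreach ($s in $services) {
        New-NetFirewallRule -DisplayName "Mgmt-only $($s.Name)" -Direction Inbound -Action Allow `
            -Profile Domain -Protocol $s.Protocol -LocalPort $s.Port `
            -RemoteAddress $AllowedSources -WhatIf:$WhatIf | Out-Null
    }
}

# Step 1: review, then remove privilege from accounts that do not need it.
Get-DomainPrivilegedMembers | Where-Object ReviewReason | Format-Table -AutoSize
Remove-ADGroupMember -Identity 'Domain Admins' -Members 'svc-backup' -WhatIf   # assumed account

# Step 2: restrict the lateral-movement pathways on this host.
Set-LateralMovementFirewallPolicy -WhatIf
```

Disabling the WMI display group rather than only blocking port 135 is deliberate: DCOM negotiates a dynamic high port after the endpoint mapper exchange, and that traffic is what the group's WMI-In rule admits. Applying this rule set to every host by hand is where it stops scaling, which is the gap the segmentation approach discussed next is meant to close.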
How Illumio can help
Illumio helps some of the world’s largest organizations to thwart attacks from Clop and any other ransomware group. We do this by providing streamlined, scalable policy management to help enforce Zero Trust segmentation.
With Illumio, you can understand in real time how network assets communicate with each other and out to the public internet. Then you can make strategic decisions about which pathways to keep open and which to block — reducing the attack surface and leaving the bad guys with no good options.
In short, Illumio can help to stop Clop ransomware by:
- Mapping all Active Directory instances and connections
- Identifying essential inbound/outbound connections
- Rapidly deploying policy to restrict non-essential communications at scale, and monitoring any pathways that have been left open
Like most groups, Clop is resilient. Just days after a major law enforcement crackdown led to arrests, it was back up and compromising victims. The only way to tackle this kind of persistence is with sophisticated Zero Trust segmentation from Illumio.
To read more about how Illumio helps mitigate ransomware risk, check out our ebook, How to Stop Ransomware Attacks.