Ransomware Containment

How to Stop the Clop Ransomware Attacks With Illumio

The ransomware landscape is a complex, volatile space. Variants come and go, developers borrow and steal from each other, and affiliates add their own bespoke customizations. This can make it difficult to know who or what exactly you’re dealing with when a breach strikes. It can also make two separate attacks from nominally the same collective potentially very different from each other.

Despite all this complexity and change, one constant over recent years has been the Clop group. It has compromised organizations as diverse as global law firms and aircraft manufacturers, accruing hundreds of millions of dollars in the process.

Fortunately for Illumio customers, we can stop Clop attacks from turning into cyber disasters. It all boils down to understanding how critical network assets communicate with each other and then blocking non-essential connections at scale.

What’s Clop all about?

Clop is one of the wealthiest ransomware groups around. Reports say money launderers connected with the outfit have tried to conceal at least $500 million. The real figure for revenues from ransomware is certain to be way higher. The malware first appeared in 2019, a variant of a previous strain known as CryptoMix. Over the succeeding years, it was set to work targeting sectors as diverse as transportation and logistics, education, manufacturing, healthcare and retail.

Clop has been associated with multiple initial access vectors in the past — from direct phishing attacks to zero-day exploits targeting a single file transfer software provider. The latter technique, highly unusual in the ransomware space, garnered the group global notoriety and many corporate victims.

One common thread linking most of these attacks is that of "double extortion." Now commonplace among ransomware actors, it was popularized by groups like Clop. In such an attack, victim organizations not only find their most sensitive data and systems encrypted, but they might also suffer a serious data breach. It effectively raises the stakes for corporate victims. You might have backups for the encrypted data. But if the bad guys have stolen sensitive IP or highly regulated customer data, that’s going to change any risk calculation significantly.

How does Clop work?

While there’s plenty of variation in Clop attacks, one particular pattern is instructive in the modus operandi of affiliates. It exploits misconfigured Active Directory (AD) systems to compromise AD accounts that hold domain privileges. This provides attackers with the keys to the kingdom, enabling them to:

  • Execute remote commands, such as WMI calls and PowerShell scripts, on the compromised endpoint and any other systems connected to it via AD.
  • Maintain persistence on a compromised system by creating new accounts, or creating/modifying system processes. Threat actors could also execute commands or initialize scripts automatically on boot up or log on — on any networked asset connected via AD.

With these tools in their arsenal, Clop attackers can move fairly easily through compromised organizations, deploying the ransomware and finding and exfiltrating sensitive data. To do so they must connect to the public internet, both to download additional tooling and to upload the stolen data.

How to stop Clop

In this scenario, neutralizing the Clop threat requires security teams to gain granular insight into how their AD setup works. By removing domain privilege access from accounts that don’t need it — i.e., enforcing “least privilege” principles — they can reduce the attack surface significantly. Next, restrict the common pathways such an attack might look to exploit, including WinRM, NetBIOS and SMB.

How Illumio can help

Illumio helps some of the world’s largest organizations to thwart attacks from Clop and any other ransomware group. We do this by providing streamlined, scalable policy management to help enforce Zero Trust segmentation.

With Illumio, you can understand in real time how network assets communicate with each other and out to the public internet. Then you can make strategic decisions about which pathways to keep open and which to block — reducing the attack surface and leaving the bad guys with no good options.

In short, Illumio can help to stop Clop ransomware by:

  • Mapping all Active Directory instances and connections
  • Identifying essential inbound/outbound connections
  • Rapidly deploying policy to restrict non-essential communications at scale, and monitoring any pathways that have been left open
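The three steps above, together with the earlier advice to restrict WinRM, NetBIOS and SMB, as an added example that is not Illumio's code: it takes a constructed flow map and role inventory (every address and role label is hypothetical) and sorts the observed lateral-movement flows into allow rules to deploy, flows to block, and essential pathways that stay open and should be monitored.

```python
# Added illustration, not Illumio code: turn an observed-flow map into an
# allow-list policy for the pathways the article names (WinRM, NetBIOS, SMB).

# Ports the article calls out as Clop's common lateral-movement pathways.
LATERAL_PORTS = {5985: "WinRM", 5986: "WinRM", 137: "NetBIOS", 138: "NetBIOS",
                 139: "NetBIOS", 445: "SMB"}

# Constructed asset inventory: address -> role label (hypothetical addresses).
ROLES = {
    "10.1.0.10": "workstation", "10.1.0.11": "workstation",
    "10.1.0.5": "file-server", "10.1.0.2": "domain-controller",
    "10.9.0.2": "jump-host",
}

# Essential pathways the asset owners confirmed: (src_role, dst_role, port).
ESSENTIAL = {
    ("workstation", "file-server", 445),        # users need the file share
    ("workstation", "domain-controller", 445),  # SYSVOL / group policy
    ("jump-host", "file-server", 5985),         # admins manage via WinRM
    ("jump-host", "domain-controller", 5985),
}

# Constructed flow records observed over a sample window: (src, dst, dst_port).
FLOWS = [
    ("10.1.0.10", "10.1.0.5", 445),
    ("10.1.0.11", "10.1.0.2", 445),
    ("10.9.0.2", "10.1.0.2", 5985),
    ("10.1.0.10", "10.1.0.11", 445),   # workstation-to-workstation SMB
    ("10.1.0.10", "10.1.0.11", 5985),  # workstation-to-workstation WinRM
    ("10.1.0.11", "10.1.0.2", 139),    # legacy NetBIOS session to the DC
    ("10.1.0.10", "10.1.0.5", 443),    # HTTPS: not a lateral port, out of scope
]

def build_policy(flows, roles, essential):
    """Return (allow, deny, monitor).

    allow:   set of (src_role, dst_role, service) rules to deploy
    deny:    observed lateral-port flows that matched no essential pathway
    monitor: essential lateral-port pathways left open, to be watched
    """
    allow, deny = set(), []
    for src, dst, port in flows:
        if port not in LATERAL_PORTS:
            continue  # only the article's lateral-movement services are in scope
        key = (roles.get(src, "unknown"), roles.get(dst, "unknown"), port)
        if key in essential:
            allow.add((key[0], key[1], LATERAL_PORTS[port]))
        else:
            deny.append((src, dst, LATERAL_PORTS[port]))
    monitor = sorted((s, d, LATERAL_PORTS[p]) for s, d, p in essential
                     if p in LATERAL_PORTS)
    return allow, deny, monitor
```

Unknown addresses fall into the "unknown" role and therefore never match an essential pathway, so a flow from an unmapped host is reported for blocking rather than silently allowed.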

Like most groups, Clop is resilient. Just days after a major law enforcement crackdown led to arrests, it was back up and compromising victims. The only way to tackle this kind of persistence is with sophisticated Zero Trust segmentation from Illumio.

To read more about how Illumio helps contain ransomware attacks, contact us today.
