The article analyzes how the CL0P ransomware group shifted from traditional leak sites to distributing stolen data via torrents, revealing their seed infrastructure and tradecraft. It also shows how defenders can glean insights by mapping seeders and peers, and highlights protections from Palo Alto Networks. #CL0P #MOVEitTransfer #Tor #Torrenting #Seeders #Unit42
Key points
- CL0P began distributing stolen data through torrent technology to speed data downloads for victims and researchers alike.
- The leak strategy evolved from onion-based leaks to magnet links and BitTorrent-like dissemination, enabling faster global access.
- The author identifies multiple seed groups and five highly probable original seeders using cross-torrent peer analysis and client strings.
- Common torrent clients (Transmission, qBittorrent, µTorrent) dominate the observed seeding activity, with patterns linking hosts and victims.
- The research highlights pre-staging of data on seed boxes, with SSH and FTP activity preceding the torrent launch.
- Palo Alto Networks provides protections (Cortex XDR/XSIAM, Cortex Xpanse) and incident response support for MOVEit-related activity.
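The seeder identification described above (cross-torrent peer analysis plus client strings) can be reproduced by a defender over their own peer observations. The following is an added example, not code from the article or from Unit 42; the observation rows are constructed sample data using documentation-range IP addresses, and the 30-minute "early" window is an assumed threshold:

```python
# Added example: cross-torrent peer analysis over constructed observations.
# Peers that seed every torrent within minutes of its launch, with a stable
# client string, are the most probable original seeders; peers that arrive
# hours later are downloaders that turned into seeders.
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample data (RFC 5737 documentation IPs, not real indicators):
# (torrent, peer IP, client string, first time the peer was seen seeding).
OBSERVATIONS = [
    ("victim-a", "192.0.2.10", "Transmission 3.00", "2023-08-15T00:05:00"),
    ("victim-a", "192.0.2.11", "qBittorrent 4.5.4", "2023-08-15T00:06:00"),
    ("victim-a", "198.51.100.7", "qBittorrent 4.5.4", "2023-08-15T09:30:00"),
    ("victim-b", "192.0.2.10", "Transmission 3.00", "2023-08-15T00:05:00"),
    ("victim-b", "192.0.2.11", "qBittorrent 4.5.4", "2023-08-15T00:07:00"),
    ("victim-b", "203.0.113.3", "uTorrent 3.6", "2023-08-16T12:00:00"),
    ("victim-c", "192.0.2.10", "Transmission 3.00", "2023-08-15T00:04:00"),
    ("victim-c", "198.51.100.7", "qBittorrent 4.5.4", "2023-08-15T11:00:00"),
]


def probable_original_seeders(observations, min_torrents=None,
                              early_window=timedelta(minutes=30)):
    """Return (ip, client_strings, torrent_count) for peers that were seeding
    at least min_torrents torrents (default: every torrent in the data set)
    within early_window of each torrent's first sighting."""
    launch = {}                   # torrent -> earliest first-seen across all peers
    by_peer = defaultdict(dict)   # ip -> {torrent: first_seen}
    clients = defaultdict(set)    # ip -> client strings advertised by that peer
    for torrent, ip, client, seen in observations:
        ts = datetime.fromisoformat(seen)
        launch[torrent] = min(launch.get(torrent, ts), ts)
        by_peer[ip][torrent] = min(by_peer[ip].get(torrent, ts), ts)
        clients[ip].add(client)

    needed = len(launch) if min_torrents is None else min_torrents
    result = []
    for ip, seen_on in by_peer.items():
        if len(seen_on) < needed:
            continue
        # An original seeder is present from the launch of every torrent it
        # joins; one late arrival on any torrent marks a downloader-turned-seeder.
        if all(ts - launch[t] <= early_window for t, ts in seen_on.items()):
            result.append((ip, "/".join(sorted(clients[ip])), len(seen_on)))
    # Most widely present seeders first, then by address for stable output.
    return sorted(result, key=lambda r: (-r[2], r[0]))


if __name__ == "__main__":
    for ip, client, count in probable_original_seeders(OBSERVATIONS):
        print(f"{ip:15} {client:20} seeds {count} torrent(s) from launch")
```

Lowering min_torrents widens the net to seed groups that only serve a subset of victims, which is how the article's multiple seed groups would surface alongside the handful of seeders common to every torrent.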
MITRE Techniques
- [T1190] Exploit Public-Facing Application: The MOVEit zero-day vulnerability leveraged by CL0P to compromise systems. Supporting quote: "At the end of May 2023, a software product by Progress called MOVEit was the target of a zero-day vulnerability leveraged by the CL0P ransomware group."
- [T1090] Proxy: Use of Tor onion services to publish leaked data and remain anonymous. Supporting quote: "The data is then posted on a 'leak site,' as shown in Figure 1, which is served via the Onion router (Tor) network."
- [T1021.004] SSH: Observed SSH services becoming available on victim seed servers, indicating remote access possibilities. Supporting quote: "SSH ports stopped responding on Aug. 6, 2023, and FTP ports started responding on Aug. 7, 2023."
- [T1021.003] FTP: Use of FTP to transfer stolen data to seed boxes. Supporting quote: "The servers are running vsFTPd 3.0.3 ... OpenSSH_8.4p1."
- [T1041] Exfiltration: Exfiltration of stolen data via leak sites and torrents to external recipients. Supporting quote: "As of Aug. 15, 2023, they will begin publishing the stolen data through a number of new methods, including torrents."
Indicators of Compromise
- [IOC Type] IP Address: 81.19.135.21, 81.19.135.25, and other seeds observed; context: seed group infrastructure and seeding activity.
- [IOC Type] IP Address: 95.215.0.76 and related seeds; context: hosting seed server in Saint Petersburg region.
- [IOC Type] Domain/Hostname: 44102.example.ru, 14868.example.ru, 33916.example.ru; context: TLS certificates used on seed boxes.
- [IOC Type] Domain/Hosting: pindc.ru (PIN Datacenter hosting); context: hosting provider for seed servers.
- [IOC Type] Magnet Link / Torrent: magnet URIs used to bootstrap torrent data distribution; context: torrent-based data publication.
Read more: https://unit42.paloaltonetworks.com/cl0p-group-distributes-ransomware-data-with-torrents/