FortiGuard Labs reviews the Cl0p ransomware group’s activities, noting a shift from encrypting victim data to data exfiltration and extortion, often tied to high-profile vulnerabilities like MOVEit Transfer (CVE-2023-34362). The report also highlights the group’s evolution, prevalence across sectors and regions, and common indicators such as specific file extensions and ransom notes, alongside defensive guidance and Fortinet solutions. #Cl0p #FIN11 #MOVEitTransfer #CVE-2023-34362 #CobaltStrike #DEWMODE #LEMURLOOT #SDBot #FlawedAmmyy #Cl0pLeaks
Key points
- The Cl0p ransomware group has been active since 2019 and is linked to FIN11 (aka TA505/Snakefly), targeting North America and Europe.
- The group is now associated with data exfiltration and extortion, sometimes without deploying the encryptor, and has set up a TOR-based leak site (CL0P^-LEAKS).
MITRE Techniques
- [T1190] Exploit Public-Facing Application – Used MOVEit Transfer vulnerability to gain initial entry. ‘leveraged the MOVEit Transfer SQL injection vulnerability (CVE-2023-34362) to gain initial entry to victim networks.’
- [T1566.001] Spearphishing via Email – FIN11 is known to use spear-phishing to target victims. ‘FIN11 is also known to use spear-phishing to target victims.’
- [T1505.003] Web Shell – Deployment of web shells such as DEWMODE and LEMURLOOT. ‘web shells such as DEWMODE and LEMURLOOT’
- [T1588.002] Obtain Capabilities: Tool – Uses the Cobalt Strike post-exploitation tool alongside other tooling (DEWMODE, LEMURLOOT, SDBot, FlawedAmmyy RAT) to conduct operations. ‘The Cl0p threat actor is also associated with the use of the Cobalt Strike post-exploitation tool, web shells such as DEWMODE and LEMURLOOT, SDBot, and the FlawedAmmyy remote access trojan (RAT).’
- [T1041] Exfiltration Over C2 Channel – Exfiltrates victim data and extorts victims under threat of publishing it on the leak site; the report does not specify the exfiltration channel, so this technique mapping should be treated as provisional. ‘exfiltrated data from victims and threatened them with ransom in exchange for not exposing the stolen information.’
- [T1486] Data Encrypted for Impact – Encrypts victims’ files and demands ransom for decryption; in the MOVEit Transfer campaign the encryptor was often not deployed at all, and extortion rested on the stolen data alone. ‘Encrypts and exfiltrates victims’ files and demands ransom for file decryption and not to leak stolen files.’
Indicators of Compromise
- [SHA-256] Cl0p ransomware – 3320f11728458d01eef62e10e48897ec1c2277c1fe1aa2d471a16b4dccfc1207, d0cde86d47219e9c56b717f55dcdb01b0566344c13aa671613598cab427345b9, and 7 more hashes
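The two SHA-256 values listed above are the kind of atomic indicator that gets dropped straight into a scan. The following is an added example, not code from the FortiGuard report or from Fortinet, that hashes every file under a directory tree and reports those matching the listed hashes; the remaining seven hashes the report mentions are not reproduced on this page, so only the two shown are included. The `demo()` helper writes a constructed, benign sample file to a temporary directory and checks it against its own hash so the scanner can be exercised offline; that sample and the `CL0P_SHA256` set name are assumptions of this example.

```python
import hashlib
import tempfile
from pathlib import Path

# SHA-256 IoCs quoted on this page from the FortiGuard Cl0p roundup.
# The report lists seven more that are not reproduced here.
CL0P_SHA256 = {
    "3320f11728458d01eef62e10e48897ec1c2277c1fe1aa2d471a16b4dccfc1207",
    "d0cde86d47219e9c56b717f55dcdb01b0566344c13aa671613598cab427345b9",
}


def sha256_bytes(data: bytes) -> str:
    """Hex SHA-256 of an in-memory buffer (used for constructed test data)."""
    return hashlib.sha256(data).hexdigest()


def sha256_file(path: Path, chunk: int = 1 << 20) -> str:
    """Hex SHA-256 of a file, read in 1 MiB chunks so large samples do not
    need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def scan_tree(root, iocs=None):
    """Walk `root` recursively and return [(path, sha256)] for every regular
    file whose hash is in `iocs` (defaults to the Cl0p hashes above).
    Unreadable files are skipped rather than aborting the scan."""
    iocs = CL0P_SHA256 if iocs is None else iocs
    hits = []
    for p in Path(root).rglob("*"):
        if not p.is_file():
            continue
        try:
            digest = sha256_file(p)
        except OSError:
            continue
        if digest in iocs:
            hits.append((str(p), digest))
    return hits


def demo():
    """Offline self-check with a constructed benign sample (not malware).

    Returns (hits_with_sample_hash, hits_against_cl0p_only): the first scan
    adds the sample's own hash to the IoC set and must find it; the second
    uses only the Cl0p hashes and must find nothing."""
    sample_bytes = b"constructed benign sample for scanner demo"
    with tempfile.TemporaryDirectory() as d:
        (Path(d) / "sample.bin").write_bytes(sample_bytes)
        hits = scan_tree(d, iocs=CL0P_SHA256 | {sha256_bytes(sample_bytes)})
        clean = scan_tree(d)
    return hits, clean


if __name__ == "__main__":
    found, none = demo()
    print("matched:", found)
    print("cl0p-only matches on benign sample:", none)
```

Treat a hash match as a high-confidence but narrow signal: a rebuilt or repacked encryptor produces a different SHA-256, so pair this with the behavioural indicators the report describes (web shells on the MOVEit Transfer host, Cobalt Strike activity, unusual outbound transfer volumes) rather than relying on hashes alone.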
Read more: https://www.fortinet.com/blog/threat-research/ransomware-roundup-cl0p