Skip to main content

In recent years cl0p ransomware has become a major cybersecurity threat, causing significant damages for a wide range of organizations and industries across the world. While cl0p virus attacks generally operate in a similar manner as other ransomware attacks, there are some specific differences.

But what exactly is ransomware cl0p and how do these attacks work? And, perhaps more pertinently, what can organizations do to minimize the chances of falling victim to these attacks which can have significant financial repercussions?

A Short History of CL0P Ransomware

Cl0p—sometimes written as cl0p, with the zero numeral—is a type of ransomware or extortionist malware. Though not exactly the same as CryptoMix, cl0p ransomware is believed to have been modeled on this malware that predates it. Now, though, the trojan has gone through several iterations and new versions quickly replace previous ones.

Cl0p was discovered by security researchers in February 2019 in the wake of a major spear-phishing attack. It was—and continues to be—a major cybersecurity threat to all types of businesses and organizations because of the way it corrupts files on the victims’ devices and extorts financial payments. In fact, it is believed that using their specific malware, the cl0p ransomware group has extorted money from global energy conglomerates, several major universities, the BBC, British Airways, and various government agencies.

In 2020, the cl0p ransomware group carried out an attack to exploit vulnerabilities in the Kiteworks (formerly Accellion) private content network to target the platform’s clients and infiltrate their networks.—though, the clop malware itself was not deployed in this attack. At the same time, the originators of the cl0p trojan launched a double extortion scheme, leaking the data stolen from a pharmaceutical company in a massively destructive attack.

This was followed in 2021 by attacks on SolarWinds, a software company offering IT management to various businesses, and Swire Pacific Offshore, a Singapore-based marine services provider.

In 2023, Clop's activity surged compared to previous years. From January to June 2023, the trojan was used to attack victims across various industries, with business services leading, followed by software and finance. Many of the victims were in North America and Europe, with the U.S. experiencing the highest number of attacks by a significant margin.

The scale of the attack was significant, with over 2,000 organizations reporting incidents, impacting more than 62 million individuals whose data was leaked, predominantly in the United States.

The series of ransomware attacks by the Cl0p group through the MOVEit file transfer software vulnerability (CVE-2023-34362) reached its peak: the attackers claimed to have breached hundreds of companies and issued an ultimatum until June 14. The zero-day allowed the mass download of organizations' data, including various confidential information. American law enforcement authorities decided to offer a reward of $10 million for information regarding Cl0p.

What is Cl0p?

So, what is cl0p? Cl0p ransomware analysis shows that it is a variation of the CryptoMix ransomware. Like the malware on which it is based, the cl0p virus infects the targeted device. However, in this case, the ransomware renames all files with the .cl0p extension and ,encrypts them and rendering them unusable.

To effectively carry out its attacks, cl0p ransomware conforms to the Win32 PE (Portable Executable) format of executable files. Crucially, researchers have discovered cl0p virus executables with verified signatures which give it a legitimate appearance and help the malware evade detection by security software. Cl0p then encrypts files with the RS4 stream ciper and then uses RSA 1024 to encrypt the RC4 keys. All files on a device are at risk during this type of ransomware infection, including images, videos, music, and documents.

After encrypting the files, the cl0p virus issues a ransom from the attacker to the victim. If this ransom is not paid, then the attacker threatens to leak the data from these files. This is what is known as “double extortion” because of the dual-layer tactic of rendering the victim’s files and threatening to leak the data publicly. Victims are usually instructed to pay the ransom with Bitcoin or another cryptocurrency.

Who is behind cl0p ransomware?

But who is cl0p ransomware? Cl0p ransomware is believed to have been developed by a Russian-speaking ransomware-as-a-service cybercriminal group that is primarily motivated by financial gain. The group is usually known as TA505, though this is often used interchangeably with the name FIN11. However, it is not entirely clear whether they are the same group, or whether FIN11 is a subset of TA505.

Whichever name they go by, this cl0p ransomware gang operates its product on the Ransomware-as-a-Service model. As such, the cl0p virus is available for sale on the dark web and can technically be used by any cybercriminal who is willing to pay for the ransomware.

Cl0p ransomware: How it Works

The cl0p ransomware group essentially perpetrates its attacks as a multiple-step process. These are:

  1. The attackers use the malware to gain access to the targeted device using various methods.
  2. They then manually conduct reconnaissance on the device and steal the data they want.
  3. At this point, they launch the encryptor to locks files on the targeted device by changing their extension, rendering them unusable. More recently, as in the case of the 2023 attacks through file transfer software MOVEit, data has been stolen without files being encrypted.
  4. When the victim tries to open one of the encrypted files, they receive a ransom note with instructions on how to make the payment.
  5. The attacker uses “double extortion”, threatening to leak data stolen from the victim’s device if the ransom is not paid.
  6. If the ransom is paid, the victim receives a decryption key which restores the files on their device.

Attackers use various methods to deliver the cl0p ransomware to targeted devices. These might include:

  • Phishing (using social engineering techniques)
  • Exploiting software vulnerabilities
  • Infected email attachments and links
  • Infected websites
  • Compromising of the external remote services

Whichever method they choose to deliver the cl0p trojan to the targeted device, the resulting attack operates in essentially the same way. The aim is always to receive a ransom payment from the victim. However, in many cases, the attacker takes the payment and becomes non-responsive. In these instances, the victim does not receive the decryption key and cannot regain access to their files.

Preventing CL0P Ransomware

It is crucial for all device users to follow basic computer safety provisions to avoid a cl0p infection. In general, these are the same principles that apply to preventing all types of cyberattacks, such as:

  • Include malware threats in organizational security awareness training to ensure employees stay up to date on the latest threats and preventative measures – Kaspersky Automated Security Awareness Platform can be a useful tool.
  • Protect company data, including limiting access controls.
  • Do not access remote desktop services using public networks – if necessary, use strong passwords for these services.
  • Always backup data and store it in a separate location, such as on cloud storage or external drives in back offices.
  • Keep all software and applications, including operating systems and server software, up to date to ensure the latest security patches are installed—it is especially important to immediately install patches for commercial VPN solutions that allow employees to remotely access organizational networks; automated updates and installations scheduled during non-office hours can be useful here.
  • Stay up to date on the latest threat intelligence reports.
  • Use software solutions like Kaspersky Endpoint Detection or Kaspersky Managed Detection and Response Service for early threat detection to identify and stop attacks in the early stages.
  • Use trustworthy endpoint security solutions - Kaspersky Endpoint Security for Business incorporates exploit prevention, behavior detection using AI and expert threat intelligence, reduction of attack surfaces, and a remediation engine that can undo malicious actions.

Dealing with the CL0P Ransomware virus

Once a device is infected with the cl0p virus, there is unfortunately very little that can be done to regain access to its files. As with any type of ransomware attack, the general advice is to not pay the requested ransom. This is because the attackers often do not provide the decryption key after receiving the ransom payment. Even if they do, the success of the attack gives them the confidence and encouragement to continue these attacks on other unsuspecting victims.

Instead of paying the ransom, it is usually best to contact the authorities to report the attack and begin an investigation. It is also possible to use one of the many widely available software to scan the device and remove the CL0P ransomware. However, this does not restore files that were encrypted during the attack. As such, it is important to create regular backups and store them in a separate location – such as an external drive or on the Cloud – so that they are still available in case of an attack.

Caution is always essential when it comes to your computer safety. It is important to pay attention when browsing the internet and downloading, installing, and updating software.

The Threat of Cl0p

Cl0p ransomware, like other types of viruses and malware, is a persistent cybersecurity threat in a society that is now largely digital. The cl0p virus is one very specific threat in a superfluity of extortionary malware, but one that is of particular concern to businesses and organizations. While it may have severe implications for its victims, there are some preventative measures and safeguards that can be implemented to try and minimize the risk of attacks from cl0p or mitigate the effects in case of an attack.

Related articles:

Related products and services:

CL0P Ransomware: What is it and how does it work?

Minimize the threat of cl0p ransomware by learning how it works and how to prevent these attacks. Find out more on the Kaspersky Resource Center.
Kaspersky Logo