What did Clop ransomware do?

Clop (also written Cl0p) is ransomware that encrypts files on compromised Windows systems and demands a cryptocurrency payment for the decryption key; since 2020 its operators have also stolen data before encrypting and threatened to publish it on a leak site. First observed in February 2019 as a variant of the CryptoMix family, Clop has been used against organizations worldwide in manufacturing, finance, education, healthcare, retail and government. Its operators are linked to the financially motivated group tracked as TA505 (also known as FIN11), and their 2023 mass exploitation of file-transfer software made Clop one of the most prolific extortion operations active.

History and Development

Clop was first identified by researchers in February 2019 as a new variant of the CryptoMix ransomware family. The name comes from the extension it appends to encrypted files (.Clop, in some samples rendered .CIop with a capital i) and from its ransom note, ClopReadMe.txt. Unlike the earlier CryptoMix variants aimed at individuals, Clop was built for “big game hunting”: it was deployed by hand across corporate networks after an intrusion, against organizations large enough to pay six- or seven-figure ransoms.

The operators put effort into staying undetected until encryption was under way. Early Clop binaries were signed with valid code-signing certificates so that they passed as legitimate software, and the malware checked the keyboard layout and refused to run on systems configured for Russian and several neighbouring languages. Before encrypting, a batch script stopped security- and backup-related services, deleted volume shadow copies with vssadmin, and disabled Windows recovery options with bcdedit, so victims could not roll back from local snapshots; Clop also terminated a long list of processes (databases, Office applications, security tools) so that their open files could be encrypted. Initial access came mostly from TA505’s large spear-phishing campaigns: emails with malicious Office attachments that installed a loader (Get2) and a remote access tool such as SDBbot or FlawedAmmyy, after which the operators moved laterally and pushed Clop across the domain. Compromised Remote Desktop Protocol (RDP) credentials were a secondary route.
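The backup-destruction step described above is one of the few points in a Clop intrusion where a defender still has time to act: the commands run before encryption starts and are noisy in process-creation telemetry. The script below is an added example written for this article, not Clop’s code and not a vendor detection rule. It parses constructed Sysmon-style process-creation records in a key=value export format (the field names host, user, parent and cmdline, and the backup-agent allowlist path, are assumptions; adapt them to your SIEM), undoes simple cmd.exe caret and quote obfuscation, and flags vssadmin, wmic, wbadmin, bcdedit and PowerShell WMI commands that delete shadow copies or disable recovery. These patterns are shared by many ransomware families, not unique to Clop.

```python
"""Flag backup-destruction commands (shadow-copy deletion, recovery tampering)
in Windows process-creation telemetry.

Example added for this article; not Clop's code and not a vendor detection.
Input format, field names and the backup-agent allowlist are assumptions.
"""
import re
from dataclasses import dataclass

# Rules applied to the normalised (lower-cased, de-obfuscated) command line.
RULES = [
    ("shadow_copy_delete_vssadmin",
     re.compile(r"\bvssadmin(\.exe)?\b.*\bdelete\s+shadows\b")),
    ("shadow_storage_resize",  # shrinking shadow storage purges snapshots too
     re.compile(r"\bvssadmin(\.exe)?\b.*\bresize\s+shadowstorage\b")),
    ("shadow_copy_delete_wmic",
     re.compile(r"\bwmic(\.exe)?\b.*\bshadowcopy\b.*\bdelete\b")),
    ("shadow_copy_delete_powershell",
     re.compile(r"\bwin32_shadowcopy\b.*\bdelete\b")),
    ("backup_catalog_delete",
     re.compile(r"\bwbadmin(\.exe)?\b.*\bdelete\s+(catalog|systemstatebackup)\b")),
    ("recovery_disabled_bcdedit",
     re.compile(r"\bbcdedit(\.exe)?\b.*\brecoveryenabled\s+no\b")),
    ("ignore_boot_failures_bcdedit",
     re.compile(r"\bbcdedit(\.exe)?\b.*\bbootstatuspolicy\s+ignoreallfailures\b")),
]

# Assumed parent images allowed to resize shadow storage (backup software does this).
BACKUP_AGENT_PARENTS = {r"c:\program files\backupvendor\agent.exe"}

KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')  # key=value or key="quoted value"


@dataclass
class Finding:
    timestamp: str
    host: str
    user: str
    rule: str
    cmdline: str


def parse_event(line: str) -> dict:
    """Parse '<timestamp> key=value key="quoted value" ...' into a dict."""
    ts, _, rest = line.strip().partition(" ")
    fields = {"timestamp": ts}
    for key, quoted, bare in KV_RE.findall(rest):
        fields[key] = quoted if quoted else bare
    return fields


def normalize_cmdline(cmd: str) -> str:
    """Undo cheap cmd.exe obfuscation (v^s^s^a^d^m^i^n, stray quotes) before matching."""
    cmd = cmd.replace("^", "").replace('"', "").replace("'", "")
    return re.sub(r"\s+", " ", cmd).strip().lower()


def match_rules(cmdline: str) -> list:
    """Return the names of all rules the command line triggers, in RULES order."""
    norm = normalize_cmdline(cmdline)
    return [name for name, rx in RULES if rx.search(norm)]


def scan(lines) -> list:
    """Run every record through the rules; suppress allowlisted backup-agent resizes."""
    findings = []
    for line in lines:
        ev = parse_event(line)
        cmd = ev.get("cmdline", "")
        parent = ev.get("parent", "").lower()
        for rule in match_rules(cmd):
            if rule == "shadow_storage_resize" and parent in BACKUP_AGENT_PARENTS:
                continue  # legitimate backup housekeeping, by assumption
            findings.append(Finding(ev["timestamp"], ev.get("host", "?"),
                                    ev.get("user", "?"), rule, cmd))
    return findings


# Constructed sample records (not real telemetry): one benign resize by a backup
# agent, one benign listing, then a pre-encryption batch sequence.
SAMPLE_EVENTS = [
    '2021-03-04T02:00:11Z host=FILESRV01 user=CORP\\svc_backup parent="C:\\Program Files\\BackupVendor\\agent.exe" cmdline="vssadmin resize shadowstorage /for=D: /on=D: /maxsize=20GB"',
    '2021-03-04T09:12:40Z host=FILESRV01 user=CORP\\jdoe parent=C:\\Windows\\System32\\cmd.exe cmdline="vssadmin list writers"',
    '2021-03-04T10:15:02Z host=FILESRV01 user=CORP\\jdoe parent=C:\\Windows\\System32\\cmd.exe cmdline="v^s^s^a^d^m^i^n Delete Shadows /all /quiet"',
    '2021-03-04T10:15:03Z host=FILESRV01 user=CORP\\jdoe parent=C:\\Windows\\System32\\cmd.exe cmdline="bcdedit /set {default} recoveryenabled No"',
    '2021-03-04T10:15:04Z host=FILESRV01 user=CORP\\jdoe parent=C:\\Windows\\System32\\cmd.exe cmdline="wbadmin DELETE SYSTEMSTATEBACKUP -keepVersions:0"',
    '2021-03-04T10:15:05Z host=FILESRV01 user=CORP\\jdoe parent=C:\\Windows\\System32\\cmd.exe cmdline="wmic.exe shadowcopy delete /nointeractive"',
    '2021-03-04T10:15:06Z host=FILESRV01 user=CORP\\jdoe parent=C:\\Windows\\System32\\cmd.exe cmdline="powershell -c Get-WmiObject Win32_Shadowcopy | ForEach-Object { $_.Delete() }"',
]

if __name__ == "__main__":
    for f in scan(SAMPLE_EVENTS):
        print(f"{f.timestamp} {f.host} {f.user} {f.rule}: {f.cmdline}")
```

Run against the constructed records, the benign resize is suppressed by the parent allowlist, the listing command matches nothing, and the five destructive commands each produce one finding. In practice, several of these rules firing on one host within a minute is a far stronger signal than any single hit, so correlate by host and time window rather than alerting on each line; the resize rule in particular needs the allowlist, since backup products issue it routinely.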

Over time the operation changed shape. In 2020 the group added a leak site, “CL0P^_- LEAKS”, and moved to double extortion, publishing stolen data of victims who did not pay. From late 2020 it increasingly skipped encryption altogether: the Accellion FTA campaign (December 2020 to early 2021), the Fortra GoAnywhere MFT campaign (January and February 2023, CVE-2023-0669) and the MOVEit Transfer campaign (from late May 2023, CVE-2023-34362) each exploited a zero-day in a widely used file-transfer product to steal data in bulk from dozens to hundreds of organizations at once, followed by extortion emails and leak-site postings. Ransom demands grew with target size, in some cases reaching tens of millions of dollars.

Attacks and Victims

Clop ransomware operators pursued a “big game hunting” strategy, targeting organizations large enough to pay substantial ransoms rather than any one sector; published victims include manufacturers, software and financial firms, universities, law firms, retailers and, in 2023, many government agencies and their contractors. While victims were spread worldwide, published cases cluster in the United States, Canada, Western Europe, South Korea and India.

Some well-documented Clop victims include:

– Universities: Maastricht University in the Netherlands was hit in December 2019 by TA505 using Clop, with most of its Windows servers encrypted over the Christmas holidays; it paid about 30 bitcoin (roughly €200,000 at the time) for the decryption key. In the 2021 Accellion FTA campaign, data from the University of Colorado and the University of Miami appeared on Clop’s leak site.

– Software and manufacturing firms: German enterprise software vendor Software AG was attacked in October 2020 and faced a demand reported at more than $20 million; when it did not pay, internal documents were published. Aircraft maker Bombardier had data published after the Accellion FTA campaign in early 2021.

– Financial and retail companies: Indian financial group Indiabulls (June 2020) and South Korean retailer E-Land (November 2020) were both extorted by Clop; the attackers claimed to have stolen millions of payment card records from E-Land. Other organizations whose data was published after the Accellion campaign include Qualys, law firm Jones Day, grocery chain Kroger, Shell, Singtel and Flagstar Bank.

– Healthcare and pharma: US pharmaceutical services company ExecuPharm had data leaked in 2020. The 2023 MOVEit campaign reached health data through third parties, such as government-services contractor Maximus, which reported that personal and health information of several million individuals had been exposed.

– Government agencies: victims of the 2023 MOVEit campaign included the US Department of Energy (through contractors), the Louisiana Office of Motor Vehicles, the Oregon Driver and Motor Vehicle Services and the government of Nova Scotia.

Counting victims precisely is impossible because many incidents go unreported, but the MOVEit campaign alone has been linked to more than 2,000 organizations, so the total over the group’s lifetime runs into the thousands.

Ransom Demands

In line with their “big game hunting” strategy, Clop operators made ransom demands that ran from the hundreds of thousands to tens of millions of dollars, scaled to the victim’s apparent revenue. Payment was demanded in Bitcoin, negotiated through a chat portal or e-mail address given in the ransom note.

Publicly documented Clop ransom demands are few, because most victims do not disclose the figure. Two that are well reported:

– about 30 bitcoin (roughly €200,000 at the time) from Maastricht University, which paid in December 2019
– more than $20 million from Software AG in October 2020, which did not pay and had data published

During the 2023 MOVEit campaign the group did not name a price up front; victims were told to contact the group by a deadline or be listed on the leak site, and incident-response firm Coveware estimated the campaign could bring in $75 to 100 million in total. These figures only reflect publicly reported cases; many organizations negotiate and pay without ever disclosing an incident.

Victim                  Date            Ransom demand                        Outcome
Maastricht University   December 2019   about 30 BTC (roughly €200,000)      Paid
Software AG             October 2020    more than $20 million                Not paid; data published

This table shows publicly reported ransom demands from two well-documented Clop incidents.

Impact of Attacks

Clop ransomware attacks often had devastating impacts on victim organizations, including:

– Disruption of IT systems and operations: Encryption brought day-to-day work to a halt. Maastricht University took nearly all of its systems offline over the holiday period, and Software AG reported disruption to internal systems and communications while it recovered.

– Data publication and data loss: Victims who did not pay saw stolen data posted on the CL0P^_- LEAKS site, an exposure that cannot be reversed. Where shadow copies and online backups had been destroyed before encryption, files without a decryption key were effectively lost.

– Reputational harm: Ransomware attacks carried publicity risks for victim organizations, harming consumer trust and investor confidence.

– High monetary costs: In addition to ransom payments, victims had to bear costs related to incident response, network rebuilding, lost revenue due to business interruption, and cyber insurance premium hikes.

– Compromise of sensitive data: In the encryption-era attacks, customer records, contracts and source code were stolen and leaked. In the 2023 MOVEit campaign the theft was the whole point: the exposed data was personal and financial information of tens of millions of individuals, much of it held by payroll providers and government contractors, so the affected people often had no direct relationship with the organization that was breached.

When Ukrainian police announced arrests in June 2021, they put the damage attributed to Clop at around $500 million. The MOVEit campaign alone later affected more than 2,000 organizations, so the overall toll is far higher and, given underreporting, not precisely known.

Law Enforcement Action Against Clop

In June 2021 a coordinated law enforcement operation disrupted part of Clop’s support network, but not its core:

– On 16 June 2021 the Cyber Police of Ukraine, working with South Korean and US law enforcement, searched 21 locations in and around Kyiv and detained six people accused of working with Clop, seizing computers, cars and about 5 million hryvnia in cash.

– South Korea’s involvement followed Clop’s November 2020 attack on retailer E-Land and extortion of other Korean companies; Interpol later described the arrests as part of its Operation Cyclone.

– Those detained were accused of deploying the malware and laundering ransom proceeds, rather than being the developers or leaders of the group, who are believed to operate from outside Ukraine’s reach.

– Clop’s leak site went quiet for only about a week. By late June 2021 it was posting new victims again, and the group went on to run the GoAnywhere MFT and MOVEit Transfer campaigns in 2023.

– The arrests raised the cost of cashing out ransoms, but they did not eliminate the operation, and no comparable action against its core has been made public.

The arrests were welcome news, but they showed the limits of action against affiliates when a group’s core sits beyond reach. New extortion campaigns continue to appear, and Clop’s 2023 operations showed that the exposed attack surface is often a third-party file-transfer appliance rather than the victim’s own network. Maintaining robust IT security, including prompt patching of internet-facing software, remains essential for organizations seeking to avoid becoming ransomware victims.

Conclusion

Since 2019 Clop has been used against organizations across many industries worldwide, first as hands-on encryption ransomware delivered through TA505’s phishing, then as a data-theft operation that exploited zero-days in Accellion FTA, GoAnywhere MFT and MOVEit Transfer to extort hundreds of organizations at once. Law enforcement action in 2021 disrupted affiliates but not the group, and the threat from Clop and similar actors remains high. Defenders should treat internet-facing file-transfer and remote-access software as a high-priority patching target, monitor for the pre-encryption steps Clop relies on (service stops, shadow copy deletion, recovery tampering), keep backups offline or immutable so that destroying local snapshots does not destroy the last copy, and limit how long sensitive data sits in transfer systems, since stolen data cannot be unstolen. With those controls, plus cooperation between victims and law enforcement, the damage from operations like Clop can be contained even when the operators cannot be arrested.