Where is CLOP ransomware located?

CLOP ransomware is a type of malware that encrypts files on infected computers and demands a ransom payment in order to decrypt them. It first emerged in early 2019 and has continued to evolve and spread globally since then.

What is CLOP ransomware?

CLOP is a form of ransomware that is used to extort money from victims by encrypting files on their systems and demanding payment in order to decrypt them. Some key characteristics of CLOP ransomware include:

  • Encrypts a wide variety of file types including documents, images, databases, archives, and more.
  • Appends the .CLOP extension to encrypted files.
  • Leaves ransom notes named “HOW TO BACK FILES.txt” or “HOW TO BACK FILES.html” containing payment instructions.
  • Demands payment in Bitcoin cryptocurrency.
  • Threatens to delete encryption keys and prevent file recovery if the ransom is not paid.
  • Is operated by a Russian cybercriminal group known as TA505 or Sodinokibi.

Where did CLOP ransomware originate?

CLOP ransomware is believed to have first appeared in February 2019, distributed by a malware spam campaign. Researchers have attributed it to a notorious Russian cybercrime group called TA505, also known as Sodinokibi. This group has been active since at least 2014 and has spread other major ransomware families like Locky and Dridex.

The CLOP ransomware is likely developed and operated out of Russia based on the following evidence:

  • TA505/Sodinokibi is known to recruit affiliates in underground Russian cybercrime forums.
  • Ransom note texts contain Russian words and terms.
  • Bitcoin wallets for ransom payments are often hosted on .ru domains.
  • Victims are disproportionately located in former Soviet states.

Though it originated in Russia, CLOP has been used to target organizations globally in more than 60 countries.

How does CLOP ransomware infect systems?

CLOP ransomware relies on various methods to infect targeted computer systems, including:

  • Phishing emails with malicious attachments like Office docs or archives containing malware installers.
  • Compromised Remote Desktop Protocol (RDP) credentials that grant access to internal networks.
  • Exploiting vulnerabilities in Internet-facing services like VPNs, web servers, or databases.
  • Leveraging malware droppers like Emotet, TrickBot, or Qakbot to distribute CLOP.
  • Purchasing access to already compromised devices via underground cybercrime forums and markets.

Once a system is infected, the ransomware encrypts files and displays ransom payment instructions. It attempts to disable security tools, delete Volume Shadow Copies, and take other steps to prevent file recovery.
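As an added illustration (not code from the original article), the following Python triage routine looks for the two kinds of host evidence described above: the file-level indicators named earlier (the .CLOP extension and the "HOW TO BACK FILES" ransom notes) and shadow-copy deletion in process command lines. The log records are constructed Sysmon-style samples, and the severity thresholds are assumptions chosen for the example.

```python
"""Triage constructed endpoint telemetry for the CLOP indicators named in the article."""
import re
from typing import Dict, List, Optional

# Ransom note names and extension quoted in the article (compared case-insensitively).
RANSOM_NOTES = {"how to back files.txt", "how to back files.html"}
ENCRYPTED_EXT = ".clop"

# Command lines that delete Volume Shadow Copies: standard detection signatures.
SHADOW_DELETE = re.compile(
    r"vssadmin(\.exe)?\s+delete\s+shadows|wmic(\.exe)?\s+shadowcopy\s+delete", re.I)

# Constructed sample events (hosts, paths and command lines are made up for this example).
SAMPLE_EVENTS: List[Dict[str, str]] = [
    {"host": "WS-01", "type": "process", "cmdline": "vssadmin.exe delete shadows /all /quiet"},
    {"host": "WS-01", "type": "file", "path": r"C:\Users\jdoe\Documents\report.docx.CLOP"},
    {"host": "WS-01", "type": "file", "path": r"C:\Users\jdoe\Documents\budget.xlsx.CLOP"},
    {"host": "WS-01", "type": "file", "path": r"C:\Users\jdoe\Documents\HOW TO BACK FILES.txt"},
    {"host": "WS-02", "type": "process", "cmdline": "notepad.exe C:\\temp\\notes.txt"},
    {"host": "WS-02", "type": "file", "path": r"C:\temp\notes.txt"},
    {"host": "SRV-03", "type": "file", "path": r"D:\shares\hr\payroll.csv.CLOP"},
]


def classify(event: Dict[str, str]) -> Optional[str]:
    """Return an alert label for one event, or None when nothing on the page's IoC list matches."""
    if event["type"] == "process":
        return "shadow_copy_deletion" if SHADOW_DELETE.search(event["cmdline"]) else None
    if event["type"] == "file":
        name = event["path"].rsplit("\\", 1)[-1].lower()  # Windows basename
        if name in RANSOM_NOTES:
            return "ransom_note_dropped"
        if name.endswith(ENCRYPTED_EXT):
            return "clop_extension_written"
    return None


def triage(events: List[Dict[str, str]]) -> Dict[str, str]:
    """Aggregate alerts per host; shadow-copy deletion together with file indicators is 'critical'."""
    per_host: Dict[str, Dict[str, int]] = {}
    for ev in events:
        label = classify(ev)
        if label:
            counts = per_host.setdefault(ev["host"], {})
            counts[label] = counts.get(label, 0) + 1
    verdicts: Dict[str, str] = {}
    for host, counts in per_host.items():
        file_hits = counts.get("ransom_note_dropped", 0) + counts.get("clop_extension_written", 0)
        shadow = counts.get("shadow_copy_deletion", 0)
        if shadow and file_hits:
            verdicts[host] = "critical"
        elif shadow or file_hits >= 3:
            verdicts[host] = "high"
        else:
            verdicts[host] = "medium"
    return verdicts
```

Feeding real EDR or Sysmon exports through the same functions only requires mapping their fields onto the host/type/path/cmdline keys used here.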

Notable CLOP ransomware campaigns

Some major ransomware attacks attributed to CLOP include:

  • Newfoundland and Labrador health care systems (2019) – Shut down health care IT systems across the Canadian province for several days.
  • Campari Group (2020) – The Italian beverage company suffered an attack impacting operations in Europe, the Americas, and Asia.
  • Atempo (2020) – The French data protection company had 3TB of data stolen and experienced major outages.
  • Indian Internet Service Providers (2021) – Multiple ISPs including Net4India and Trimax faced significant service disruptions.
  • Harris Federation (2021) – Dozens of schools across the UK were hit by an attack during the COVID-19 pandemic.

These and other cases demonstrate CLOP’s ability to infiltrate and paralyze large public and private sector organizations globally.

Where are CLOP ransomware attacks concentrated?

While CLOP has struck targets worldwide, it appears to be focused heavily on certain regions, industries, and organization types.

Regions

CLOP ransomware attacks have been concentrated in:

  • United States
  • Canada
  • United Kingdom
  • France
  • India
  • Australia
  • Singapore

North America, Western Europe, and the Asia-Pacific region seem to be priority targets. Russia and former Soviet states are noticeably absent, likely because cybercriminals prefer not to draw law enforcement attention in their own backyard.

Industries

Organizations in these sectors have been heavily impacted:

  • Healthcare
  • Education
  • IT Services
  • Manufacturing
  • Energy
  • Financial Services
  • Government

Ransomware groups often target these industries due to their sensitive data, downtime costs, and willingness to pay ransoms quickly. Healthcare in particular has been ravaged, with hospitals crippled during the COVID-19 pandemic.

Organization Size

CLOP seems to pursue a “big game hunting” strategy, targeting:

  • Large enterprises
  • Multinational corporations
  • Major technology firms
  • Critical infrastructure providers

These organizations likely have the resources and incentive to pay ransoms in the millions of dollars. Small businesses may not be ignored, but the operators seem focused on bigger targets.

Recent updates on CLOP ransomware operations

Researchers actively track updates on CLOP’s tactics, techniques, and procedures:

Shifting tactics in 2022

– Increased attacks on MSPs (managed service providers) to access their customer networks
– Leveraging Remote Monitoring and Management software like Kaseya VSA
– Exploiting Log4Shell and other vulnerabilities more aggressively
– Expanding initial access brokers and intrusion vectors

Increasing ransom demands

– Average CLOP ransom demand increased from $250,000 in 2020 to $2 million in 2022
– Operators threaten $50 million+ demands for large critical infrastructure targets
– Willingness to negotiate down varies based on victim profile

New malware delivery

– Distributing Hancitor/Chanitor malware to gain initial foothold in target networks
– Shifting from TA505 botnets like Emotet to affiliate networks for distribution
– Partnership with ransomware gang Black Basta to provide larger attack infrastructure

Targeting oil and gas industry

– At least 6 major energy companies victimized in early 2022
– Leveraging high oil prices and geopolitical tensions to coerce victims
– Disrupting operations could impact global energy supply and prices

These updates provide insight into the group’s evolving tactics as it continues scaling up attacks worldwide.

Where are CLOP ransomware servers located?

The CLOP ransomware operators use servers located around the world to carry out their attacks, including:

  • Command and control (C2) servers – Used to send commands and manage infections worldwide. Located primarily in Russia, Europe, and Iran.
  • Data exfiltration servers – Receive stolen data from victims. Often hosted with bulletproof hosting providers in Russia or on free tiers of US cloud providers.
  • Ransomware payment/negotiation portals – Located on .onion Tor sites for ransom payments and negotiations. Hosted on hidden Tor servers.
  • Affiliate infrastructure – CLOP partners maintain infrastructure to gain initial access and deliver the ransomware. Located globally based on affiliate locations.

By distributing infrastructure globally and leveraging cryptocurrency, they attempt to evade law enforcement and maintain resilience. Russia/CIS, North America, and Western Europe appear to host the most critical attack infrastructure.

Known CLOP ransomware server locations

Country – Servers/Infrastructure

  • Russia – C2 servers, data storage, payment portals
  • Iran – C2 servers, data storage
  • Indonesia – Affiliate access brokers
  • Singapore – Affiliate access infrastructure
  • United States – Cloud storage, servers, money mules
  • Netherlands – Bulletproof hosting, data storage
  • Ukraine – Affiliate access brokers and infrastructure

How can organizations defend against CLOP?

Defense against advanced ransomware like CLOP requires layered cybersecurity measures including:

  • Network segmentation – Isolate and firewall critical systems to limit lateral movement.
  • Endpoint hardening – Use EDR tools and strict policies to lock down endpoints.
  • Access management – Limit privileged access, enforce MFA, and monitor remote access.
  • Email security – Block suspicious attachments, quarantine malware downloads.
  • Vulnerability management – Rapidly patch known web, endpoint and network vulnerabilities.
  • Backups – Maintain offline, immutable backups to enable quick recovery.
  • User education – Train staff to recognize social engineering and phishing.
  • Incident response plan – Have an IR plan in place for quickly responding to ransomware attacks.

Proactive measures coupled with solutions like firewalls, EDR, secure email gateways, and backup/recovery tools can help substantially lower risk against ransomware like CLOP.

Conclusion

CLOP ransomware remains a serious threat to organizations globally as attackers continue evolving new tactics, techniques, and procedures. While concentrated in certain regions and industries, ransomware knows no boundaries, as critical infrastructure like hospitals and schools have been targeted during the pandemic. By locating key attack infrastructure and understanding the group’s methods, potential targets can take proactive measures to harden security and minimize disruptions from ransomware attacks. Implementing layered defenses and having an incident response plan in place remain the best practices against CLOP and other ransomware threats going into the future.
