Double-Extortion Ransomware Attacks on the Rise with Clop and FIN11
- By Dawna M. Roberts
- Published: Oct 15, 2020
- Last Updated: Mar 18, 2022
Cybersecurity experts are noting that cybercriminal gangs are diversifying with double-extortion ransomware tactics and using Clop as their tool of choice.
What and Who is Clop?
Clop is the name of a gang of cyber thieves and the name of their own brand of ransomware. Recently Clop used their malware targeting a huge German software company, Software AG.
In October, the gang breached the company's computer systems and accessed untold volumes of data. The company released a statement alerting customers, "While services to its customers, including its cloud-based services, remain unaffected, as a result, Software AG has shut down the internal systems in a controlled manner in accordance with the company's internal security regulations."
Unfortunately, a few days later, Software AG found out that the gang had downloaded customer data and threatened to release it online. The threat came in the form of a ransom note demanding $23 million.
Clop was first observed in February 2019, when it was discovered by MalwareHunterTeam. This was when the new tactic of double extortion began to emerge. These cyber gangs target large companies with deep pockets. They gain access to their systems, steal critical data, and demand a ransom. If the company refuses to pay, they release the data publicly online.
Before this recent and largest attack, Clop also targeted a biopharmaceutical company named ExecuPharm back in April. The company refused to pay, and the thieves leaked the data online.
The difference with Clop (the group) is that they target large, reputable firms rather than smaller organizations, which most hackers go after.
How Does Clop (the malware) Work?
In a recent article on McAfee's website, Alexandre Mundo and Marc Rivero Lopez explained in detail how the Clop malware/ransomware works.
"The Clop ransomware is usually packed to hide its inner workings. Signing a malicious binary, in this case, ransomware, may trick security solutions to trust the binary and let it pass." Evading anti-malware makes Clop very dangerous, and they also noted that if it is not installed successfully as a service, it terminates itself.
One of the most interesting and disturbing aspects is that the first order of business is that Clop maps the victim's keyboard against hardcoded values to check whether or not the user is Russian. Mundo and Lopez explained it as "The malware checks that the layout is bigger than the value 0x0437 (Georgian), makes some calculations with the Russian language (0x0419) and with the Azerbaijan language (0x082C). This function will return 1 or 0, 1 if it belongs to Russia or another CIS country, or 0 in every other case." The malware then performs a second check to determine if a Russian character set is installed or used.
If the malware encounters a 0, it continues to function. If not, it deletes itself. After ruling out the Russian component, Clop creates a folder called "Favorite." It then makes a dummy call to produce an error, essentially searching for antivirus software. If found, it goes to sleep for five seconds and then resumes.
McAfee mentions that the developers of Clop are not very good programmers and use simple batch files to get the job done. They explain, "The next action is to write this batch file in the same folder where the malware stays with the function 'CreateFileA.' The file created has the name 'clearsystems-11-11.bat'. Later, will launch it with 'ShellExecuteA,' wait for five seconds to finish, and delete the file with the function 'DeleteFileA.'" Mundo and Lopez added, "All these actions could have been performed in the malware code itself, without the need of an external file that can be detected and removed."
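The drop-run-delete sequence described above is exactly the kind of short-lived artifact that endpoint telemetry can catch even though the file itself is gone within seconds. The following is an added example, not code from the article or from McAfee's write-up: a small Python detector that walks a list of simplified, constructed Sysmon-style events (the field names `ts`, `event`, `image`, `target`, `cmdline` and `parent` are assumptions for this example) and flags any `.bat` file that was created next to its dropper, launched through `cmd.exe`, and deleted again inside a short window. The batch file name and the "Favorite" folder come from the article; every other path and timestamp is made up.

```python
import ntpath
from datetime import datetime, timedelta

# Constructed sample telemetry. Only 'clearsystems-11-11.bat' and the
# 'Favorite' folder are taken from the article; all other values are invented.
SAMPLE_EVENTS = [
    {"ts": "2020-10-05T09:00:01", "event": "FileCreate",
     "image": r"C:\Users\alice\Favorite\update.exe",
     "target": r"C:\Users\alice\Favorite\clearsystems-11-11.bat"},
    {"ts": "2020-10-05T09:00:02", "event": "ProcessCreate",
     "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r'cmd.exe /c "C:\Users\alice\Favorite\clearsystems-11-11.bat"',
     "parent": r"C:\Users\alice\Favorite\update.exe"},
    {"ts": "2020-10-05T09:00:07", "event": "FileDelete",
     "image": r"C:\Users\alice\Favorite\update.exe",
     "target": r"C:\Users\alice\Favorite\clearsystems-11-11.bat"},
    # Benign contrast: an admin script created by Explorer in a different
    # folder, run once, and left in place (never deleted).
    {"ts": "2020-10-05T10:00:00", "event": "FileCreate",
     "image": r"C:\Windows\explorer.exe",
     "target": r"C:\Scripts\backup.bat"},
    {"ts": "2020-10-05T10:00:05", "event": "ProcessCreate",
     "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r'cmd.exe /c "C:\Scripts\backup.bat"',
     "parent": r"C:\Windows\explorer.exe"},
]

# The article describes a wait of about five seconds before the delete;
# a 30-second window leaves headroom for slow hosts (assumed value).
WINDOW = timedelta(seconds=30)


def find_dropped_bat_execution(events, window=WINDOW):
    """Return a list of (bat_path, dropper_image) for every .bat file that was
    created in the same folder as the process that wrote it, executed via a
    process whose command line names it, and deleted again within `window`."""
    tracked = {}  # lower-cased .bat path -> bookkeeping record
    hits = []
    for e in sorted(events, key=lambda x: x["ts"]):  # ISO timestamps sort lexically
        ts = datetime.fromisoformat(e["ts"])
        kind = e["event"]
        if kind == "FileCreate" and e["target"].lower().endswith(".bat"):
            # "write this batch file in the same folder where the malware stays"
            same_dir = (ntpath.dirname(e["target"]).lower()
                        == ntpath.dirname(e["image"]).lower())
            tracked[e["target"].lower()] = {
                "path": e["target"], "created": ts, "dropper": e["image"],
                "same_dir": same_dir, "ran": False,
            }
        elif kind == "ProcessCreate":
            cmd = e.get("cmdline", "").lower()
            for key, rec in tracked.items():
                if key in cmd and ts - rec["created"] <= window:
                    rec["ran"] = True
        elif kind == "FileDelete":
            rec = tracked.pop(e["target"].lower(), None)
            if (rec and rec["ran"] and rec["same_dir"]
                    and ts - rec["created"] <= window):
                hits.append((rec["path"], rec["dropper"]))
    return hits


if __name__ == "__main__":
    for bat, dropper in find_dropped_bat_execution(SAMPLE_EVENTS):
        print(f"suspicious drop-run-delete: {bat} written and removed by {dropper}")
```

The rule deliberately requires all three stages (create, run, delete) before it fires, so ordinary admin scripts that are run and left on disk, like the constructed `backup.bat`, are not reported; in a real deployment the window and the same-folder condition are the two knobs to tune against local noise.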
FIN11 Hacker Group Using Clop
The hacker group named FIN11 has been using phishing and credential stuffing to defraud victims and steal money. However, FireEye Mandiant's research team has noticed that this very prolific group has started to expand operations to include ransomware using Clop.
The malicious group has been around for about four years, has conducted countless phishing campaigns, and has even added point-of-sale (POS) malware to its repertoire.
As they evolve, they have recently added ransomware and changed their victimology from targeting companies in the retail space, financial institutions, and the hospitality sector to a more widespread victim pool.
According to cybersecurity experts, FIN11 is a spin-off from the larger TA505 group (a.k.a. Hive0065), which has been around since 2014, targeting restaurants, finance, and retail businesses for financial gain. They are also responsible for a large percentage of the COVID-19 phishing emails.
FIN11 distinguishes itself by being a sophisticated crime group with vast resources. Mandiant researchers wrote, "We believe that the group has used services that provide anonymous domain registration, bulletproof hosting, code signing certificates, and private or semi-private malware. Outsourcing work to these criminal service providers likely enables FIN11 to increase the scale and sophistication of their operations."
CISO of Netenrich, Brandon Hoffman, told ThreatPost that "There is a whole marketplace of providers that cater to and operate in what some refer to as the dark web. These services are not limited to the ones described as in use by FIN11 but include code-writing services, monetary exchanges, and more." Hoffman also added that "Broad-based phishing campaigns with the hope of hooking ransomware into an organization for the purpose of extortion, while leveraging malicious service providers, is at the basic footprint of cybercrime today."
Regardless of the methods used, everyone is at risk of identity theft if their information is stolen and leaked online.