Profile: TA505 / CL0P ransomware

July 11, 2023

Executive summary

CL0P ransomware (sometimes presented as CLOP, Clop, or Cl0p) was first observed in Canada in February 2020. It is operated by the cybercriminal group TA505 (A.K.A. GRACEFUL SPIDER, Lace Tempest, Spandex Tempest, DEV-0950, FIN11, Evil Corp, GOLD TAHOE, GOLD EVERGREEN, Chimborazo, Hive0065, ATK103), which has been active since at least 2014.Footnote 1

In May 2023, CL0P/TA505 began exploiting zero-day vulnerabilities in MOVEit Transfer, a widely used managed file transfer solution. Through this exploitation, they victimized a significant number of organizations, including several US government agencies.Footnote 2

The Canadian Centre for Cyber Security (Cyber Centre) assesses that TA505 will very likely continue to pose a threat to Canadian and international organizations into 2024. However, there is a roughly even chance that TA505 will temporarily pause ransomware operations in an attempt to evade law enforcement in the short term. In the mid-term, TA505 will likely continue to use CL0P ransomware and will also likely develop new tactics, techniques and procedures (TTPs) to aid their cybercriminal activities.

Overview

CL0P ransomware is operated by the cybercriminal group TA505. The Cyber Centre assesses that TA505 is almost certainly a financially motivated, Russian-speaking, ransomware-as-a-service (RaaS) cybercrime group that is very likely based in a Commonwealth of Independent States (CIS) country. A RaaS cybercrime group maintains the good functioning of a particular ransomware variant, sells access to that ransomware variant to individuals or groups of operators (often referred to as “affiliates”), and supports affiliates’ deployment of their ransomware in exchange for upfront payment, subscription fees, a cut of profits, or all three.

TA505 has been active since at least 2014. In addition to operating the CL0P RaaS, TA505 has also operated as:

  • an affiliate or developer of other RaaS operations including LockBit, Hive, Locky Ransomware, and REvil
  • an initial access broker, selling access to compromised corporate networks
  • a large botnet operator, specializing in financial fraud and phishing attacks, involving use of the Dridex banking trojanFootnote 3

CL0P ransomware was first observed in 2019 internationally. It is possibly an evolution of CryptFile2, CryptoMix, and Work ransomwares.Footnote 4

Notable tactics, techniques and procedures (TTPs)

Several third parties have published detailed analyses of TTPs associated with various iterations of CL0P ransomware.Footnote 5

CL0P/TA505 have been reported to use TrueBot. TrueBot is a botnet used by malicious cyber groups to collect and exfiltrate sensitive data from its target victims for financial gain. Open-source reporting indicates that cyber threat actors are using both phishing campaigns with malicious redirect hyperlinks and CVE-2022-31199 (a critical remote code execution vulnerability in the Netwrix Auditor software) to deliver new TrueBot malware variants. TrueBot is used during the initial stages of a ransomware attack to collect victim information and enable the threat actor to deploy CL0P ransomware onto a victim’s network.Footnote 6

CL0P/TA505 have reportedly leveraged MOVEit Transfer zero-day exploits. On June 7, 2023, the US Cybersecurity and Infrastructure Security Agency (CISA) and the US Federal Bureau of Investigation (FBI) released an advisory stating the following:

  • Beginning May 27, 2023, CL0P began exploiting a previously unknown SQL injection vulnerability (CVE-2023-34362, [see Table 1]) in Progress Software's managed file transfer solution known as MOVEit Transfer.
  • Internet-facing MOVEit Transfer web applications were infected with a web shell named LEMURLOOT, which was then used to steal data from underlying MOVEit Transfer databases.Footnote 7
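The two bullet points above describe a pattern defenders can look for directly in web server logs: a server-side page that the vendor never shipped starts receiving requests, typically POSTs, and returns large responses. The script below is an added example written for this profile; it is not code from the Cyber Centre, CISA, or Progress Software, and it uses no indicators from the advisory. It compares an IIS-style W3C access log against a baseline inventory of the application's web root and reports any ASP.NET page that was requested but is absent from the baseline. The baseline page names, client addresses and log lines are all constructed for the example, and the field layout follows the W3C `#Fields:` header convention that IIS writes.

```python
"""
Added example for triaging a possible web shell on an internet-facing
file-transfer application. Not part of the original profile.

Inputs (both constructed for this example):
  1. BASELINE_PAGES: server-side pages known to ship with the application,
     ideally taken from a clean install or a vendor manifest.
  2. W3C_LOG: IIS-style access log lines with a '#Fields:' header.
Output: every requested .aspx/.ashx/.asmx page that is not in the baseline,
with request count, HTTP methods, distinct client IPs and bytes returned.
"""
from dataclasses import dataclass, field

# Constructed baseline: pages the application legitimately serves.
BASELINE_PAGES = {
    "/default.aspx",
    "/account/login.aspx",
    "/transfer/upload.aspx",
}

# Extensions that IIS hands to the ASP.NET runtime; a file with one of these
# names that nobody installed is the thing worth investigating.
SERVER_SIDE_EXT = (".aspx", ".ashx", ".asmx", ".asax")

# Constructed sample log (not real traffic; addresses are documentation ranges).
W3C_LOG = """\
#Software: Microsoft Internet Information Services 10.0
#Fields: date time cs-method cs-uri-stem cs-uri-query c-ip sc-status sc-bytes
2023-06-01 03:12:07 GET /default.aspx - 198.51.100.20 200 5120
2023-06-01 03:12:09 POST /account/login.aspx - 198.51.100.20 302 310
2023-06-01 03:14:55 GET /transfer/upload.aspx id=17 198.51.100.20 200 8811
2023-06-01 03:20:02 POST /backup2.aspx - 203.0.113.9 200 4194304
2023-06-01 03:20:40 POST /backup2.aspx - 203.0.113.9 200 8388608
2023-06-01 03:21:13 POST /backup2.aspx - 203.0.113.77 200 2097152
2023-06-01 03:30:00 GET /static/app.js - 198.51.100.21 200 40021
"""


@dataclass
class Finding:
    path: str
    requests: int = 0
    methods: set = field(default_factory=set)
    clients: set = field(default_factory=set)
    bytes_out: int = 0


def parse_w3c(text):
    """Yield one dict per log record, keyed by the names in the #Fields header."""
    fields = None
    for line in text.splitlines():
        if not line.strip():
            continue
        if line.startswith("#Fields:"):
            fields = line.split()[1:]      # header can change mid-file; honour the latest
            continue
        if line.startswith("#"):
            continue                       # other directives (#Software, #Date, ...)
        if fields is None:
            raise ValueError("log data appeared before a #Fields header")
        values = line.split()
        if len(values) != len(fields):
            continue                       # malformed record; skip rather than abort
        yield dict(zip(fields, values))


def find_unknown_pages(log_text, baseline):
    """Return {uri_stem: Finding} for server-side pages not in the baseline."""
    baseline_lc = {p.lower() for p in baseline}
    findings = {}
    for rec in parse_w3c(log_text):
        stem = rec["cs-uri-stem"].lower()  # IIS paths are case-insensitive
        if not stem.endswith(SERVER_SIDE_EXT) or stem in baseline_lc:
            continue
        f = findings.setdefault(stem, Finding(stem))
        f.requests += 1
        f.methods.add(rec["cs-method"].upper())
        f.clients.add(rec["c-ip"])
        f.bytes_out += int(rec["sc-bytes"])
    return findings


def ranked(findings):
    """Largest response volume first: bulk data theft through a shell shows up
    as POSTs that return far more bytes than a normal page."""
    return sorted(findings.values(), key=lambda f: f.bytes_out, reverse=True)


if __name__ == "__main__":
    for f in ranked(find_unknown_pages(W3C_LOG, BASELINE_PAGES)):
        print(f"{f.path}: {f.requests} requests, methods={sorted(f.methods)}, "
              f"clients={sorted(f.clients)}, bytes_out={f.bytes_out}")
```

On a real host the baseline should come from a known-good installation rather than from the same server, since a backdoored web root would otherwise vouch for itself; the log comparison is a quick first pass, and any hit should be confirmed by checking the file's creation time and contents on disk.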

The US National Institute of Standards and Technology (NIST) published technical guidance on CVE-2023-34362 stating that “a SQL injection vulnerability has been found in the MOVEit Transfer web application that could allow an unauthenticated attacker to gain access to MOVEit Transfer's database”. NIST rated CVE-2023-34362 a 9.8 out of 10 on the Common Vulnerability Scoring System (CVSS).Footnote 8

Progress Software has released several patch and remediation instructions to address the common vulnerabilities and exposures (CVEs) associated with the above mentioned zero-day exploits in MOVEit Transfer:

TA505 had previously conducted similar zero-day-exploit-driven campaigns against Accellion File Transfer Appliance devices in 2020 and 2021, and Fortra/Linoma GoAnywhere MFT servers in early 2023.Footnote 7

MOVEit transfer campaign against the US government and other victims

Several US government agencies were affected by cyber intrusions related to MOVEit Transfer vulnerabilities, as reported by media on June 15, 2023. CISA indicated that they were providing support to several affected agencies to “understand impacts and ensure timely remediation”. CL0P/TA505 have claimed responsibility for these attacks and further claim to have erased any data that they extracted.Footnote 9

Many other organizations were also victimized by CL0P/TA505 using MOVEit Transfer exploits beginning in May 2023. CL0P/TA505 claimed on June 6, 2023, that they would begin to publish data stolen from “hundreds of companies” during this campaign beginning on June 14 if ransoms were not paid.Footnote 10

CL0P/TA505 claimed responsibility for the MOVEit Transfer attacks, posting a notice on their Dedicated Leak Site (DLS).Footnote 11

On June 16, 2023, the US State Department announced a reward of up to $10 million USD for information “linking CL0P Ransomware Gang or any other malicious cyber actors targeting U.S. critical infrastructure to a foreign government”.Footnote 12

Conclusion

CL0P has presented a threat to Canadian and international organizations since at least 2019, while TA505 has presented a threat since at least 2014. TA505 is an enduring threat group which has not only outlasted but also leveraged other cybercriminal organizations. Beginning in May 2023, CL0P/TA505 intensified malicious activity against organizations worldwide through the exploitation of zero-day vulnerabilities in MOVEit Transfer.Footnote 7

The Cyber Centre assesses that TA505 will very likely continue to pose a threat to Canadian and international organizations into 2024. However, there is a roughly even chance that TA505 will temporarily pause ransomware operations in an attempt to evade law enforcement in the short term. In the mid-term, TA505 will likely continue to use CL0P ransomware and will also likely develop new TTPs to aid their cybercriminal activities.
