Cl0p Ransomware Operations Go Quiet

Date:

October 25, 2023


The Cl0p ransomware gang’s unprecedented campaign exploiting known vulnerabilities in the GoAnywhere and MOVEit file transfer products drove attack levels sharply upward throughout the first half of 2023 and pushed them to a new high in July.

Since then, the number of attacks fell dramatically in August, and the group appears to have gone dark altogether in September.

“Cl0p would typically feature in at least the top 3 threat actors for activity in the month, however, as we alluded to in the August Threat Pulse, Cl0p kept a significantly lower profile with just three victims that month and have now completely vanished from our dataset in September,” SCMagazine reported researchers as saying.

Takeaway: Cl0p is a RaaS platform first observed in 2019 that has displayed advanced anti-analysis and anti-virtual-machine capabilities intended to hinder investigation of its payloads in emulated environments.

Cl0p had dedicated significant resources to automating aspects of the attack progression: exploiting known vulnerabilities for initial access, improving stealthy payload delivery, fine-tuning evasion techniques, and dramatically improving encryption speeds.

Cl0p attacks had typically included the delivery of a ransomware payload, but in some of its more recent operations the group had been observed shifting to straight data exfiltration and extortion without encryption.

Whether Cl0p has succeeded in effectively monetizing these compromises by collecting on its ransom demands is still unclear; this respite may be an attempt by the group to “catch up” on the backlog of compromised victims, or a sign that the group is retooling.

Cl0p ransom demands varied depending on the target and averaged around $3 million, but have been reported to be as high as $20 million. Ransom amounts were anticipated to continue to grow as Cl0p focused more on the exfiltration of sensitive data.

It remains to be seen what will become of one of the most prolific attack groups to ever emerge.

Halcyon.ai is the industry’s first dedicated, adaptive security platform that combines multiple advanced proprietary prevention engines along with AI models focused specifically on stopping ransomware – talk to a Halcyon expert today to find out more. Halcyon also publishes a quarterly RaaS and extortion group reference guide, Power Rankings: Ransomware Malicious Quartile.