34.Key AbstractDigital

"Variants of CL0p were initially only found on Windows systems, but the gang also developed a Linux variant toward the end of 2022, reflecting the diversity of endpoint operating systems used by modern businesses. In an interesting, flawed technical glitch, security researchers noted that the Linux version’s encryption is easily reversible using a simple decryptor."

CL0p is a notorious name on the ransomware scene, and with good reason. The gang’s members have been responsible for a series of high-profile attacks since security researchers first spotted their ransomware strain in the wild back in 2019. 

Our internal data shows that CL0p continues to cause havoc and will likely supplant LockBit as the top ransomware gang in 2023. Here is a deep dive into the CL0p ransomware and the gang’s attacks.

CL0p is the name given to a group of Russian-speaking threat actors who use a ransomware strain that appends the extension .CL0p onto encrypted system files. The gang’s members tweaked a previously used ransomware strain known as CryptoMix to create ransom.CL0p. The group is financially motivated and began its operations by targeting businesses earning at least $5 million in annual revenues.

Among the techniques used in traditional CL0p ransomware attacks are local file deletion, evading sandboxes, downloading tools from external URLs and halting system processes. Attacks commonly feature the Truebot tool, which collects and transmits information about the local system in addition to loading malicious shell code and other program modules. The popular adversary simulation tool Cobalt Strike helps CL0p threat actors expand their network access to multiple systems.