By Huseyin Can YUCEEL & Picus Labs August 22, 2022 Ransomware
Clop ransomware was first observed in February 2019 in an attack campaign run by TA505. It went on to become one of the most widely used ransomware families in the Ransomware-as-a-Service (RaaS) market until suspected Clop members were arrested in June 2021. The Clop ransomware group uses double extortion and collected an average ransom payment of nearly $220,000 from its victims in Q1 2021. Healthcare is the industry most targeted by Clop ransomware.
Attribute | Details
Associated Groups | Successor of CryptoMix ransomware; Aliases: Cl0p; Affiliates: TA505, FIN11, UNC2546, UNC2582
Associated Country | Russia
First Seen | February 2019
Target Sectors | Aviation, Banking, Energy, Financial Services, Government, Healthcare, Information Technology, Manufacturing, Retail, Technology, Telecommunications
Target Countries | United States, Australia, Brazil, Canada, Germany, Hong Kong, India, Mexico, Philippines, Singapore, Spain, Sweden, United Kingdom
Business Models | Ransomware-as-a-Service (RaaS), Multiple Extortion
Extortion Tactics | File Encryption, Data Leakage, Threatening to Sell Stolen Information, Threatening Top Executives and Customers
Initial Access Methods | Exploit Public-Facing Application, Phishing, External Remote Services, Valid Accounts (Stolen Credentials)
Impact Methods | Data Encryption, Data Exfiltration
Application | Vulnerability | CVE | CVSS
Accellion FTA | SQL Injection | | 9.8 Critical
Accellion FTA | OS Command Execution | | 7.8 High
Accellion FTA | SSRF | | 9.8 Critical
Accellion FTA | OS Command Execution | | 9.8 Critical
SolarWinds Serv-U | Remote Code Execution | | 10.0 Critical
MITRE ATT&CK Tactic | Tools
Execution | Get2 Loader [1]
Persistence | Cobalt Strike [2]
Defence Evasion | SDBbot [3]
Discovery | FlawedAmmyy RAT [4], SDBbot [3]
Lateral Movement | TinyMet [5]
Exfiltration | DEWMODE [6]
Impact | Clop ransomware [7]
- [1] "Get2," MITRE ATT&CK. [Online]. Available: https://attack.mitre.org/software/S0460/. (Accessed: Jul. 07, 2022)
- [2] K. Arhart, "Cobalt Strike," Cobalt Strike Research and Development, Aug. 19, 2021. [Online]. Available: https://www.cobaltstrike.com/. (Accessed: Jul. 06, 2022)
- [3] "SDBbot," MITRE ATT&CK. [Online]. Available: https://attack.mitre.org/software/S0461/. (Accessed: Jul. 07, 2022)
- [4] "FlawedAmmyy," MITRE ATT&CK. [Online]. Available: https://attack.mitre.org/software/S0381/. (Accessed: Jul. 07, 2022)
- [5] Microsoft Corporation, "Trojan:Win32/TinyMet," Microsoft Security Intelligence. [Online]. Available: https://www.microsoft.com/en-us/wdsi/threats/malware-encyclopedia-description?Name=Trojan:Win32/TinyMet&ThreatID=2147758560. (Accessed: Jul. 07, 2022)
- [6] "Backdoor.PHP.DEWMODE.A," Trend Micro Threat Encyclopedia. [Online]. Available: https://www.trendmicro.com/vinfo/us/threat-encyclopedia/malware/backdoor.php.dewmode.a/. (Accessed: Jul. 07, 2022)
- [7] Fraunhofer FKIE, "Clop (Malware Family)," Malpedia. [Online]. Available: https://malpedia.caad.fkie.fraunhofer.de/details/win.clop. (Accessed: Jul. 07, 2022)