The Cl0p group has been active since early 2019, leveraging vulnerabilities and exploits to encrypt files for ransom. The ransomware group has recently targeted 43 organizations and exfiltrated sensitive details. This report highlights the breakdown of the targeted organizations, the Cl0p ransomware trends observed over the last six quarters, the initial access vector leveraged along with CYFIRMA’s ETLM insights, the threat actors’ motives, and recommendations for organizations to prevent similar incidents in the future.
Cl0p ransomware group has published the names of the 43 targeted organizations on their ransomware leak site (the sample of exfiltrated data, however, is not yet available).
The following is the graphical breakdown of the targeted organizations’ industries and geographies.
This breakdown gives a clear picture of the targets:
Below are the Cl0p ransomware attack trends for the past six quarters (including the current incident).
As part of initial access, Cl0p is suspected to have leveraged the Cleo vulnerability CVE-2024-50623 (CVSS 3.x: 9.8), a critical flaw that enables unrestricted file uploads and downloads and can lead to remote code execution; multiple security researchers have highlighted this since December 2024. Exploit details for the vulnerability are publicly available.
Based on an OSINT search at the time of writing, more than 1,600,000 assets were observed running the vulnerable software, which could render them potential targets.
Indicators of Compromise
The following are the IOCs observed in open source with regard to the Cleo vulnerability exploited by Cl0p ransomware.
(Source: Surface Web)
Cl0p ransomware is associated with the suspected Russian cybercriminal group/advanced persistent threat actor ‘TA505’ – also known as ‘Evil Corp’ in North America. They are believed to have leveraged Cl0p ransomware multiple times with the possible intent of espionage, monetary gain, and retribution in geopolitical scenarios.
Our observation of this threat actor has highlighted the group’s proficiency in developing custom malware and attack tools, devising innovative attack techniques, and working with a clear vision and game plan, while taking the time to evade security measures and remain undetected within compromised networks/systems for as long as possible.
MITRE ATT&CK Techniques
Tactic | Technique
--- | ---
TA0001: Initial Access | T1190: Exploit Public-Facing Application
TA0001: Initial Access | T1566.001: Phishing: Spearphishing Attachment
TA0001: Initial Access | T1078: Valid Accounts
TA0002: Execution | T1059: Command and Scripting Interpreter
TA0002: Execution | T1106: Native API
TA0002: Execution | T1204: User Execution
TA0003: Persistence | T1547: Boot or Logon Autostart Execution
TA0003: Persistence | T1543.003: Create or Modify System Process: Windows Service
TA0004: Privilege Escalation | T1484.001: Domain Policy Modification: Group Policy Modification
TA0004: Privilege Escalation | T1068: Exploitation for Privilege Escalation
TA0004: Privilege Escalation | T1574: Hijack Execution Flow
TA0005: Defense Evasion | T1036.001: Masquerading: Invalid Code Signature
TA0005: Defense Evasion | T1562.001: Impair Defenses: Disable or Modify Tools
TA0005: Defense Evasion | T1140: Deobfuscate/Decode Files or Information
TA0005: Defense Evasion | T1070.004: Indicator Removal on Host: File Deletion
TA0005: Defense Evasion | T1055.001: Process Injection: DLL Injection
TA0005: Defense Evasion | T1202: Indirect Command Execution
TA0005: Defense Evasion | T1070.001: Indicator Removal on Host: Clear Windows Event Logs
TA0007: Discovery | T1033: System Owner/User Discovery
TA0007: Discovery | T1082: System Information Discovery
TA0007: Discovery | T1482: Domain Trust Discovery
TA0007: Discovery | T1069: Permission Groups Discovery
TA0007: Discovery | T1083: File and Directory Discovery
TA0007: Discovery | T1018: Remote System Discovery
TA0007: Discovery | T1057: Process Discovery
TA0007: Discovery | T1012: Query Registry
TA0007: Discovery | T1518.001: Software Discovery: Security Software Discovery
TA0008: Lateral Movement | T1550.002: Use Alternate Authentication Material: Pass the Hash
TA0008: Lateral Movement | T1570: Lateral Tool Transfer
TA0008: Lateral Movement | T1021.002: Remote Services: SMB/Windows Admin Shares
TA0009: Collection | T1005: Data from Local System
TA0010: Exfiltration | T1567: Exfiltration Over Web Service
TA0011: Command and Control | T1071: Application Layer Protocol
TA0040: Impact | T1486: Data Encrypted for Impact
TA0040: Impact | T1490: Inhibit System Recovery
YARA Rules
The following YARA rule can be ingested into SIEM/SOAR solutions to flag the indicators listed above.
rule Suspicious_IPs_and_Hash {
    meta:
        author = "Cyfirma"
        description = "Detects suspicious IP addresses and MD5 hash"
        date = "2025-02-10"
    strings:
        // YARA has no "|" alternation inside a string definition, so each
        // indicator is its own string and the condition uses the $ip* wildcard.
        $ip1 = "185.181.230.103"
        $ip2 = "181.214.147.164"
        $ip3 = "176.123.5.126"
        $ip4 = "5.149.249.226"
        $ip5 = "209.127.12.38"
        $ip6 = "192.119.99.42"
        $ip7 = "176.123.10.115"
        $ip8 = "185.162.128.133"
        $ip9 = "185.163.204.137"
        $ip10 = "45.182.189.102"
        $ip11 = "89.248.172.139"
        $ip12 = "103.140.62.43"
        $ip13 = "146.190.133.67"
        $ip14 = "162.240.110.250"
        $ip15 = "213.136.77.58"
        // Matches the hash as literal text (logs, reports); nocase covers upper-case hex
        $md5 = "31e0439e6ef1dd29c0db6d96bac59446" nocase
    condition:
        any of ($ip*) or $md5
}
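As an added example that is not part of the CYFIRMA report, the Python script below refangs a subset of the listed IOCs, scans log lines for them, and also decodes PowerShell -EncodedCommand payloads so that an attacker address embedded in an encoded command (the "encoded PowerShell" role in the IOC list) is detected rather than missed. The DEFANGED_IOCS subset is taken from the report's values; the log lines and the encoded command are constructed samples.

```python
import base64
import re

# Subset of the defanged IOCs and roles from the report, used as the lookup table;
# they are refanged at runtime so the indicators stay defanged in source.
DEFANGED_IOCS = {
    "185[.]181.230.103": "Scanning Host",
    "185[.]162.128.133": "C2",
    "45[.]182.189.102": "Cobalt Strike server",
}
IOC_MD5 = "31e0439e6ef1dd29c0db6d96bac59446"  # Cl0p ransomware sample (from the report)
IPV4 = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
# powershell.exe -e / -ec / -enc / -EncodedCommand <base64 of a UTF-16LE script>
ENC_CMD = re.compile(r"-(?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]{16,})", re.I)

def refang(ioc):
    """Turn a defanged indicator such as 185[.]181.230.103 back into a real IP."""
    return ioc.replace("[.]", ".")

IOC_IPS = {refang(k): v for k, v in DEFANGED_IOCS.items()}

def decode_powershell(line):
    """Return the decoded -EncodedCommand payload in a log line, or '' if none."""
    m = ENC_CMD.search(line)
    if not m:
        return ""
    try:
        return base64.b64decode(m.group(1)).decode("utf-16-le", "ignore")
    except ValueError:  # not valid base64, so there is no payload to inspect
        return ""

def scan_line(line):
    """Return (indicator, role) hits for one line; the decoded payload is scanned too."""
    text = line + " " + decode_powershell(line)
    hits = [(ip, IOC_IPS[ip]) for ip in IPV4.findall(text) if ip in IOC_IPS]
    if IOC_MD5 in text.lower():  # hashes are often logged in upper case
        hits.append((IOC_MD5, "Cl0p Ransomware"))
    return hits

def scan(lines):
    """Scan many lines; returns [(line_number, (indicator, role)), ...]."""
    return [(n, h) for n, line in enumerate(lines, 1) for h in scan_line(line)]

# Constructed sample logs: scanning-host hit, benign DNS, encoded PowerShell
# embedding the C2 address, and an EDR file-hash event.
_ENC = base64.b64encode("$c='185.162.128.133'".encode("utf-16-le")).decode()
SAMPLE_LOGS = [
    "2025-02-10T10:01:02Z fw allow src=10.0.0.5 dst=185.181.230.103 dport=443",
    "2025-02-10T10:02:15Z fw allow src=10.0.0.5 dst=8.8.8.8 dport=53",
    "2025-02-10T10:03:40Z sysmon CommandLine=powershell.exe -enc " + _ENC,
    "2025-02-10T10:05:00Z edr hash=31E0439E6EF1DD29C0DB6D96BAC59446 path=C:\\Users\\Public\\x.exe",
]
```

Running scan(SAMPLE_LOGS) reports lines 1, 3 and 4; line 3 is caught only because the UTF-16LE payload is decoded before the IP regex runs.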
Attacks that use vulnerabilities and exploits for initial access highlight the need to prioritize patching of vulnerable software and to have a robust vulnerability management and patch management process in place.
Threat actors are well aware of the patching timelines organizations typically follow and are poised to exploit vulnerabilities, regardless of their risk rating, to gain access to the organization’s network.