Security researchers who have tracked Cl0p describe the group in blog posts and to Motherboard as a "criminal enterprise" that is "ruthless," "sophisticated and innovative," "well-organized and well-structured," and "very active—almost tireless." The group's recent victims include: oil giant Shell, security company Qualys, U.S. bank Flagstar, the controversial global law firm Jones Day, Stanford University, and University of California, among several others, all victims of a supply chain hack against Accellion, a company that provides a file transfer application.
"In our team there is no me, there is only us, as a rule, most people are interchangeable."
Cl0p published the name of the companies, and a sample of the stolen data, on its website, CL0P^_- LEAKS. As researchers from Talon, a division of South Korean cybersecurity company S2WLAB said in an email, "some companies are found to be removed on the data leakage page on the dark web," presumably because they paid the ransom. There are 52 companies on CL0P^_- LEAKS as of last week. These are presumably companies that have not paid the ransom requested by the hackers. Antonis Terefos, a researcher at Fox-IT who has studied the group, estimated that the group has hacked more than 150 companies.
Do you have knowledge of the inner workings of Cl0p or another ransomware gang? We’d love to hear from you. Using a non-work phone or computer, you can contact Lorenzo Franceschi-Bicchierai securely on Signal at +1 917 257 1382, lorenzofb on Wickr, OTR chat at email@example.com, or email firstname.lastname@example.org
Goody said that Cl0p's ransomware has metadata in Russian language, and the hackers appear to stop their activities during Russian holidays. Moreover, she added, their malware is programmed to check if the infected computers use the Russian language character set, or keyboard layouts for countries in the CIS. If that's the case, the ransomware deletes itself. This is a true and tested strategy to avoid attracting the attention of authorities in Russia or other Eastern European countries, which are sometimes believed to tolerate cybercrime as long as it doesn't impact their own citizens. Despite these precautions, some believe Cl0p is getting a bit too popular for its own good. "They are getting too much attention, not a good thing. Last year, nobody was interested in them. Now, there are many reports writing about them and [law enforcement] cases ongoing," a security researcher, who asked to remain anonymous because he was not authorized to speak to the press, told Motherboard in an email. "Maybe they'll rebrand like other ransomware gangs did to get out of the focus. Maybe they continue to operate because they reside in a safe haven like a [Commonwealth of Independent States] country. Hopefully, their doors get kicked in one morning…"Terefos agreed."It's only a matter of time before they make a mistake which will help [law enforcement to identify its members," he said. Subscribe to our cybersecurity podcast, CYBER.
"It's only a matter of time before they make a mistake which will help [law enforcement to identify its members."