Countermeasures to Protect Against TA505 (CL0P Ransomware)

Author: Patrick Barnett, CISA, CISM, CEH, CISSP, PCI QSA, PCIP
Date Published: 2 January 2024

The Russian threat group TA505, which operates CL0P ransomware, has evolved since 2014 into a prolific Ransomware-as-a-Service (RaaS) organization that specializes in zero-day vulnerabilities.1 TA505 primarily targets banking, healthcare and financial organizations. It is the largest distributor of phishing, spear phishing and malspam2 in the world. The group also operates an initial access broker (IAB) store, used by other threat groups around the world that want to purchase stolen credentials or the access those credentials provide. IABs harvesting stolen credentials for reuse by other threat actors was one of the biggest new trends of 2023. According to many estimates, 25% of attacks in 2023 resulted from the use of stolen credentials,3 meaning that the threat actor needed no malware and no vulnerability to penetrate the enterprise network. This is a striking new development in tactics, techniques and procedures (TTPs).

TA505 has emerged as one of the most sophisticated and prolific threat groups of 2023. Organizations can protect themselves by implementing countermeasures intended to mitigate risk.

Introduction to TA505 and Cl0p Ransomware

TA505’s TTPs are fairly straightforward, but the threat group has collected hundreds of millions of dollars in cryptocurrency payments and from the services it provides.4 In 2023, groups such as TA505 operated much like a Fortune 500 enterprise. These threat groups make decisions like any other organization, and changes to operations and tactics are driven by what increases profitability. They spend substantial amounts of money on research and development and on securing the best tools and expertise for the task at hand. TA505 has also been known to work with affiliate groups, as during the 2023 MOVEit breach,5 that bring added value to its overall approach and help increase its return on investment (ROI).

TA505 phishes, spear phishes or uses an IAB to obtain stolen credentials; infects a machine using those credentials or by convincing a user to click a phishing link; releases a malware payload (e.g., Cobalt Strike, Cl0p); establishes command and control; moves laterally; kills security applications; and pivots to other machines over internal remote desktop protocol (RDP) connections. TA505 then deploys ransomware and various web shells (e.g., Lemurloot). At that point, encryption and data exfiltration occur very quickly. The group has historically conducted campaigns in the Asia Pacific region, Canada, India and the United States.

TA505 has developed a niche: finding and taking advantage of zero-day exploits. It has victimized more than 3,000 organizations in the United States and 8,000 worldwide.6 Confidential data belonging to millions of users has been exfiltrated by TA505 and offered for sale on the dark web. TA505 also maintains blogs where it posts updates on its victims and their stolen data. Media outlets often monitor these blogs to learn of attacks quickly.

TA505 also operates a dark web marketplace where it sells confidential data. Everything the group does is streamlined for financial gain.


In June 2023, the US State Department announced a US$10 million reward to anyone with information linking TA505 to a foreign government.7 The bounty was a result of various ransomware groups targeting US critical infrastructure.

To fully understand the depth and breadth of TA505 and its impact, it is worth examining the strategies it uses. TA505 attack TTPs include:

  • Internet-based RDP connections used to infiltrate enterprise networks
  • Manipulation of known vulnerabilities (wherein patches have not been applied)
  • Common penetration testing tools such as Cobalt Strike
  • Malware tools such as Bart, Locky, Scarab, Philadelphia, GlobeImposter, Jaff, GandCrab and Clop
  • Use of stolen private keys from legitimate software to avoid detection by cybersecurity applications
  • Use of stolen credentials (such as those purchased from an IAB)
  • RaaS
  • Banking trojans (e.g., Dridex, Amadey, Necurs) used to commit financial fraud
  • Use of Active Directory (AD) misconfigurations and vulnerabilities to move laterally and escalate privileges
  • Use of web shells to maintain persistence and spread malware
  • Disabling of security tools

How to Reduce Risk From TA505 (and Other Threat Groups)

While the threats posed by TA505 are considerable, damaging and prolific, there are numerous countermeasures that organizations can deploy to mitigate the risk posed by these TTPs:

  • Disallow any RDP connections to the Internet. Close all other unnecessary RDP ports internally. Do not allow the use of other remote tools from the Internet unless they are secure. Routinely audit all remote access methods and users. Only allow approved remote access solutions such as virtual private networks (VPNs) and virtual desktop infrastructure (VDI). Block all inbound and outbound connections on the remote access software ports at the network perimeter.
  • Closely monitor logs of any required remote access software.
  • Implement application controls to manage and control the execution of software that has not been approved.
  • Disable end user Windows PowerShell and command-line capabilities.
  • Ensure that PowerShell is current and remove any versions older than 5.0.
  • Ensure that all PowerShell logging is robust.
  • Conduct an annual account reconciliation. Check all network accounts to ensure that they are still needed and adhere to the principle of least privilege.
  • Reduce the risk of credential compromise by:
    • Protecting the domain administrator (admin) accounts and preventing caching of password hashes
    • Never using plaintext credentials in scripts
  • Implement a comprehensive, immutable recovery plan (consider a 3-2-1 strategy8). Practice and time the effort to recover.
  • Use long passwords consisting of at least 8 characters. Require at least one number and one special character.
  • Use a good password manager.
  • Do not allow password hints.
  • Lock accounts after 3 failed attempts to log in.
  • Require password changes annually.
  • Do not give end users admin access. Require admin access to install any software.
  • Always use multifactor authentication (MFA).
  • Keep everything patched. Patch as quickly as possible.
  • Use network segmentation to prevent the spread or lateral movement of malware.
  • Utilize a next-generation antimalware software tool to protect endpoints.
  • Utilize a next-generation tool (e.g., managed detection and response [MDR], extended detection and response [XDR]) to ingest all endpoint logs and report events, incidents and anomalies.
  • Disable any unnecessary ports.
  • Immediately investigate all reported incidents.
  • Ensure that antivirus applications are updated and used.
  • Disable hyperlinks in emails.
  • Ensure that all disks and backups are encrypted.
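As an added example (not from the article or its author), the following Python script turns three of the countermeasures above into checks an analyst can run over exported Windows event records: accounts that have reached the lockout threshold of 3 failed logons, successful RDP logons that arrive from outside the internal address space, and PowerShell script block log entries that merit review. The internal ranges, the review patterns and every event record are constructed assumptions for this illustration, not data from the article.

```python
"""Added example (not part of the article): apply three of the countermeasures
above (account lockout after 3 failed logons, no RDP from the Internet, review
of PowerShell logging) as detection logic over constructed Windows event records."""
from collections import Counter
from ipaddress import ip_address, ip_network

# Assumption: the organization's internal address space is RFC 1918.
# Anything outside these ranges is treated as "the Internet".
INTERNAL_NETS = [
    ip_network("10.0.0.0/8"),
    ip_network("172.16.0.0/12"),
    ip_network("192.168.0.0/16"),
]

# Assumption: the lockout threshold matches the article's "3 failed attempts".
LOCKOUT_THRESHOLD = 3

# Windows Logon Type 10 = RemoteInteractive, i.e. an RDP session.
RDP_LOGON_TYPE = 10

# Substrings worth an analyst's review in PowerShell script block logs (Event ID 4104).
# Encoded commands hide what is executed; tampering with real-time protection is the
# "disabling of security tools" TTP the article lists. Illustrative list, not exhaustive.
POWERSHELL_REVIEW_PATTERNS = ("-encodedcommand", "-enc ", "disablerealtimemonitoring")

# Constructed sample events (all values invented), loosely shaped like Windows
# Security Event IDs 4625 (failed logon), 4624 (successful logon) and the
# PowerShell Operational log's 4104 (script block text). The base64 string below
# simply decodes to "Start-Sleep"; it stands in for any encoded command.
SAMPLE_EVENTS = [
    {"id": 4625, "user": "jsmith", "src": "10.0.5.12", "logon_type": 2},
    {"id": 4625, "user": "jsmith", "src": "10.0.5.12", "logon_type": 2},
    {"id": 4625, "user": "jsmith", "src": "10.0.5.12", "logon_type": 2},
    {"id": 4625, "user": "jsmith", "src": "10.0.5.12", "logon_type": 2},
    {"id": 4625, "user": "mlopez", "src": "10.0.5.40", "logon_type": 2},
    {"id": 4624, "user": "svc_backup", "src": "198.51.100.77", "logon_type": 10},
    {"id": 4624, "user": "admin2", "src": "10.0.7.3", "logon_type": 10},
    {"id": 4104, "user": "hlee", "src": "10.0.9.8", "script": "Get-ChildItem C:\\Reports"},
    {"id": 4104, "user": "hlee", "src": "10.0.9.8",
     "script": "powershell.exe -EncodedCommand UwB0AGEAcgB0AC0AUwBsAGUAZQBwAA=="},
]


def is_internal(src: str) -> bool:
    """True when the source address falls inside INTERNAL_NETS."""
    addr = ip_address(src)
    return any(addr in net for net in INTERNAL_NETS)


def lockout_candidates(events, threshold: int = LOCKOUT_THRESHOLD) -> dict:
    """Accounts whose failed-logon count (4625) reached the lockout threshold.
    If such an account is still able to log on, the lockout policy is not enforced."""
    failures = Counter(e["user"] for e in events if e["id"] == 4625)
    return {user: n for user, n in failures.items() if n >= threshold}


def internet_rdp_logons(events) -> list:
    """Successful RDP logons (4624, logon type 10) from outside the internal ranges.
    Once Internet-facing RDP is closed, as the article recommends, this list must be empty."""
    return [
        (e["user"], e["src"])
        for e in events
        if e["id"] == 4624 and e["logon_type"] == RDP_LOGON_TYPE and not is_internal(e["src"])
    ]


def powershell_for_review(events) -> list:
    """Script block log entries (4104) containing patterns an analyst should look at."""
    hits = []
    for e in events:
        if e["id"] != 4104:
            continue
        text = e["script"].lower()
        matched = [p for p in POWERSHELL_REVIEW_PATTERNS if p in text]
        if matched:
            hits.append({"user": e["user"], "src": e["src"], "matched": matched})
    return hits


def run_checks(events) -> dict:
    """Bundle the three checks into one report keyed by countermeasure."""
    return {
        "lockout": lockout_candidates(events),
        "internet_rdp": internet_rdp_logons(events),
        "powershell": powershell_for_review(events),
    }


if __name__ == "__main__":
    for name, findings in run_checks(SAMPLE_EVENTS).items():
        print(f"{name}: {findings}")
```

The three checks are deliberately tied to policy values the article states (3 failed attempts, no RDP from the Internet, robust PowerShell logging), so a non-empty result in production points at the specific countermeasure that is not being enforced rather than at a generic anomaly. Feeding real exports in requires only mapping the event fields onto the dictionary keys used here.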

Conclusion

While there is no way to completely eliminate the risk associated with a threat group such as TA505, employing the recommended countermeasures can help any organization substantially reduce the risk associated with threat groups, IABs and RaaS organizations.

Endnotes

1 Canadian Centre for Cyber Security, “Profile: TA505/CL0P Ransomware,” Government of Canada, 11 July 2023
2 Lenaerts-Bergmans, B.; “Introduction to Malware Spam (Malspam),” 19 July 2023
3 Secureworks, 2023 State of the Threat: A Year in Review, 2023
4 Ibid.
5 Cybersecurity and Infrastructure Security Agency, “#StopRansomware: CL0P Ransomware Gang Exploits CVE-2023-34362 MOVEit Vulnerability,” USA, 7 June 2023
6 Ibid.
7 Abrams, L.; “US Govt Offers $10 Million Bounty for Info on Clop Ransomware,” Bleeping Computer, 17 June 2023
8 Castagna, R.; “3-2-1 Backup Strategy,” TechTarget

Patrick Barnett, CISA, CISM, CEH, CISSP, PCI QSA, PCIP

Barnett is an incident response principal consultant for Secureworks. He has more than 30 years of experience as a cybersecurity professional and specializes in network engineering with a focus on security. In previous roles, he acted as chief information security officer (CISO) and chief information officer (CIO) and served as vice president at a large financial enterprise. Barnett is driven by a passion for seeing cybersecurity done right and is committed to helping organizations define proper policies, procedures and mechanisms to respond to security events of any size.
