National Critical Infrastructure Under Attack: Clop Ransomware

John P. Gormally, SR
4 min read · Sep 9, 2022


On August 15, 2022, a U.K. water supplier disclosed a cyber attack that disrupted its corporate IT systems. The attackers reportedly gained entry through a remote access software platform that had sat dormant on the network for months.

This is another ransomware attack on national critical infrastructure (NCI). Clop is a financially motivated criminal operation rather than a state actor, but the target class is the same.

The intrusion, disclosed on Monday, disrupted the water supplier's corporate IT systems. The company insists that water delivery was unaffected, and confirmed that it activated its continuity of operations plan and its cybersecurity response plan and notified the relevant U.K. authorities.

According to a report on BleepingComputer, the Clop ransomware gang claimed responsibility for an attack on a U.K. water company, but named Thames Water as the victim rather than South Staffordshire. The fallout from the cyber attack against the UK water system

Clop claimed to have reached the utility's SCADA systems and threatened to harm consumers of the water supply. The gang did not encrypt the company's PCs, but claims to have exfiltrated 5 terabytes of data during the attack. Even with several layers of critical infrastructure controls, this type of activity continues to be a global problem, not just in the UK.

Clop ransomware continues to propagate globally

Clop is a ransomware variant derived from CryptoMix and attributed to a Russian-speaking criminal group. Clop employs several strategies to evade discovery and frustrate analysis: it uses anti-analysis and anti-virtual machine (VM) checks and will not execute if it detects that it is running in an emulated environment. Additionally, the ransomware tries to deactivate Windows Defender and remove Microsoft Security Essentials.

Vulnerable Operational Technology(OT) systems at risk

As industrial systems connect to the internet to leverage cloud analytics, the devices become more exposed to cyberattacks. Industrial control systems (ICS) and Internet of Things (IoT) devices are particularly vulnerable because of inadequate OT security controls and vulnerabilities within the products themselves.

Critical infrastructure equipment in production, such as intelligent building control systems, fire and safety systems, traffic control systems, intelligent lighting, telematics devices, industrial controllers, medical devices, and sensor systems, is exposed to attack because it is patched infrequently.

Most operational technology (OT), IoT, and industrial IoT (IIoT) devices were not designed with cybersecurity in mind.

Cybercriminals target OT because of weaknesses in its protective security. According to one ransomware report, the average Clop ransom is currently around $40,000. Clop attacks frequently cause longer periods of downtime than typical ransomware attacks.

For many businesses, downtime is the most expensive aspect of a ransomware event. Phishing is the most common initial access vector for Clop in OT-heavy industries.

How does Clop Ransomware work in OT Systems?

Clop encrypts the files on a compromised system and appends its own extension (.Clop) so that they can no longer be opened, rendering them worthless to the victim. It then drops a ransom note (ClopReadMe.txt) in the affected directories informing the user that the files are encrypted and giving instructions for paying the ransom, whether in Bitcoin or another cryptocurrency.

Understanding the attack surfaces

Recent versions of Clop require victims to include the name and address of their employer in the email correspondence. Although the reason cannot be confirmed, it is likely an effort to improve victim tracking.

Spam attachments and download links in the email body delivered several malware variants used to stage the ransomware.

Post-attack analysis found that Clop mimics Ryuk and has similarities to BitPaymer. The code and functionality of these families differ considerably, however; what they share are tactics, techniques, and procedures (TTPs).

Prevention & Mitigation from Clop Ransomware

The potential impact of Clop in OT is not limited to the corporate IT network: without segmentation, a foothold in IT can reach the OT network.

Clop can be delivered onto a system through numerous techniques, including spam email attachments, trojans, malicious URLs, software cracks, unsecured Remote Desktop Protocol (RDP) connections, and infected websites.
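Two of the behaviours described above leave footprints a defender can correlate: password guessing against exposed RDP (Windows Security event 4625 with logon type 10, followed by a 4624 from the same source) and the attempt to switch off Windows Defender (Defender operational event 5001, "real-time protection is disabled"). The script below is an added example, not code from the original post or from Airgap Networks; it runs over constructed log lines in a simplified pipe-delimited format, so the field names and the IP addresses are assumptions for illustration, while the event IDs and the logon type are the real Windows values.

```python
"""Added example (not from the original post or from Airgap Networks):
correlate constructed Windows Security / Defender events to flag an RDP
brute-force run that ends in a successful logon, and Defender real-time
protection being disabled. The log format below is a simplified,
constructed one: timestamp|source|event_id|key=value;key=value
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample events. LogonType 10 = RemoteInteractive (RDP).
# 203.0.113.7 fails five times in under a minute and then succeeds as svc_hmi;
# 10.0.5.21 is a user who mistyped a password once. Event 5001 from the
# Defender log means real-time protection was turned off.
SAMPLE_LOG = """\
2022-08-15T02:00:01|Security|4625|LogonType=10;TargetUserName=admin;IpAddress=203.0.113.7
2022-08-15T02:00:03|Security|4625|LogonType=10;TargetUserName=admin;IpAddress=203.0.113.7
2022-08-15T02:00:05|Security|4625|LogonType=10;TargetUserName=administrator;IpAddress=203.0.113.7
2022-08-15T02:00:07|Security|4625|LogonType=10;TargetUserName=svc_hmi;IpAddress=203.0.113.7
2022-08-15T02:00:09|Security|4625|LogonType=10;TargetUserName=svc_hmi;IpAddress=203.0.113.7
2022-08-15T02:00:12|Security|4624|LogonType=10;TargetUserName=svc_hmi;IpAddress=203.0.113.7
2022-08-15T02:03:40|Defender|5001|Product=Microsoft Defender Antivirus
2022-08-15T09:15:00|Security|4625|LogonType=10;TargetUserName=jdoe;IpAddress=10.0.5.21
2022-08-15T09:15:30|Security|4624|LogonType=10;TargetUserName=jdoe;IpAddress=10.0.5.21
"""


def parse_events(text):
    """Parse the constructed log format into dicts sorted by timestamp."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, source, event_id, fields = line.split("|", 3)
        data = dict(kv.split("=", 1) for kv in fields.split(";") if "=" in kv)
        events.append({"time": datetime.fromisoformat(ts), "source": source,
                       "event_id": int(event_id), **data})
    return sorted(events, key=lambda e: e["time"])


def detect_rdp_brute_force(events, threshold=5, window=timedelta(minutes=5)):
    """Flag a source IP with >= threshold failed RDP logons (4625, type 10)
    inside `window`, and escalate if a successful RDP logon (4624, type 10)
    from the same IP follows within the window of the threshold being crossed."""
    alerts = []
    failures = defaultdict(deque)   # ip -> timestamps of recent failures
    flagged = {}                    # ip -> time the threshold was crossed
    for e in events:
        if e["source"] != "Security" or e.get("LogonType") != "10":
            continue
        ip = e.get("IpAddress", "?")
        if e["event_id"] == 4625:
            recent = failures[ip]
            recent.append(e["time"])
            while recent and e["time"] - recent[0] > window:
                recent.popleft()    # drop failures that fell out of the window
            if len(recent) >= threshold and ip not in flagged:
                flagged[ip] = e["time"]
                alerts.append({"rule": "rdp_brute_force", "ip": ip,
                               "failures": len(recent), "time": e["time"]})
        elif e["event_id"] == 4624 and ip in flagged:
            if e["time"] - flagged[ip] <= window:
                alerts.append({"rule": "rdp_success_after_brute_force", "ip": ip,
                               "user": e.get("TargetUserName"), "time": e["time"]})
    return alerts


def detect_defender_tampering(events):
    """Defender operational event 5001 is logged when real-time protection is
    disabled; on a server that should never happen outside a change window."""
    return [{"rule": "defender_realtime_disabled", "time": e["time"]}
            for e in events if e["source"] == "Defender" and e["event_id"] == 5001]


def run_detections(text=SAMPLE_LOG):
    """Run both detections over a log text and return the combined alert list."""
    events = parse_events(text)
    return detect_rdp_brute_force(events) + detect_defender_tampering(events)


if __name__ == "__main__":
    for alert in run_detections():
        print(alert)
```

On the constructed input this yields three alerts: the brute-force run from 203.0.113.7, the svc_hmi logon that follows it, and the Defender event. The single failure from 10.0.5.21 stays below the threshold and is not reported. Against a real estate the same logic would be fed from the Security and Microsoft-Windows-Windows Defender/Operational channels, and the success-after-brute-force rule is the one worth paging on.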

Airgap Networks provides the Agentless Secure Asset Access (SAA) solution, which adds a security layer with MFA and SSO in front of any device, management console, or specific host inside the client's network.

  • Airgap SAA gives legacy applications modern MFA and an HTML5 browser experience, specifically for RDP and SSH connections.
  • Airgap SAA provides a secure remote connection without the need to deploy a client agent on the endpoint.

Enabling Airgap Networks for Zero Trust Segmentation

The rise of ransomware is no longer a concern only for big businesses; small enterprises are now also demanding ransomware protection for their organizations.

  • Airgap Zero Trust Segmentation provides an incident response mechanism that centralizes monitoring of all devices and stops ransomware attacks with its Ransomware Kill Switch technology.
  • A zero-trust approach is required for these environments while still ensuring their secure connectivity to the internet. Airgap Zero Trust Segmentation provides comprehensive asset visibility and zero trust policy enforcement across the entire traffic flow.

About Airgap Networks

Airgap Networks is the industry's first Zero Trust agentless segmentation solution. It works at the intersection of IT and OT, based on Zero Trust principles, to keep your organization secure from external and internal threats.

Airgap’s comprehensive Zero Trust offerings form a formidable defense against adversaries. Airgap’s Secure Asset Access (SAA) solution ensures that only authenticated, multi-factor-verified (MFA) users can reach confined resources. Airgap’s Zero Trust Isolation (ZTI) solution ensures that all your current and legacy assets are protected against lateral threat movement.

Based in San Jose, Calif., Airgap Networks delivers an Agentless Zero Trust Segmentation platform that ring-fences every endpoint and prevents ransomware propagation. Airgap’s unique and patented Ransomware Kill Switch™ is the most potent response against ransomware threats, and Airgap offers a scalable solution for remote access using Zero Trust principles. https://airgap.io


Written by John P. Gormally, SR

John P. Gormally is a fictional and non-fictional cybersecurity blogger and writer based in Lake Forest California.
