• Home
  • Attack
  • Detect
  • Predict
  • Dataset
  • Contact Us
        • T1-24–01–S–N–CL
        • T2-24–01–S–N–CL
        • T3-24–01–S–N–CL
        • T4-24–01–S–E–M
        • T5-24–01–S–E–LM
        • T6-24–01–S–E–FH
        • T7-24–01–M–NE–CLM
        • T8-24–01–M–NE–CFHL
        • T9-24–01–M–NE–CLM
        • T1-24–02–S–N–CIKM
        • T2-24–02–S–N–CL
        • T3-24–02–S–N–CL
        • T4-24-02-S-E-M
        • T5-24-02-S-E-DL
        • T6-24-02-S-E-DEGN
        • T7-24-02-M-NE-CDEGLN
        • T8-24-02-M-NE-CDL
        • T9-24-02-M-NE-CLH
        • T1-25–01–S–N–CD
        • T2-25–01–S–N–CL
        • T3-25–01–S–N–CD
        • T4-25-01-S-E-FH
        • T5-25-01-S-E-CL
        • T6-25-01-S-E-CL
        • T7-25-01-M-NE-CDN
        • T8-25-01-M-NE-CLFH
        • T9-25-01-M-NE-CDFH
      • Model Description
      • Explainable AI
  • T4-24-02-S-E-M

  • Ransomware (Cl0p)

    Cl0p ransomware, first identified in 2019, is a sophisticated ransomware targeting large enterprises and organizations. It operates under a "Ransomware-as-a-Service (RaaS)" model, enabling criminal groups to distribute it easily. Cl0p employs a double extortion strategy, encrypting victim data while threatening to leak it to coerce payments. It infiltrates networks through methods like SQL injection, phishing, and exploiting vulnerabilities in servers, notably the Accellion FTA file transfer service. Despite international law enforcement efforts disrupting its operations, Cl0p continues to evolve with new variants and attack techniques.

    •  


  • OS IP Software Log collection
    time    		 Program
    runtime
    Attacker - - - 30 sec 80 sec
    Victim Ubuntu 22.04 192.168.56.106 -

  • Installation
  • python3 -m pip install rich pyfiglet

  • Usage
  • python3 run.py

  • MITRE ATT&CK Framework
  • Attack Tactic
    Reconnaissance Resource Development Initial Access Execution Persistence Privilege Escalation Defense Evasion
    Credential Discovery Lateral Movement Collection Command and Control Exfiltration Impact

  • Logs
  • ./log/2024_02_T4_{time}.log # YYmmdd_HHMMSS


  • References
  • [1] Kaspersky [What is cl0p ransomware?]
    [2] VirusTotal [09d6dab9b70a74f61c41eaa485b37de9a40c86b6d2eae7413db11b4e6a8256ef]
    [3] CTX [09d6dab9b70a74f61c41eaa485b37de9a40c86b6d2eae7413db11b4e6a8256ef]
    [4] MalwareBazaar [09d6dab9b70a74f61c41eaa485b37de9a40c86b6d2eae7413db11b4e6a8256ef]
    [5] Cl0p [Cl0p Ransomware: Active Threat Plaguing Businesses Worldwide]

  • ※ Click on the attack name to see a description and scenario for the attack
    • 2024 02
    • T1-24–02–S–N–CIKM
    • T2-24–02–S–N–CL
    • T3-24–02–S–N–CL
    • T4-24-02-S-E-M
    • T5-24-02-S-E-DL
    • T6-24-02-S-E-DEGN
    • T7-24-02-M-NE-CDEGLN
    • T8-24-02-M-NE-CDL
    • T9-24-02-M-NE-CLH
  • Copyright(C) 2024, KAIST Cyber Security Reserch Center. All Rights Reserved.