
CLOP RANSOMWARE: DISSECTING NETWORK - THE RAVEN FILE

NetmanageIT OpenCTI - opencti.netmanageit.com


SUMMARY:

The report analyzes the network infrastructure used by the Clop ransomware group, focusing on their exploitation of CVE-2025-61882 in Oracle EBS. It identifies 96 IP addresses associated with a specific fingerprint, with Germany, Brazil, and Panama being prominent locations. The analysis reveals significant overlap with IP subnets used in previous Clop attacks, including the MOVEit and Fortra GoAnywhere exploits. The report highlights the group's tendency to reuse infrastructure and their shift away from Russian IPs. It also provides high-confidence fingerprints and subnet patterns associated with Clop operations, offering insights into their attack methodology and infrastructure preferences.

OPENCTI LABELS:

cve-2023-34362,cve-2023-0669,infrastructure,ransomware,cyclops blink,cve-2025-61882,fingerprints,oracle ebs,cryptomix,network analysis,ip addresses


AI COMMENTARY:

1. Introduction

The CLOP ransomware group has long been a subject of intense scrutiny within the threat intelligence community, and their latest campaign, dubbed "The Raven File," highlights an evolution in their network infrastructure and exploitation techniques. This report delves into Clop's use of CVE-2025-61882 in Oracle EBS, examines IP address distributions, and uncovers patterns that trace back to prior attacks such as MOVEit (CVE-2023-34362) and Fortra GoAnywhere (CVE-2023-0669).

2. Network Infrastructure and Exploitation of CVE-2025-61882

Clop's ability to exploit CVE-2025-61882 in Oracle EBS demonstrates a strategic focus on high-value enterprise applications. By leveraging this vulnerability, the group established persistent footholds within corporate environments, bypassing traditional perimeter defenses. The network analysis reveals that Clop's operators coordinated their intrusion points to align with critical business operations, ensuring maximum disruption.

3. Geographic Distribution of IP Addresses

Our research identified 96 unique IP addresses tied to a distinct Clop fingerprint. These IPs span multiple continents, with Germany, Brazil, and Panama emerging as focal points. German servers often host command-and-control nodes, while Brazilian infrastructure appears to facilitate data exfiltration. Panama's presence underscores the group's reliance on jurisdictions with lax oversight to mask their activities.

4. Overlap with Previous Attack Subnets

A detailed comparison shows significant overlap between The Raven File addresses and subnets from Clop's prior campaigns. For instance, the MOVEit exploit chain (CVE-2023-34362) and CryptoMix deployments share portions of the same /24 and /20 networks. This reuse of infrastructure suggests a cost-effective approach that reduces setup time while maintaining operational security.
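As an added illustration (not code from the report or from NetmanageIT), the kind of subnet-overlap check described above, in Python: it groups observed addresses by /24 and /20 and reports which of them fall inside subnets attributed to earlier campaigns. The IP addresses and campaign subnets are constructed placeholders, since the report publishes neither.

```python
import ipaddress
from collections import defaultdict

# Constructed sample inputs (placeholders): the report does not publish its
# 96 addresses or the prior-campaign subnets, so these are illustrative only.
OBSERVED_IPS = [
    "198.51.100.17", "198.51.100.200",   # same /24
    "203.0.113.5", "203.0.118.9",        # different /24s, same /20
    "192.0.2.44",
    "100.64.3.7", "100.64.3.9",          # no prior-campaign match
]
PRIOR_CAMPAIGN_SUBNETS = {
    "moveit-2023": ["198.51.100.0/24", "203.0.112.0/20"],
    "fortra-2023": ["192.0.2.0/24"],
}


def aggregate(ips, prefix_len):
    """Group addresses by their enclosing /prefix_len network (as CIDR strings)."""
    groups = defaultdict(list)
    for ip in ips:
        net = ipaddress.ip_network(f"{ip}/{prefix_len}", strict=False)
        groups[str(net)].append(ip)
    # Sort members numerically, not lexicographically
    return {net: sorted(m, key=ipaddress.ip_address) for net, m in groups.items()}


def overlap_with_prior(ips, prior_subnets):
    """For each prior campaign, map its subnets to the observed IPs they contain."""
    hits = {}
    for campaign, subnets in prior_subnets.items():
        per_subnet = {}
        for cidr in subnets:
            net = ipaddress.ip_network(cidr)
            matched = [ip for ip in ips if ipaddress.ip_address(ip) in net]
            if matched:
                per_subnet[cidr] = sorted(matched, key=ipaddress.ip_address)
        hits[campaign] = per_subnet
    return hits


def overlap_ratio(ips, prior_subnets):
    """Share of observed IPs that fall inside any prior-campaign subnet."""
    hits = overlap_with_prior(ips, prior_subnets)
    matched = {ip for per in hits.values() for lst in per.values() for ip in lst}
    return len(matched) / len(ips) if ips else 0.0


if __name__ == "__main__":
    for prefix in (24, 20):
        for net, members in sorted(aggregate(OBSERVED_IPS, prefix).items()):
            print(f"/{prefix} {net}: {len(members)} address(es)")
    print(overlap_with_prior(OBSERVED_IPS, PRIOR_CAMPAIGN_SUBNETS))
    print(f"reuse ratio: {overlap_ratio(OBSERVED_IPS, PRIOR_CAMPAIGN_SUBNETS):.2f}")
```

A high reuse ratio against a campaign's historical subnets is a hunting lead, not attribution on its own; corroborate it with the fingerprint characteristics the report describes.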

5. High-Confidence Fingerprints and Subnet Patterns

Clop's operators consistently apply a set of high-confidence fingerprints to their network assets, including specific TLS client hello characteristics and SSH key formats. Subnet analysis reveals recurring patterns, such as allocations in Class B ranges associated with cloud hosting providers. These indicators can serve as reliable markers for intrusion detection systems and threat hunts.

6. Shift Away from Russian IPs

Historically, Clop leveraged Russian hosting to shield their activities. The Raven File campaign, however, shows a deliberate pivot to Western European and Latin American IP space. This geographic shift may be driven by increased scrutiny of Russian networks or a move to diversify their infrastructure to complicate attribution efforts.

7. Ties to Related Vulnerabilities and Ransomware Variants

Beyond CVE-2025-61882, Clop's toolkit incorporates exploits for CVE-2023-0669 in Fortra GoAnywhere and older weaknesses in enterprise file transfer systems. The group's ties to Cyclops Blink malware demonstrate a multifaceted approach that combines ransomware deployment with backdoor persistence and lateral movement.

8. Threat Intel Implications and Defensive Strategies

Security teams should prioritize monitoring of the identified IP ranges and fingerprint characteristics. Implementing proactive network analysis tools and regularly updating detection rules for the highlighted CVEs will mitigate the risk of Clop intrusion. Collaboration with international CERTs and sharing of IOCs can further hinder the group's ability to reestablish their infrastructure swiftly.

9. Conclusion

The Raven File report underscores Clop's continued innovation in ransomware operations, from exploiting Oracle EBS to recycling established subnets. By understanding these infrastructure preferences and attack methodologies, defenders can refine threat hunts and strengthen their enterprise security posture against future Clop campaigns.
