CLOP RANSOMWARE: DISSECTING NETWORK - THE RAVEN FILE
Essential information
- Published
- 05/11/2025 09:38
- Modified
- 05/11/2025 10:58
- Tags
- 2025-11-05, CVE-2023-0669, CVE-2023-34362, CVE-2025-61882, cryptomix, cyclops blink, fingerprints, infrastructure, ip addresses, network analysis, oracle ebs, ransomware
- Related entities
- 200 observables, 1 intrusion sets (apt), 17 techniques (mitre), 2 malware, 10 others
Description
The report analyzes the network infrastructure used by the Clop ransomware group, focusing on its exploitation of CVE-2025-61882 in Oracle E-Business Suite (EBS). It identifies 96 IP addresses matching a specific fingerprint, with Germany, Brazil, and Panama as the most common geolocations. The analysis shows significant overlap with IP subnets used in earlier Clop campaigns, including the MOVEit Transfer (CVE-2023-34362) and Fortra GoAnywhere MFT (CVE-2023-0669) exploitation waves. The report highlights the group's tendency to reuse infrastructure and its shift away from Russian IP space. It also provides high-confidence fingerprints and subnet patterns associated with Clop operations, giving defenders insight into the group's attack methodology and infrastructure preferences.
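The subnet-overlap check described above (comparing a new campaign's IP observables against subnets seen in earlier Clop campaigns, and summarizing the /24 patterns and country distribution) can be reproduced with the standard library alone. The following is an added illustration, not code from the report or its authors: the historical subnets, the observables and their country tags are constructed sample data drawn from RFC 5737 documentation ranges, and the campaign labels, the `HISTORICAL_SUBNETS` and `NEW_OBSERVABLES` names and the `overlap_report` function are this example's own. Substitute the report's real observables and subnets when using it.

```python
"""Overlap of new-campaign IP observables with subnets from earlier campaigns.

Added example; not code from the report. All addresses are constructed
samples from RFC 5737 documentation ranges, not real Clop infrastructure.
"""
import ipaddress
from collections import Counter, defaultdict

# Constructed: subnets attributed to earlier campaigns (labels are hypothetical).
HISTORICAL_SUBNETS = {
    "moveit_2023": ["192.0.2.0/24", "198.51.100.0/25"],
    "goanywhere_2023": ["198.51.100.128/25", "203.0.113.0/26"],
}

# Constructed: observables from the new campaign with a geolocation tag.
NEW_OBSERVABLES = [
    {"ip": "192.0.2.17", "country": "DE"},
    {"ip": "192.0.2.99", "country": "DE"},
    {"ip": "198.51.100.200", "country": "BR"},
    {"ip": "203.0.113.5", "country": "PA"},
    {"ip": "203.0.113.200", "country": "US"},  # outside every known subnet
]


def overlap_report(observables, historical, aggregate_prefix=24):
    """Match each observable against historical subnets and summarize.

    Returns a dict with:
      by_campaign      - campaign -> sorted list of matching IPs (an IP that
                         falls in subnets of several campaigns is listed under each)
      unmatched        - IPs not covered by any historical subnet
      overlap_fraction - share of observables covered by at least one subnet
      top_subnets      - Counter of observables per /aggregate_prefix block,
                         to surface subnet patterns in the new campaign
      countries        - Counter of observables per country tag
    """
    nets = [
        (ipaddress.ip_network(cidr), campaign)
        for campaign, cidrs in historical.items()
        for cidr in cidrs
    ]
    by_campaign = defaultdict(list)
    unmatched = []
    top_subnets = Counter()
    countries = Counter()

    for obs in observables:
        addr = ipaddress.ip_address(obs["ip"])
        countries[obs["country"]] += 1
        # Aggregate to the enclosing /24 (strict=False clears host bits).
        block = ipaddress.ip_network(f"{addr}/{aggregate_prefix}", strict=False)
        top_subnets[str(block)] += 1

        campaigns = [campaign for net, campaign in nets if addr in net]
        if campaigns:
            for campaign in campaigns:
                by_campaign[campaign].append(str(addr))
        else:
            unmatched.append(str(addr))

    for campaign in by_campaign:
        by_campaign[campaign].sort(key=ipaddress.ip_address)
    unmatched.sort(key=ipaddress.ip_address)

    matched = len(observables) - len(unmatched)
    return {
        "by_campaign": dict(by_campaign),
        "unmatched": unmatched,
        "overlap_fraction": matched / len(observables) if observables else 0.0,
        "top_subnets": top_subnets,
        "countries": countries,
    }


if __name__ == "__main__":
    report = overlap_report(NEW_OBSERVABLES, HISTORICAL_SUBNETS)
    print(f"overlap: {report['overlap_fraction']:.0%} of observables")
    for campaign, ips in report["by_campaign"].items():
        print(f"  {campaign}: {', '.join(ips)}")
    print("unmatched:", ", ".join(report["unmatched"]) or "none")
    print("top /24s:", report["top_subnets"].most_common(3))
    print("countries:", report["countries"].most_common())
```

The report's own figure of 96 addresses across Germany, Brazil and Panama is what the `countries` counter would reproduce given the real observables; the `overlap_fraction` and `by_campaign` mapping are the quantitative form of the "significant overlap" claim, and are what you would cite when deciding whether to block a historical subnet proactively rather than only the individual IPs seen so far.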