A new variant of the CryptoMix Clop ransomware family claims to target entire networks instead of individual users’ machines.
Security researcher MalwareHunterTeam discovered the variant near the end of February 2019. In their analysis of the threat, they noticed that the ransomware came equipped with more email addresses than previous versions of CryptoMix Clop. They also noted that those responsible for the crypto-malware applied slight variations to their creation’s extension.
Signed & low detected (as usual), yesterday evening build of CryptoMix Clop ransomware sample: https://t.co/20KMkc3S9X
Again some changes in the note, and now it has 3 email addresses…
Also, new mutex and “messages” too.
cc @VK_Intel pic.twitter.com/1wv5zJTRNB
— MalwareHunterTeam (@malwrhunterteam) February 26, 2019
In its analysis of the new variant, Bleeping Computer observed that executables code-signed with a digital certificate were responsible for distributing the ransomware. This tactic gives the threat a sense of legitimacy, including in the eyes of some digital security software solutions.
Once executed, the variant begins by terminating various Windows services and processes. Doing so lets CryptoMix Clop disable anti-virus software running on the computer. It also closes open files, releasing the handles and locks that would otherwise block the ransomware from encrypting them.
Lawrence Abrams, creator and owner of Bleeping Computer, discovered another interesting facet of the CryptoMix Clop variant at this stage in the infection process. As he explains in a blog post:
Another item noticed by BleepingComputer in this variant is that it will create a batch file named clearnetworkdns_11-22-33.bat that will be executed soon after the ransomware is launched. This batch file will disable Windows’s automatic startup repair, remove shadow volume copies, and then resize them in order to clear orphaned shadow volume copies.
The ransomware then encrypts the victim’s files and appends the .Clop (Read more...)
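One way a defender could turn the batch-file behaviour described above (shadow copy deletion and resizing, startup repair disabled) into a correlation rule over process-creation telemetry, as an added example that is not part of the original article or of Bleeping Computer's analysis. It assumes records in a simple "timestamp|host|parent|command line" form, constructed sample records, and the usual command forms for these actions, since the article does not quote the batch file's contents:

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Recovery-inhibiting command patterns the article describes; the exact command forms are assumed.
INDICATORS = {
    "clop_batch_name": re.compile(r"clearnetworkdns_\d{2}-\d{2}-\d{2}\.bat", re.I),
    "shadow_delete": re.compile(r"\bvssadmin\b.*\bdelete\b.*\bshadows\b", re.I),
    "shadow_resize": re.compile(r"\bvssadmin\b.*\bresize\b.*\bshadowstorage\b", re.I),
    "startup_repair_off": re.compile(r"\bbcdedit\b.*\brecoveryenabled\s+no\b", re.I),
}
WINDOW = timedelta(seconds=60)  # correlation window per host

# Constructed process-creation records (not real telemetry): "timestamp|host|parent|command line"
SAMPLE_LOG = [
    "2019-02-26T20:01:07|ws01|invoice.exe|cmd.exe /c C:\\Temp\\clearnetworkdns_11-22-33.bat",
    "2019-02-26T20:01:08|ws01|cmd.exe|vssadmin Delete Shadows /All /Quiet",
    "2019-02-26T20:01:08|ws01|cmd.exe|bcdedit /set {default} recoveryenabled No",
    "2019-02-26T20:01:09|ws01|cmd.exe|vssadmin resize shadowstorage /for=C: /on=C: /maxsize=401MB",
    "2019-02-26T20:05:00|ws02|explorer.exe|cmd.exe /c vssadmin list shadows",  # benign admin query
    "2019-02-26T21:00:00|ws03|mmc.exe|vssadmin Delete Shadows /All /Quiet",  # lone indicator
    "2019-02-26T21:30:00|ws03|cmd.exe|bcdedit /set {default} recoveryenabled No",  # outside window
]

def parse_event(line):
    """Split one record into its fields; the timestamp becomes a datetime."""
    ts, host, parent, cmd = line.split("|", 3)
    return {"ts": datetime.fromisoformat(ts), "host": host, "parent": parent, "cmd": cmd}

def detect(lines):
    """Return {host: sorted indicator names} where the Clop batch name appears or >=2 indicators fire within WINDOW."""
    by_host = defaultdict(list)
    for ev in map(parse_event, lines):
        hits = {name for name, rx in INDICATORS.items() if rx.search(ev["cmd"])}
        if hits:
            by_host[ev["host"]].append((ev["ts"], hits))
    alerts = {}
    for host, evs in by_host.items():
        evs.sort(key=lambda e: e[0])
        for i, (t0, _) in enumerate(evs):
            seen = set()
            for t, hits in evs[i:]:  # accumulate indicators inside the sliding window
                if t - t0 > WINDOW:
                    break
                seen |= hits
            if "clop_batch_name" in seen or len(seen - {"clop_batch_name"}) >= 2:
                alerts[host] = sorted(seen)
                break  # one alert per host is enough here
    return alerts
```

Running `detect(SAMPLE_LOG)` flags only ws01; the single deletion on ws03 and the later bcdedit call fall outside the window, and the benign `vssadmin list` on ws02 matches nothing.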
*** This is a Security Bloggers Network syndicated blog from The State of Security authored by David Bisson. Read the original post at: https://www.tripwire.com/state-of-security/security-data-protection/cyber-security/new-cryptomix-clop-ransomware-variant-claims-to-target-networks/