Research by: Daniel Frank
In the past months, the Cybereason Nocturnus team has been tracking the activity of the Clop ransomware, a variant of CryptoMix ransomware. The name “clop” comes from Russian or Bulgarian, and means “bug”.
Evolving Threat: TA505 has evolved its attack tactics, delivering Clop ransomware as the final payload on as many systems as possible in order to pressure the victim into paying the ransom. Data belonging to Clop victims who do not pay is published on the Clop leaks site.
Multi-Staged Attack: Before deploying Clop, two prior payloads are deployed to allow the attackers to move laterally within the compromised network before downloading and deploying the Clop ransomware.
High Severity: The Cybereason Nocturnus Team assesses the threat level as HIGH given the destructive potential of the attacks.
Detected and Prevented: The Cybereason Defense Platform fully detects and prevents the Clop ransomware.
In 2019, the TA505 group changed its main strategy to encrypting assets in a corporate network and demanding a Bitcoin ransom for the decryption key.
A more recent Clop attack was against AG, a large German software company. Its internal network was breached, and the attackers demanded a ransom of more than $20 million. In another case, the group attacked a South Korean retailer, this time demanding a $40 million ransom and threatening to leak 2 million cards if the negotiation failed.
Moreover, the group maintains a site where it leaks the data of victims who did not pay the ransom:
A Screenshot from the Clop leaks website
The infection chain, depicted below, is as follows. When a malspam campaign is launched, emails are sent to victims from compromised accounts, which increases their credibility. The emails contain an HTML attachment that redirects to a compromised website.
The compromised website then delivers a document containing a malicious macro that drops the Get2 loader. Get2 downloads and executes SDBbot, FlawedGrace or FlawedAmmyy. In this scenario, SDBbot moves laterally within the compromised network, exfiltrates data, and finally downloads and deploys the Clop ransomware on as many systems as possible:
The Clop attack tree
The Clop ransomware is initially packed and compressed. It unpacks a shellcode that resolves several APIs, such as GetProcAddress and VirtualAlloc:
The shellcode responsible for loading the compressed PE
The shellcode then allocates memory and writes an aPLib-compressed PE into it, recognizable by its first bytes, M8Z:
The compressed PE as seen in memory
Once the unpacked and decompressed payload is revealed, the indicative mutexes used by Clop variants become visible. After creating the mutex (BestChangeT0p^_-666 in this case), Clop searches for various security products installed on the victim's machine and uninstalls or disables them where necessary, to avoid being detected or terminated:
Disabling Malwarebytes’ Anti-Ransomware notifications
In the example above, Clop searches for Malwarebytes Anti-Ransomware protection and disables its notifications so the user will not be alerted. Below, if an ESET product is detected, it is uninstalled from the command line:
Uninstalling an ESET Security product
Other, newer variants disable Windows Defender by silently modifying registry keys from the command line, and also uninstall the Microsoft Security Essentials client. Cybereason detects the malicious sample's execution together with all of the listed commands:
Disabling Windows Defender as seen in the Cybereason attack tree
One of the Clop variants encrypts files by generating an RSA public key, taking its first 127 bytes as the RC4 key, adding the Clop^_- header, and RC4-encrypting it again. Once the files are encrypted, the Clop extension is appended to each encrypted file:
A file encrypted by Clop together with the ransom note
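As an added example (not code from the original post or from Cybereason), the Python triage script below looks for the two byte signatures the post describes: the M8Z bytes at the start of the aPLib-compressed PE that the shellcode writes into memory, and the Clop^_- header together with the Clop extension on encrypted files. The memory region and file contents are constructed for the example. The leading dot in `.Clop`, the decision to report M8Z hits at any offset, and the cleartext header check are this example's own assumptions; since the post says the header is RC4-encrypted again, the extension is the dependable file-level indicator and the header check is best-effort.

```python
"""Byte-signature triage for two Clop artefacts described in the post:
the "M8Z" marker of the aPLib-compressed PE written into memory, and the
"Clop^_-" header / Clop extension on encrypted files. Sample inputs are
constructed for this example."""
from dataclasses import dataclass
from typing import Dict, List

# Signatures as named in the post.
APLIB_PE_MARKER = b"M8Z"      # first bytes of the aPLib-compressed PE in memory
CLOP_HEADER = b"Clop^_-"      # header added during RC4 encryption of files
CLOP_EXTENSION = ".Clop"      # extension appended to encrypted files (dot assumed)


@dataclass
class Hit:
    signature: str
    offset: int


def find_all(buf: bytes, needle: bytes) -> List[int]:
    """Return every offset at which needle occurs in buf (overlaps allowed)."""
    hits, start = [], 0
    while True:
        idx = buf.find(needle, start)
        if idx == -1:
            return hits
        hits.append(idx)
        start = idx + 1


def scan_memory_region(region: bytes) -> List[Hit]:
    """Flag candidate aPLib-compressed PE images inside a dumped memory region.
    The post describes the marker at the start of the freshly written buffer;
    reporting every offset lets a whole process dump be swept in one pass."""
    return [Hit("aplib_compressed_pe", off) for off in find_all(region, APLIB_PE_MARKER)]


def classify_file(name: str, content: bytes) -> Dict[str, bool]:
    """Triage one file by name and content for the Clop file indicators.
    'clop_header' assumes the header survives in cleartext at offset 0, which
    the post does not guarantee (it is RC4-encrypted again); treat it as a
    supporting signal and the extension as the primary one."""
    return {
        "clop_extension": name.endswith(CLOP_EXTENSION),
        "clop_header": content.startswith(CLOP_HEADER),
        "clop_header_anywhere": CLOP_HEADER in content,
    }


def triage(region: bytes, files: Dict[str, bytes]) -> Dict[str, object]:
    """Combine both checks into one report for a constructed host snapshot."""
    return {
        "memory_hits": [h.offset for h in scan_memory_region(region)],
        "encrypted_files": [n for n, c in files.items() if classify_file(n, c)["clop_extension"]],
    }


if __name__ == "__main__":
    # Constructed inputs: a fake memory region and a fake directory listing.
    region = b"\x00" * 16 + b"M8Z" + b"\x01\x02" + b"M8Z"
    files = {"report.docx.Clop": b"Clop^_-\x00\x01", "report.docx": b"hello"}
    print(triage(region, files))
```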
In addition, a ransom note is placed in the folder:
Clop’s ransom note content
Cybereason Detection and Prevention
The sample analyzed below, a newer Clop variant, disables Windows Defender at the beginning of its execution. Cybereason detects the malicious commands executed to silently modify the related registry keys:
Windows Defender registry keys modification as seen in Cybereason
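The post twice describes the behaviour Cybereason flags here: newer Clop variants silently modifying Windows Defender registry keys from the command line. As an added example, not the post's or Cybereason's code, the Python detection logic below parses `reg add` command lines out of process-creation telemetry and raises an alert when the target key is a Windows Defender policy location. The log lines are constructed, the log format is this example's own, and the post does not name the exact value names Clop writes, so the list of Defender policy values is an assumption drawn from documented Defender policy settings; "silent" is interpreted here as the `/f` switch, which suppresses the overwrite prompt.

```python
"""Detection of command-line registry tampering aimed at Windows Defender.
Log lines below are constructed; the format '<time> pid=<n> image=<path>
cmdline=<command line>' is this example's own."""
import re
from typing import Dict, List, Optional

# Documented Defender policy key locations (assumption: the ones a sample
# would most plausibly write; the post names none explicitly).
DEFENDER_KEY_FRAGMENTS = (
    r"software\policies\microsoft\windows defender",
    r"software\microsoft\windows defender",
)
# Documented Defender policy values that turn protection components off.
DEFENDER_DISABLE_VALUES = {
    "disableantispyware",
    "disablerealtimemonitoring",
    "disablebehaviormonitoring",
    "disableioavprotection",
    "disableonaccessprotection",
}
REG_IMAGE = re.compile(r"(^|\\)reg(\.exe)?$", re.IGNORECASE)


def tokenize(cmdline: str) -> List[str]:
    """Split a Windows command line on whitespace, keeping quoted paths whole."""
    return [t.strip('"') for t in re.findall(r'"[^"]*"|\S+', cmdline)]


def parse_reg_add(cmdline: str) -> Optional[Dict[str, object]]:
    """Extract key, value name, data and the /f (force, no prompt) switch
    from a 'reg add' command line; return None for anything else."""
    argv = tokenize(cmdline)
    if len(argv) < 3 or not REG_IMAGE.search(argv[0]) or argv[1].lower() != "add":
        return None
    parsed: Dict[str, object] = {"key": argv[2], "value": "", "data": "", "force": False}
    i = 3
    while i < len(argv):
        tok = argv[i].lower()
        if tok == "/v" and i + 1 < len(argv):
            parsed["value"] = argv[i + 1]
            i += 2
        elif tok == "/d" and i + 1 < len(argv):
            parsed["data"] = argv[i + 1]
            i += 2
        else:
            if tok == "/f":
                parsed["force"] = True
            i += 1
    return parsed


def detect_defender_tamper(cmdline: str) -> Optional[Dict[str, object]]:
    """Alert when 'reg add' targets a Windows Defender policy key. Writing
    a known disable value with data 1 is rated higher than any other edit."""
    parsed = parse_reg_add(cmdline)
    if parsed is None:
        return None
    key = str(parsed["key"]).lower()
    if not any(frag in key for frag in DEFENDER_KEY_FRAGMENTS):
        return None
    value = str(parsed["value"])
    disabled = value.lower() in DEFENDER_DISABLE_VALUES and parsed["data"] == "1"
    return {
        "rule": "defender_protection_disabled" if disabled else "defender_policy_modified",
        "value": value,
        "silent": parsed["force"],
    }


def scan_log(lines: List[str]) -> List[Dict[str, object]]:
    """Run the detector over constructed process-creation log lines."""
    alerts = []
    for line in lines:
        m = re.search(r"cmdline=(.*)$", line)
        if not m:
            continue
        alert = detect_defender_tamper(m.group(1))
        if alert:
            alerts.append({**alert, "line": line})
    return alerts


# Constructed sample telemetry: two Defender tampering commands, two benign lines.
SAMPLE_LOG = [
    r'2020-12-01T10:00:01 pid=4312 image=C:\Windows\System32\reg.exe cmdline=reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender" /v DisableAntiSpyware /t REG_DWORD /d 1 /f',
    r'2020-12-01T10:00:02 pid=4318 image=C:\Windows\System32\reg.exe cmdline=reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection" /v DisableRealtimeMonitoring /t REG_DWORD /d 1 /f',
    r'2020-12-01T10:00:03 pid=4320 image=C:\Windows\System32\reg.exe cmdline=reg add HKCU\Software\Example /v Setting /t REG_SZ /d hello /f',
    r'2020-12-01T10:00:04 pid=4330 image=C:\Windows\System32\notepad.exe cmdline=notepad.exe C:\Users\u\note.txt',
]

if __name__ == "__main__":
    for a in scan_log(SAMPLE_LOG):
        print(a["rule"], a["value"], "silent" if a["silent"] else "")
```

The detector keys on the target registry path rather than on the process name alone, so the same `reg add` written via `cmd /c` or with a full path to `reg.exe` still triggers; a benign `reg add` to an unrelated key produces nothing.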
When Cybereason anti-ransomware prevention is turned on, the execution of the sample is successfully prevented:
Prevention of Clop’s execution in Cybereason
Indicators of Compromise
MITRE ATT&CK BREAKDOWN
*** This is a Security Bloggers Network syndicated blog from Blog authored by Daniel Frank. Read the original post at: http://www.cybereason.com/blog/cybereason-vs.-clop-ransomware