Detecting Clop Ransomware

Splunk is committed to using inclusive and unbiased language. This blog post might contain terminology that we no longer use. For more information on our updated terminology and our stance on biased language, please visit our blog post. We appreciate your understanding as we work towards making our community more inclusive for everyone.

Their strategy is to send the malicious payloads via different methods, such as phishing emails, and spreading ransomware payload post-exploitation by exploiting exposed or related vulnerable systems. Actors behind this crimeware then present instructions on how to pay ransom and communicate further threats of exposure by publishing the sensitive information they obtained on a publicly accessible website.

Although this may appear as a new modality, in reality ransomware is usually the cherry on top of the cake, as malicious actors usually dwell, exfiltrate and qualify exfiltrated data, which eventually lands on dark web public forums, dark markets or private crime intelligence brokers where qualified financial, business and kompromat information is then priced and sold to the highest bidder.

^{*Source: Vericlouds}

The above is a simple example of how compromised information is brokered in dark markets. Some private crime intelligence brokers actually present specific company names and verticals. All this information comes from malicious campaigns; victims realize they have been compromised when they observe ransomware in their systems.

In the case of Clop ransomware, the perpetrators threaten to publish stolen information in a publicly accessible site via an onion router (Tor), as seen in the screen capture below.

The Attack

The actors behind Clop ransomware are financially motivated and clearly target several industry verticals. Ransomware is by nature a post-exploitation tool, so before deploying it they must infiltrate the victim's infrastructure. At the Splunk Threat Research team we decided to try this payload on our Splunk Attack Range Local, and this is what we found.

We first started by creating a local environment with a Windows Domain Controller.

We then simply executed the sample: d0cde86d47219e9c56b717f55dcdb01b0566344c13aa671613598cab427345b9.

Files were encrypted pretty quickly and added the .Clop extension. We can also observe the appearance of the ransomware note (ClopReadMe.txt).

The above screenshots show how quickly data is encrypted, and the victim is clearly warned not to attempt to decrypt. They are also threatened with all file deletion after a period of two weeks.

Reverse Engineering Breakdown

Sandbox Evasion

The Clop binary performs several checks, including running command arguments like “runrun” to enumerate and encrypt the network.

Defense Evasion

This ransomware has a defense evasion feature where it tries to delete all the logs in the infected machine to avoid detection.

Encryption

This ransomware uses the AES and rc4 algorithm to encrypt the file.

Infection

The binary makes sure only one instance of its code runs on the machine it creates a mutex. If the mutex already exists it will exit the process.

Kill Switch

Some variants of this malware contain a kill switch. The binary checks the keyboard layout of the infected machine and its locale identifier (language). In our sample analysis we found that it tries to skip infection or delete itself if the locale identifier or the keyboard layout is Georgian, Uzbek, Azeri, Kazakhstani or Kyrgyzstani.

Kill Switch Function

Encrypting Network Objects

The following thread is responsible for encrypting files within the network shares by using the following API of mpr.dll as seen below:

• WNetOpenEnumW
• WNetEnumResourceW
• WNetCloseEnum

Encrypting Drives By Type

The payload can encrypt files on three drive types (FIXED_DRIVE, REMOVABLE_DRIVE and REMOTE_DRIVE). This function allows the execution of encryption on pretty much any attached or mapped drives, including both local and attached, like a USB hard drive, for example, or remote drives usually mapped for backups and centralized data.

Deleting and Resizing Shadow Storage

Many ransomware variants target the Volume Shadow Copy Service, which is a feature of Windows that allows the operator to restore data from backup. The expected behavior is the deletion of the shadow copy storage. In this variant we found that it first deletes the files and then it resizes them in order to prevent the generation of shadow volume copies, which effectively impairs this service’s capabilities.

Encrypted. rsrc Section (Ransomware Notes and Resizing Shadow Storage)

The .rsrc section is the common place where the encrypted ransomware notes and some scripts are located. This figure shows how it enumerates or looks for the right resource data to decrypt the ransomware note and save it as ClopReadMe.txt.

Detections

The Splunk Threat Research Team has developed a new Analytic Story to detect a Clop ransomware threat; it consists of new and former detections, and you can use the following detection searches.

• Suspicious wevtutil usage
• Windows Event Log Cleared
• Common Ransomware Notes
• Deleting Shadow Copies
• Common Ransomware Extensions (New version)
• High Frequency of File Deletion (New)
• Clop Common Exec Parameter (New)
• Clop Deleting itself (New)
• Resizing Shadow Copies (New)
• Clop Known Service Name (New)
• Suspicious Service File Path Creation (New)
• Clop High Frequency Process Termination (New)
• High Frequency creation of ransomware notes (New)

Detection Searches Breakdown

• Common Ransomware Extensions

Variant A

Variant B

• High Frequency of File Deletion

• Resizing Shadow Copies

Raw Search

• Clop Common Exec Parameter

• Clop Deleting itself

• Clop Known Service Name

• Suspicious Service File Path Creation

• Clop High Frequency Process Termination

• High Frequency creation of ransomware notes

Variant B

Variant A

Hashes: SHA256

• 15f9ed36d9efc6e570b4f506791ce2c6a849853e2f6d587f30fb12d39dba2649
• 3d94c4a92382c5c45062d8ea0517be4011be8ba42e9c9a614a99327d0ebdf05b
• d0cde86d47219e9c56b717f55dcdb01b0566344c13aa671613598cab427345b9
• 43e633a9a26287e9be7a4788d750258d64612e7b625ab5a3f0a9128469e99c2d

Defense

We can pursue further defensive actions by using the Splunk Phantom playbook Detect, Contain, and Remediate Ransomware, as shown in the following graphic.

This playbook is composed of the following steps:

• Get file: Downloads the file sample from a repository.
• Detonate file: Submits the file sample for sandbox analysis.
• Block IP: Configures your infrastructure to block access to IP addresses associated with the ransomware.
• Block hash: Configures your infrastructure to block access to files matching the hash of a malicious sample.
• Hunt file: Looks for indications of other infected devices in your environment.
• Terminate process: Terminates any instances of the malware actively executing.
• Quarantine device: Place the infected devices in quarantine to prevent it from infecting other devices.
• List connections: Examine a device’s active connections/add newly discovered malicious IPs to the block ip action.
• Disable user: Disable the user’s account to prevent further malware propagation.

Please download the Splunk ES Content Update app from Splunkbase™ and install the latest version of our content update, which includes the new ransomware analytic story focusing on Clop crimeware.

About the Splunk Threat Research Team

The Splunk Threat Research team is devoted to understanding actor behavior and researching known threats to build detections that the entire Splunk community can benefit from. The Splunk Threat Research team does this by building and open-sourcing tools that analyze threats and actors like the Splunk Attack Range and using these tools to create attack data sets. From these data sets, new detections are built and shared with the Splunk community under Splunk Security Content. These detections are then consumed by various Splunk products like Enterprise Security, Splunk Security Essentials and Mission Control to help customers quickly and effectively find known threats.