XenonStack Recommends

Security Intelligence

Clop Ransomware- A Dangerous File Encrypting Virus

Parveen Bhandari | 13 Aug 2022

Clop Ransomeware

What is Clop Ransomware?

Jakub Krustek discovered the "Clop" ransomware malware. This malware is programmed to encrypt data and rename files with the ".Clop" extension. For example, "sample.jpg" becomes "sample.jpg.Clop." After successful encryption, Clop creates a text file ("ClopReadMe.txt") and saves a copy in each folder. A ransom demand message is contained in the text file.

It uses the AES cipher to encrypt images, movies, audio, databases, and papers and then attaches the.CLOP or.CIOP file extension, preventing victims from accessing personal information. "sample.jpg" gets renamed to "sample.jpg.Clop," for example.
It can infect the majority of operating system versions, including Windows XP, Windows 7, Windows 8, Windows 8.1, and Windows 10.

How does Clop Ransomware work?

While Clop attacks vary widely, one trend stands out as particularly instructive in terms of affiliate tactics. It takes advantage of poorly configured Active Directory (AD) systems to compromise AD accounts with domain access. This gives attackers access to the kingdom's keys, allowing them to.

On the hacked endpoint and any other systems connected to it via AD, run remote commands such as WMI and PowerShell scripts.
Create new accounts or change system processes to maintain persistence on a compromised system. On start-up or log-on, threat actors could also execute instructions or initialize scripts on any networked asset connected via AD.

Clop attackers may quickly travel across infiltrated enterprises with these tools in their arsenal, deploying ransomware and locating victims.

It primarily targets organizations/institutions worldwide rather than individuals, which could indicate that malware attackers are concentrating their efforts on corporations due to their cash potential.

Clop ransomware attackers have recently stolen and encrypted confidential data from multiple firms, including backups, financial records, thousands of emails, and coupons.

How does Clop Ransomware affect systems?

  • CLOP ransomware spreads using various methods, including spam email attachments, trojans, URLs, cracks, unprotected Remote Desktop Protocol (RDP) connections, rogue websites, and so on.
  • It will try to disable antivirus applications such as Windows Defender and Malwarebytes and shut all files for encryption before stopping most Windows services.
  • Windows Defender disables behavior monitoring, tamper prevention, real-time protection, anti-spyware detection, and cloud detection by configuring various registry values.
  • When Tamper protection is activated, the Windows Defender is reset. It affects older PCs by uninstalling Microsoft Security Essentials and Windows Defender. Clop has administrator capabilities. Thus uninstalling any software is simple.
  • The malware generates a CIopReadMe.txt ransom message. The emails unlock@eqaltech.su, unlock@royalmail.su, and kensgilbomet@protonmail.com are included in the ransom note and can be used to contact the attackers for payment instructions.
Cyber Security Services
End-to-End Proactive Solutions for empowering Advanced Threat Protection and Intelligence with Real-Time Analytics, Cyber Security Services

Best Practices for preventing Clop Ransomware

  • Do not download or install programs from unfamiliar websites or links in unethical messages. Only use applications that have been downloaded from a reputable app store.
  • Never open attachments in unsolicited emails, especially if they are from persons on your contact list, and never click on a URL provided in an unsolicited email, even if it appears to be harmless. Close the email and go directly to the organization's website using your browser if the URL is authentic.
  • Install adblockers to protect yourself against exploit kits like Fallout, which are spread through malicious advertising.
  • External FTP connections are prohibited, and downloads of known offensive security programs are blacklisted. All operating systems and apps should be updated regularly.
  • Limit the use of Powershell/WSCRIPT. Ensure that the newest version of PowerShell is installed and that improved logging is enabled. Logging and transcribing of script blocks are enabled. Send the logs to a centralized log repository for analysis and monitoring.

Can Clop Ransomware be removed?

  • It may be possible to remove file encryption ransomware depending on the ransomware you're dealing with. Consider taking the following steps to do so.
  • To stop the ransomware from spreading, disconnect all internet connections.
  • Scan for dangerous files with your internet security program and then delete them. If you've been infected with screen-locking ransomware, this step may be more difficult.
  • You should then be able to decrypt your data with a decryption program. You can then restore your data if you have an external backup.

Summarizing Clop Ransomware

Clop ransomware is a well-known ransomware family that has infected businesses worldwide. SDBot, which TA505 uses, should be aware of how it can lead to the distribution of Clop ransomware. Like many other contemporary ransomware families, Clop maintains a leak site to increase pressure on victims and embarrass them into paying the ransom.

This Threat Assessment's indicators are accessible on GitHub, published to the Unit 42 TAXII feed, and may be seen using the ATOM Viewer.

Customers that use AutoFocus can evaluate additional activity by utilizing the Clop tag in addition to the options listed above.

What's Next: