When Clop was discovered by Jakub Kroustek in February 2019, all indicators showed that it was a new CryptoMix variant with the .CLOP, or in some circumstances .CIOP, extension tagged onto encrypted files. Since this discovery, the ransomware operators behind Clop have steadily been developing it to move beyond the shadow of being merely a CryptoMix variant. Soon after Clop’s discovery, it could already be argued that the ransomware deserved recognition as a threat in its own right.
Versions of CryptoMix started gaining traction with hackers in 2016, when a variety of campaigns were seen in the wild. Initially, CryptoMix was described as a “barebones ransomware”: rather than presenting the victim with a graphic interface or webpage, the victim is given a text file explaining that their files have been encrypted and a ransom has been demanded. Also, where many ransomware variants provide a payment portal for easier ransom payments, CryptoMix merely provides the payment details in the ransom note. The term “barebones” may be misleading in the sense that readers may feel it is less of a threat, but such an assumption is dangerous: using a webpage or graphic interface to inform the victim of the ransom is a nice flourish but has very little to do with the ransomware’s encryption capabilities. CryptoMix uses both the RSA and AES encryption algorithms.
CryptoMix has done a good job of flying under the radar since its discovery. While it has been active, it never seemed to gather the public’s attention like Dharma or GandCrab. Whether that is by design or a result of the fickle nature of media attention, there are strong arguments for either explanation. Given that CryptoMix has traditionally demanded high payments (at the time of its discovery most hackers were demanding an average of $700 U.S., while CryptoMix demanded as much as $35,000 U.S.), it is a wonder the variant garnered so little attention.
CryptoMix also has traditionally been spread via email campaigns; however, in 2019 a campaign was discovered using brute-force tactics to gain access to public-facing remote desktop protocol (RDP) ports. Once access was achieved, files and devices would be encrypted and another text file, a ransom note, would be delivered. The file contained six email addresses and instructed the victim to reply to all six. What made this campaign unique is that the attackers attempted to pull on the heartstrings of victims by claiming to be part of a children’s charity helping children with cancer. It was discovered that the operators had merely taken the children’s images from legitimate crowdfunding websites (without user permission, of course).
While the campaign discussed above has very little to do with Clop, it is a reminder of the depths cybercriminals will sink to in trying to extort ransom payments from victims. Clop also has some sneaky tactics it can draw on, but at the time of writing those behind the ransomware had not used images of sick children in an attempt to extort cryptocurrency.
The beginnings of any malware are often clouded in mystery. Only after months of researchers analyzing samples and campaigns seen in the wild does a picture of the malware come into sharper view.
Figure: files encrypted by Clop ransomware.
Figure: ransom-demanding message of Clop ransomware.
Kroustek discovered what appeared to be a CryptoMix variant using the .CLOP extension in February. In March, news reports emerged verifying his discovery. One article covered how the attackers were using the variant to attack entire networks rather than individual computers. The variant’s discovery was also verified by MalwareHunterTeam, and analysis revealed more than a few changes from previous CryptoMix variants. For one, the executables had been code-signed with a digital signature. This is a tactic often employed by hackers to make executables appear legitimate and non-malicious in order to avoid detection by antivirus software. In addition, when started the ransomware forcibly stops a number of Windows processes and services, both to shut down antivirus software and to close files it targets for encryption that would otherwise be held open. The processes shut down by the malware include Microsoft Exchange, Microsoft SQL Server, MySQL and BackupExec.
Another addition is a batch file that is executed when the ransomware is launched. The file disables Windows’ automatic startup repair, removes shadow volume copies and then resizes shadow storage to clear orphaned shadow volume copies. This renders some backups made by the operating system practically useless and further pressures the victim into paying the ransom. Once encryption is complete, a ransom note called CIopReadMe.txt is created, claiming that the host in the network has been encrypted. At the time of the campaign, it was not yet known whether this was indeed the case. There was little to no evidence that the ransomware could self-propagate and spread laterally across a network. However, if the attack was conducted via RDP, the attackers could spread laterally by hand.
Clop Steps Out of the Shadow
Clop continued to be viewed solely as a CryptoMix variant for the rest of 2019. Despite the changes made to the variant, it still used CryptoMix’s codebase and similar tactics to infect victims. Its activity was steady but never reached levels that demanded the attention of researchers or the media. However, in November another campaign surfaced that would help differentiate Clop from the family of its birth. Late in the month, news articles reported that the Hospital Center University De Rouen in France and the University of Antwerp in Belgium had suffered a ransomware attack which disrupted services.
It appeared that the ransomware in question was Clop, as the encryption extension was again .CLOP, the ransom note was CIopReadMe.txt and the note was signed “Don’t Worry C|0P.” Further analysis by researchers also revealed that Clop had another useful feature designed to evade detection and enable encryption of targeted files: Clop would attempt to disable Windows Defender and remove Microsoft Security Essentials and other anti-ransomware applications. By this stage, an important semantic change had happened, with researchers referring to Clop as its own malware rather than calling it a CryptoMix variant.
As mentioned above, the new variant of Clop looks to disable Windows Defender. It does this by attempting to configure various Registry values that are responsible for behavior monitoring, real-time protection, sample uploading to Microsoft, Tamper Protection, cloud detections and antispyware detections. Clop disables those security features so the encryption process can proceed without being detected. Windows 10 comes with an added security feature called Tamper Protection, which reverts Windows Defender to its default settings if they are changed, preventing it from being disabled in this way. In earlier versions of Windows, however, Defender will be disabled by the malware.
In addition, Clop uninstalls Microsoft Security Essentials. This added feature derives from CryptoMix’s ability to run with administrator privileges, which allows Clop to remove certain applications with a specific command; the same tactic is used to target particular anti-ransomware products developed by third-party companies. What is odd about this is that Microsoft Security Essentials had already been retired by the time the campaign was in the wild. Given that many systems on corporate networks run old and out-of-date software, however, this feature may still help Clop encrypt files without being impeded, even by older security software.
Clop’s Latest Iteration
Reports of Clop’s most recent campaign began emerging in early January. No longer was Clop seen as merely a CryptoMix variant but as a specific ransomware in its own right. What is interesting about the latest campaign is that Clop now includes an integrated process killer specifically designed to go after processes belonging to Windows 10 apps, text editors, programming IDEs and languages, and Office applications. The latest variant looks to terminate more than 600 processes before the encryption process begins.
The latest variant was discovered late in December. While it is not uncommon for ransomware to end processes to evade detection and to encrypt files that are open and in use, by terminating 663 processes Clop is certainly doing all it possibly can to meet these ends. In the past, this was limited to Windows security and Office processes; however, the new variant looks to terminate specific processes belonging to Android Debug Bridge, Notepad++, Everything, Tomcat, SnagIt, Bash and Visual Studio. Even the new Windows 10 Your Phone app has been targeted. The new variant also uses an entirely new .Clop extension, according to researchers.
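The evasion steps described here and earlier (the batch file that removes shadow copies and disables startup repair, the Windows Defender registry changes, and the process killer that terminates hundreds of processes) each leave traces that endpoint telemetry can catch. As an added example, not code from the article or from any Clop sample, the script below runs a small detector over constructed Sysmon-style events; the Defender value names are assumed from Microsoft’s documented policy locations, and the sample path, thresholds and events are constructed for illustration.

```python
"""Added example: flag Clop-style defence evasion in Sysmon-like event records."""
import re
from typing import Dict, Iterable, List

# Defender policy value names governing the features the article says Clop switches
# off; the names are assumed from Microsoft's documented policy locations.
DEFENDER_VALUES = {"DisableAntiSpyware", "DisableRealtimeMonitoring",
                   "DisableBehaviorMonitoring", "SpynetReporting",
                   "SubmitSamplesConsent", "MpCloudBlockLevel", "TamperProtection"}
# Command lines that delete or resize shadow copies or disable startup repair.
BACKUP_TAMPER = [re.compile(r"\bvssadmin\b.*\b(delete shadows|resize shadowstorage)", re.I),
                 re.compile(r"\bbcdedit\b.*\brecoveryenabled\b\s+no", re.I)]

def detect(events: Iterable[Dict], kill_burst: int = 50, window_s: int = 10) -> List[str]:
    """Return findings for Defender registry tampering (Sysmon ID 13), backup
    destruction (ID 1) and a burst of process terminations (ID 5)."""
    findings, term_times, burst_seen = [], [], False
    for ev in events:
        if ev["id"] == 13 and "Windows Defender" in ev["target"]:
            value = ev["target"].rsplit("\\", 1)[-1]
            if value in DEFENDER_VALUES:
                findings.append(f"defender_tamper {value} <- {ev['details']} by {ev['image']}")
        elif ev["id"] == 1 and any(p.search(ev["cmdline"]) for p in BACKUP_TAMPER):
            findings.append(f"backup_tamper '{ev['cmdline']}' parent={ev['parent']}")
        elif ev["id"] == 5:
            term_times.append(ev["t"])
            while term_times[0] < ev["t"] - window_s:  # drop terminations outside the window
                term_times.pop(0)
            if len(term_times) >= kill_burst and not burst_seen:  # report the burst once
                burst_seen = True
                findings.append(f"process_kill_burst {len(term_times)} terminations in {window_s}s")
    return findings

# Constructed events, not captured from a real incident; the sample path is hypothetical.
SAMPLE = r"C:\Users\Public\sample.exe"
SAMPLE_EVENTS = [
    {"id": 13, "t": 0, "image": SAMPLE, "details": "DWORD (0x00000001)",
     "target": r"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring"},
    {"id": 13, "t": 1, "image": SAMPLE, "details": "DWORD (0x00000004)",
     "target": r"HKLM\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection"},
    {"id": 13, "t": 1, "image": r"C:\Windows\System32\svchost.exe", "details": "DWORD (0x00000002)",
     "target": r"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Scan\ScanScheduleDay"},  # benign
    {"id": 1, "t": 2, "parent": SAMPLE, "cmdline": "vssadmin delete shadows /all /quiet"},
    {"id": 1, "t": 2, "parent": r"C:\Windows\explorer.exe", "cmdline": "notepad.exe notes.txt"},
] + [{"id": 5, "t": 3 + i // 20} for i in range(60)]  # 60 terminations within about 3 s

if __name__ == "__main__":
    for line in detect(SAMPLE_EVENTS):
        print(line)
```

Real deployments would feed the detector from Sysmon or EDR process-create, process-terminate and registry-set events instead of the constructed list, and tune the burst threshold to the host’s normal churn.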
In November it was believed that the APT group TA505 was using Clop as its ransomware of choice, dropping it onto compromised networks as a final payload. This tactic has been adopted by other groups, namely those dropping Ryuk, BitPaymer and DoppelPaymer. It is in line with modern ransomware operations that target large corporations and government organizations, which often have large and complex networks, and it has proved far more successful than targeting individual PCs, as companies often have a lot to lose and feel more obliged to pay the ransom.
Is Clop’s End in Sight?
Given the continued time put into extending Clop’s capabilities and increasing its effectiveness, it is highly unlikely that Clop will disappear from the cybersecurity map. Rather, it would seem that Clop will continue to evolve and look to remain under the radar as much as possible compared with its more famous cousins Ryuk and Sodinokibi, the latter often taking the lion’s share of media attention and going after larger targets. Clop seems focused on universities, hospitals and smaller businesses on the European continent for the moment. However, as with all malware and those behind it, tactics are prone to change rapidly, and attacks often go where the perceived monetary value is highest.