TL;DR

There is a growing complexity of ransomware development and threat actors who are continuously adding different sophisticated techniques to their arsenal. When Michael Gillespie first discovered Clop ransomware on Feb. 8, 2019, the ransomware deleted only the shadow copy files in the affected system and encrypted all files demanding the ransom. With an updated version released in March 2020, the ransomware was capable of disabling services for Microsoft Exchange, SQL Server, MySQL and BackupExec. Clop is an up-and-coming, tier 2 Ransomware as a Service (RaaS) that started the double-extortion technique in March 2020, whereby in addition to encrypting data and demanding a ransom from the victim, the attackers also threaten to upload it online if their terms are not met. The attackers directly email the victim’s partners and customers warning them of the data exposure until the victim’s firm pays up.

** Get research and analysis, insight, plus hints and tips, on how to detect, manage, and respond to Clop ransomware in the main blog.

Head to the contents and click each section for quick navigation.

Santosh Nepal
Santosh Nepal

Security Analytics Engineer

Share This Story

There is a growing complexity of ransomware development and threat actors who are continuously adding different sophisticated techniques to their arsenal. One recent example is Threat actor TA505, which delivered a variant of Cryptomix ransomware and Clop ransomware as the final payload in financially motivated phishing campaigns that targeted high-profile companies.

When Michael Gillespie first discovered Clop ransomware on Feb. 8, 2019, the ransomware deleted only the shadow copy files in the affected system and encrypted all files demanding the ransom. With an updated version released in March 2020, the ransomware was capable of disabling services for Microsoft Exchange, SQL Server, MySQL and BackupExec. By November, the ransomware could evade detection by disabling Antivirus.

Clop is an up-and-coming, tier 2 Ransomware as a Service (RaaS) threat that started a double-extortion technique in March 2020. In addition to encrypting data and demanding a ransom, the attackers also threaten to upload it online if their terms are not met. In addition, Clop deployed new tactics called quadruple extortion to pressure victims to pay an extortion demand. The attackers directly email the victim's partners and customers warning them of data exposure until payment is made. Clop does not use the third phase (DDoS attack on your network) but directly implements the aforementioned fourth phase of quadruple extortion.

Clop ransomware fast facts:

  • Clop, a variant of Cryptomix ransomware, was first discovered in February 2019

  • A macro-enabled document delivers the payload via phishing with a modified Get2 loader to download SDBot, FlawedAmmy, and FlawedGrace

  • Vulnerabilities exploited: CVE-2021-27101 (SQL Injection) and CVE-2021-27104 (OS Command Execution) use /home/seos/courier/about.html, while CVE-2021-27103 (ServerSide Request Forgery) and CVE-2021-27102(OS Command Execution) use /home/httpd/html/about.html

  • RAT SDBbot uses application shimming for persistence and creates a registry value at either HLKM or HKCU locations

Clop attackers demanded more than $20 million in October 2020 from German tech firm Software AG. When Software AG refused to pay, the attackers leaked confidential company information on the dark web website, “__CLOP^__-LEAKS.” On June 16, 2021, Ukrainian law enforcement busted some Clop gang members, and after laying low for about a week, the Clop operation showed new activities by releasing data about two new victims. In November 2021, security researchers detected Clop operators exploiting the SolarWinds Serv-U vulnerability. Recently, in April 2022, Clop added 21 new victims to their data leak site resulting in a massive spike in their activity. On August 15, 2022, a U.K. water supplier had their essential IT services disrupted, an act claimed by the Clop ransomware gang.

Clop is one of the worst computer threats that establishes persistence of entries in the Windows Registry, which enhances the ability to hide in a Windows domain from implemented security procedures.

Detecting Clop using Logpoint

Since mid-December 2020, TA505 has exploited multiple zero-day vulnerabilities in Accellion’s legacy File Transfer Appliance (FTA) to install the DEWMODE, a newly discovered web shell.

In one of the approaches, attackers exploited multiple zero-day vulnerabilities in FTA through a SQL injection vulnerability (CVE-2021-27101). Attackers can use the vulnerability to send a request to the sftp_account_edit.php file and the Apache HTTP server logs can detect the resource marking a precursor of eval web shell being written to oauth.api.

request_method=GET (url ="*sftp_account_edit.php*" or resource = "*sftp_account_edit.php*")

When you use the DEWMODE web shell, you download requests for resources listed on the HTML page. CVE-2021-27101 (SQL Injection) and CVE-2021-27104 (OS Command Execution) use location /home/seos/courier/about.html, while CVE-2021-27103 (ServerSide Request Forgery) and CVE-2021-27102( OS Command Execution) use /home/httpd/html/about.html [T1505.003: Web Shell]. Logpoint can detect the request to the DEWMODE web shell with encrypted and encoded URL parameters.

request_method=GET (url in ["*/html/about.html","*/courier/about.html"] or resource in ["*/html/about.html","*/courier/about.html"])

Another prominent way to gain initial access is through phishing emails, where attackers send out a massive amount of spam emails and hope some recipients will click through, a tactic named Spray and PrayTA505 is best known for one of the largest malicious spam campaigns ever observed, distributing instances of the Dridex banking trojan, Locky ransomware, Jaff ransomware and The Trick banking trojan. TA505 ia a highly active threat actor that changes their emails and techniques frequently. Often, the emails originate from previously compromised accounts and use the compromised account signatures to pass spam filters. The emails seem legitimate and are difficult to detect.

Once the victim opens the phishing email and clicks the link, it redirects victims to the compromised website, followed by another redirection to attacker-controlled domains. Some domains malicious actors use are listed in the CLOP_DOMAINS list.

(domain in CLOP_DOMAINS or query in CLOP_DOMAINS)

Detecting execution of a malicious document

Victims can execute a malicious document in many different ways. In one such scenario, a macro-enabled document, delivered in a phishing email, uses a modified GET2 loader to download other tools such as SDBot, FlawedAmmy, and FlawedGrace, which delivers the actual payload. The ransomware is packed to hide its inner workings and signed with a certificate to appear legitimate. The signing of a malicious binary might trick security solutions into trusting the binary and letting it pass undetected. The Clop ransomware stops a large number of Windows processes and tries to disable or uninstall several security programs before it starts its encryption routine. This will lessen the probability of alert triggers and also can hamper taking backups.

Sometimes, the attachment redirects the victim to a CAPTCHA-protected TA505 XLS document, and the malicious document is downloaded. The reason for using CAPTCHAs is likely to hinder automated analysis by security counterparts. In a different course of events, phishing emails can also directly deliver malicious Microsoft Office products like PowerPoint, Excel and Word.

According to the HSS report, several domains are detected by various parties that are tied to C2 communication [T1105Ingress Tool Transfer] during request and callback. These important IoCs can be edited, and new values can be added to the list.

(url in CLOP_C2_DOMAINS or resource in CLOP_C2_DOMAINS)

Next, TA505’s Get2 loader downloads the malware of choice based on the response from the C2 server, which is a remote access trojan (RAT) SDBbot, which marks the ransomware deployment and enables lateral movement. SDBbot is used to deploy the other components and creates an auto-start execution point using an installer, uses RegCodeLoaderto to load the malware, and finally, the malicious RAT payload. Older versions of malware download included the FlawedAmmy framework.

According to Proofpoint, SDBbot actively exploits the system and makes use of application shimming for persistence. The installer creates a registry value at either of the HLKM or HKCU locations in software\windows. Sysmon-monitored registry events can help detect this event [T1546.011Application Shimming].

norm_id= 'WindowsSysmon' event_id =12 event_type="CreateValue" target_object="*\SOFTWARE\Microsoft\*"

The loader DLL components are written to unusual AppData locations depending on user privilege, creating persistence in the system. A reboot is required for persistence to take effect.

norm_id= WindowsSysmon event_id=11 path In ["*\AppData\*","*\System\*"] file IN ["mswinload.dll","mswinload0.dll"] -source_image IN ["*\OneDriveSetup.exe", "*\software_reporter_tool.exe", "*\csc.exe", "*\Local\Temp\mpam-*.exe"]

Also, persistence is maintained in the system under admin privilege when a shim database (SDB) is created to patch services.exe with the loader code and then installed with sdbinst.exe [T1546.011Application Shimming].

norm_id=WindowsSysmon event_id=1 image ="*\sdbinst.exe" command ="*.sdb*"

Some variants of Clop use batch files dropped by ransomware files to stop a large number of processes [T1059Command and Scripting Interpreter].

norm_id= 'WindowsSysmon' event_id=11 file IN ["*.bat","*.cmd"]

You can observe a large number of attempt events that attempt to stop, disable or delete various services [T1070Indicator Removal on Host].

norm_id = WindowsSysmon event_id=1 command IN ["sc*stop*","sc*config*disabled","sc*delete*","net*stop*"] file IN ["sc.exe","net*.exe"]

In antivirus evasion, one of the most common techniques is the use of registry events [T1562.001Disable or Modify Tools], as described in Sequterek.

norm_id =WinServer event_id=4688 "process" ="*\reg.exe" command in ["*add*\Software\Policies\Microsoft\Windows Defender\*"]

Trendmicro identified one variant where the service was installed and started based on the dropped executable.

norm_id = WinServer event_id=7045 path="C:\Windows" service="msdtcstef" file ="*.exe"

Another prominent characteristic you can observe in the case of a Clop infection is that it tries to inhibit the system recovery by deleting the shadow copy, deleting the Windows backup catalog, and modifying the boot configuration to disable Windows automatic recovery features.

The three actions are a telltale sign that ransomware has started on the infected machine. [T1490Inhibit System Recovery].

label="Process" label="Create" ("process" IN ["*\powershell.exe", "*\wmic.exe", "*\vssadmin.exe", "*\diskshadow.exe"] 
command="* shadow*" command="*delete*") OR ("process"= "*\wbadmin.exe" command="*delete*" (command=*systemstatebackup*) 
OR (command="*catalog*" command="*quiet*") )  OR ("process"="*\vssadmin.exe" command="*resize*" command="*shadowstorage*" command="*unbounded*")     

Searching for telltale signs that ransomware has started.

You can detect activities related to the Clop ransomware using IDS/IPS like Snort and Suricata.

norm_id IN [Snort, SuricataIDS] message IN ["ET TROJAN Possible Win32/Get2 Downloader Activity","ETPRO TROJAN Win32/Get2 Downloader C&C Checkin","ET TROJAN Win32/FlawedAmmyy RAT C&C Checkin","ET TROJAN FlawedGrace CnC Activity","ETPRO TROJAN Win32/SDBbot C&C Checkin"]

You can detect the execution of the Clop ransomware in Logpoint using the hash values of some known executables.

(hash IN CLOP_HASHES OR hash_sha1 IN CLOP_HASHES OR hash_sha256 IN CLOP_HASHES)

Incident investigation and response using Logpoint SOAR

Upon detecting traces of exploitation, analysts should isolate the host where the attack is taking place via a playbook and initiate an incident response playbook.

Detecting exploitation is simple and seamless because Logpoint is a unified SIEM+SOAR solution that uses an alert (SIEM event) to automatically trigger a SOAR playbook.

Compromise investigation

The necessary steps in investigating post-compromise activity include inspecting:

  • If any accounts have been compromised, passwords are changed or are receiving unusual logins, emails, or requests from any users.

  • Mass or targeted phishing or suspicious emails are being sent to employees.

  • Any traffic has been found between the compromised domains.

  • Unusual files have been downloaded.

  • Commands that have used generic evasion techniques.

  • Known vulnerabilities that are yet to be patched in the network.

  • Processes being attributed to suspicious parent processes or are being run from unusual sources like %TEMP%.

  • Credential dumping attempts.

  • Impacket use or attempts of use.

  • Disabling important features including but not limited to the crash dump feature.

  • Logs are being cleared.

  • Suspicious scheduled tasks are being created.

  • Unusual remote access tools (RATs) making connections.

  • Security settings are being changed rapidly.

In no way would monitoring for the listed activities eliminate the chance of being compromised, but would provide basic coverage of any attempt when added to existing company cybersecurity policies.

These playbooks provide operational procedures for planning and conducting cybersecurity incident and vulnerability response activities and detail each step for both incident and vulnerability detection.

The main playbook for investigation, with its multiple sub-playbooks, goes deep into detection and investigation if an attack has taken place.

Incident response

If and when an organization detects an active attack, it should always follow the already set internal organizational IT and security guidelines. Plenty of resources are available to create and follow. Some notable ones are provided by CISA, FBI, and frameworks by NIST.

With Logpoint, users can take the following actions for immediate responses to the attacks.

  1. Blocking IoCs: We have updated our IoC lists (alongside the alert releases) with hashes, domains, and IPs, which can be turned on as alerts and used to block as soon as they are detected in the network.

  2. Isolate the endpoints: When an attack is detected or a system is compromised, the immediate action should be to isolate the system, take proper logs, evaluate the situation and remediate.

Endpoint detection and remediation with AgentX

Logpoint AgentX is a lightweight application that transports logs and telemetry from endpoints (all servers, workstations, and applications) to the SIEM, and performs automated real-time investigation and remediation to threats with SOAR. With AgentX, security analysts get precise detection of malicious malware and the ability to respond to threats in endpoints.

Logpoint AgentX is available now: Contact your representative.

Isolate Endpoint Mitigation

The playbook checks if a host has been infected. If the result is true, the playbook attempts to isolate it using the endpoint agent and contain and quarantine it before it spreads to other machines.

The dependencies for the playbook include:

Integrations

  • Logpoint AgentX or other endpoint detection and response (EDR) tools

  • Antivirus

  • Threat intelligence

Block Indicators

This playbook is a do-all blocker. It checks if any IP, domain, URL, or host exists in a list of indicators of compromise, blocks them, and adds them to the blocked list.

The dependencies for th playbook include:

Integrations

  • Firewall / WAF

  • Logpoint AgentX or other EDRs

  • Antivirus

  • Threat intelligence

 Disable Service - Windows

This playbook is able to check in to the domain and disable the service in the specified machine via RDP.

The dependencies for the playbook include:

Integrations

  • Windows Server

Phishing Investigation

This playbook is able to check in to the domain and disable the service in the specified machine via RDP.

The dependencies for the playbook include:

Integrations

  • Virus Total - API

  • MaxMind - MaxMind GeoIP2

  • WhoIS - API

  • CyberTotal - CyCraft

  • Sub-playbooks

    • Check URL Reputation

    • Check Domain Reputation

    • Detonate URL - Generic

    • Detonate File - Generic

    • Block Email - Generic

    • Isolate Endpoint - Generic

    • Search and Delete Email

Best practices

Along with the given playbooks, organizations detecting potential APT activity in their IT or OT networks should:

  1. Secure backups and ensure your backup data is offline and secure. If possible, scan your backup data with an antivirus program to ensure it is free of malware.

  2. Collect and review relevant logs, data, and artifacts.

  3. Consider soliciting support from a third-party IT organization to provide subject matter expertise, ensure the actor is eradicated from the network, and avoid residual issues that could enable follow-on exploitation.

To get the best investigation and response in your organization, you need to adapt the Logpoint playbooks according to your environment. Contact Logpoint for tailor-made playbooks and queries.

Detecting signs of ransomware from common threat actors early is key

TA505 likely has a connection to FIN11, which is another major Clop ransomware operator. It is significant that FIN11 may be a spin-off group from TA505 with overlapping memberships or a remote possibility of belonging to the same cybercriminal group. Therefore, you must detect signs of ransomware and its common threat actors early to stop the cyberattack kill chain. Protecting your data by backing it up regularly on external drives or on a remote cloud can help minimize lockout during ransomware attacks. A key defense against these attacks can be achieved with cyber awareness and training and system patching. With Logpoint SIEM+SOAR and the new native endpoint response capability AgentX, analysts can investigate Clop and initiate the proper response.