Cyble – Cl0p Ransomware: Active Threat Plaguing Businesses Worldwide

Cl0p Ransomware Victim Count Continues to Climb at an Alarming Rate

In 2019, Cl0p Ransomware surfaced as a Ransomware-as-a-Service (RaaS) model and became notorious due to its advanced techniques. Its main target was larger organizations with an annual income of USD 5 million or higher. The Threat Actors (TAs) infiltrate the targeted systems and encrypt the files, demanding a ransom to be paid in exchange for the decryption key.

Cl0p Ransomware is a successor to CryptoMix ransomware, which is believed to have originated in Russia and is frequently used by various Russian affiliates, including FIN11. This group is known for its attacks on various organizations and institutions, including universities, government agencies, and private companies. Like other ransomware groups, Cl0p’s main objective seems to be financial gain, which they achieve through the double extortion strategy. 

Using this approach, TAs exfiltrate sensitive information first and then encrypt it. If the victim refuses to pay the ransom, the attackers threaten to disclose the data on their dark web leak site. This puts extra pressure on the victim to pay the ransom to prevent the release of their sensitive information.

Figure 1 illustrates the geographical distribution of Cl0p ransomware victims since January 2023, with a total of 104 victims worldwide.

Figure 1 – Geographical Distribution of Cl0p Ransomware Victims since 2023

The Cl0p ransomware gang aims to victimize a broad range of targets, including IT & ITES, BFSI-focused entities, Healthcare providers, Professional Services, and Government organizations.

The figure below shows the industries targeted by Cl0p Ransomware.

Figure 2 – Industries Targeted by Cl0p Ransomware

The United States appears to be the primary target of the Cl0p ransomware group, with a significant number of their victims located in this country, as illustrated in the figure below.

Figure 3 – Countries Targeted by Cl0p Ransomware

Initial Infection

Cl0p Ransomware spreads through various methods, such as phishing emails that contain harmful attachments or links, unprotected RDP, and exploit kits. Once it infects a computer, it promptly begins encrypting files and presenting ransom notes that demand payment in exchange for the decryption key.

Technical Analysis

The analyzed malware sample is an executable file with a Graphical User Interface (GUI), compiled using Microsoft Visual C/C++. It has a SHA-256 hash value of “46cd508b7e77bb2c1d47f7fef0042a13c516f8163f9373ef9dfac180131c65ed”, as illustrated in the accompanying figure.

Figure 4 – Static File Details

Upon initial analysis, it was observed that the Cl0p Ransomware could be launched using three distinct methods:

  1. Executing it with the runrun parameter, which solely encrypts the network drives.
  2. Passing a file “temp.ocx” as a parameter, which contains a list of the files to be encrypted.
  3. Launching it without any parameters, which encrypts all local and network drives.

The image below depicts how the malware verifies the conditions mentioned earlier.

Figure 5 – Command line parameters

Encrypting network drives

When the Ransomware is launched with the runrun parameter, it creates two threads. The first thread is assigned to scan all network shares, such as network file managers, backup applications, or printer management tools, and encrypt files in them. To execute this task, it uses the typical API functions of the module “MPR.DLL”:

  • WNetOpenEnumW
  • WNetEnumResourceW
  • WNetCloseEnum

Figure 6 – Enumerating network shares

If the malware cannot enumerate the network shares, it closes the current thread handle and creates a second thread. The second thread is designed to retrieve the path to the user’s Outlook, Word, or Office folders using the SHGetSpecialFolderPathW() function. Afterward, the retrieved path undergoes an encryption process, which is described in subsequent sections.

Figure 7 – Retrieving special folders

Encrypting specific files passed as a parameter via “Temp.ocx”

When the Ransomware is launched using the temp.ocx parameter, it initially checks if the length of the command line argument is more than 5 characters and whether the argument contains the string “temp.ocx“.

If this condition is true, the code tries to open the file mentioned in the command line argument in UNICODE mode for reading.

If the file is opened successfully, it creates a new thread for encrypting the files specified in “temp.ocx”.

The figure below shows Cl0p Ransomware’s code using a specific file name as an argument.

Figure 8 – Cl0p ransomware using a file as an argument for encryption

Encrypting all files and network drives

When the Ransomware is launched without any parameters, the code first checks whether it can be installed as a service. If the installation fails, the code terminates itself.

The figure below illustrates how the ransomware checks for the condition of running as a service.

Figure 9 – Checking if it runs as a service

Once it verifies that it can run as a service, the Cl0p Ransomware generates a mutex, which is an object used for locking and preventing multiple threads from writing to shared memory concurrently.

This measure is intended to prevent the victim from being reinfected. The mutex is hardcoded into the binary with the name “)(%QU#jimf0932ijrkpo32jr3lfwe“, as shown in the figure below.

Figure 10 – Mutex Creation

At this stage, the malware employs a multi-threaded approach where the first thread generates a comprehensive list of all active processes on the system and converts their names to uppercase. It then compares each process name with “EXPLORER.EXE”. If the malware finds a match, it uses the OpenProcess function to obtain a handle to that process and, through it, a handle to the process’s access token.

The malware utilizes the token handle to retrieve the username associated with it. It then creates a new process and primary thread under that user’s security context, passing a command-line argument runrun.

During this process, the malware ensures that network drives are also encrypted. As mentioned earlier, running Cl0p Ransomware with runrun as an argument will encrypt the network drives.

The figure below shows the code for process name comparison.

Figure 11 – Process name validation

Once the new process is created successfully, the malware proceeds to import a public key from a string representation into a Cryptographic Service Provider (CSP) for encryption purposes.

The process of importing public key information into the CSP is illustrated in the figure below.

Figure 12 – Importing public key information

The next step of Cl0p Ransomware infection involves scanning through all the drive letters available on the system, beginning from A to Z. The malware utilizes the GetDriveTypeW() function to determine the type of drive associated with each letter, such as fixed, removable, or network drives.

Upon identifying the drive type, the Ransomware creates a new thread through the CreateThread API. It transfers the drive letter as a parameter to the thread function responsible for the infection process.

The figure below depicts the new thread creation.

Figure 13 – GetDriveTypeW drive types

The Ransomware contains a hardcoded list of extensions to exclude from encryption, as shown in the table below:

BAT  CMD  TTF
LNG  HLF  CHM
MSI  INI  ICO
LNK  SYS  EXE
DLL  OCX  CI_0P
NTUSER.DAT

The Ransomware first checks for the presence of any previous Cl0p infections on the system by comparing all the files in a designated folder with the filename of the ransom note. If no such files are present, it then drops the ransom note into the folder with the filename “!_READ_ME.RTF“.

The ransom note itself is encrypted and stored in the resource section. Before it is placed in the folder, it is decrypted using an XOR algorithm. The figures below show both the encrypted content in the file’s resource section and the decryption loop in the binary.

Figure 14 – Encrypted ransom note

Figure 15 – Decryption loop
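The XOR-decoding step above is the kind of thing an analyst reproduces on the extracted resource blob to read the note without running the sample. The script below is an added example, not code from the Cyble write-up or from the malware; the page only states that an XOR algorithm is used, so the single-byte key, the key value 0x5A and the stand-in note text are all assumptions constructed for the demo. It recovers the key by looking for the RTF header that an “!_READ_ME.RTF” note would start with, and falls back to ranking keys by how printable the output looks when the plaintext format is unknown.

```python
from typing import List, Optional, Tuple

# Expected start of an RTF document; the page says the note is dropped as !_READ_ME.RTF.
RTF_MAGIC = b"{\\rtf"


def xor_bytes(data: bytes, key: int) -> bytes:
    """XOR every byte with one key byte (symmetric: encode and decode are the same op)."""
    return bytes(b ^ key for b in data)


def printable_ratio(data: bytes) -> float:
    """Fraction of bytes that are printable ASCII or common whitespace; a rough plaintext score."""
    if not data:
        return 0.0
    ok = sum(1 for b in data if 0x20 <= b <= 0x7E or b in (0x09, 0x0A, 0x0D))
    return ok / len(data)


def recover_single_byte_xor(blob: bytes, marker: bytes = RTF_MAGIC) -> Optional[Tuple[int, bytes]]:
    """Try all 256 key bytes (assumption: single-byte key) and return (key, plaintext)
    for the first key whose output starts with the expected marker, or None if none does."""
    for key in range(256):
        candidate = xor_bytes(blob, key)
        if candidate.startswith(marker):
            return key, candidate
    return None


def rank_keys_by_printability(blob: bytes, top: int = 3) -> List[Tuple[int, float]]:
    """Fallback when the plaintext format is unknown: rank keys by printable-byte ratio."""
    scores = [(key, printable_ratio(xor_bytes(blob, key))) for key in range(256)]
    return sorted(scores, key=lambda kv: kv[1], reverse=True)[:top]


# Constructed sample: a stand-in RTF note body (not Cl0p's actual note text),
# XOR-encoded with an arbitrarily chosen key byte to simulate the resource blob.
SAMPLE_NOTE = b"{\\rtf1\\ansi Your files have been encrypted. See the note for contact details.}"
SAMPLE_KEY = 0x5A
ENCODED_RESOURCE = xor_bytes(SAMPLE_NOTE, SAMPLE_KEY)


if __name__ == "__main__":
    hit = recover_single_byte_xor(ENCODED_RESOURCE)
    if hit:
        key, plain = hit
        print(f"key=0x{key:02x} plaintext={plain[:40]!r}...")
    print("top keys by printability:", rank_keys_by_printability(ENCODED_RESOURCE))
```

The marker check is decisive only when the plaintext format is known; the printability ranking is a heuristic and several keys can tie on short inputs, so it is a starting point for manual inspection rather than a verdict.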

The Cl0p Ransomware has a file size-based approach to choose the best method for encrypting files. Small files are not encrypted, and the Ransomware uses the ReadFile and WriteFile API functions for encrypting medium-sized files.

The larger files are apparently encrypted using the CreateFileMappingW, MapViewOfFile, WriteFile, and UnmapViewOfFile API functions.

To encrypt each file, the Ransomware generates a 0x75-byte RC4 key using a Mersenne Twister PRNG (MT19937) algorithm and checks its validity by ensuring the first five bytes are NULL.

Finally, the Ransomware encrypts the generated RC4 key using the RSA public key and stores it in a file with the format “filename.extension.C_l_0P”.

Figure 16 – Encryption logic
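The behaviours described so far give a defender several concrete host-telemetry signals: the two command-line launch modes from the “Initial Infection” analysis (the runrun argument and a temp.ocx file-list argument), the ransom note file name “!_READ_ME.RTF”, and the “.C_l_0P” extension written to encrypted files. The script below is an added example of turning those into detection logic, not code from the Cyble report or any product. The event format (a simplified “|”-separated key=value record, with EventID 1 for process creation and 11 for file creation, mirroring Sysmon’s numbering) and every path, user and image name in the sample records are constructed for the demo; the case-insensitive temp.ocx match is an assumption because the page spells the name both “temp.ocx” and “Temp.ocx”.

```python
import re
from typing import Dict, Iterable, List

# Markers taken from the write-up: the two command-line launch modes and the
# on-disk artefacts (ransom note file name and encrypted-file extension).
RUNRUN_ARG = "runrun"
FILE_LIST_ARG = "temp.ocx"          # matched case-insensitively (assumption, see lead-in)
RANSOM_NOTE_NAME = "!_READ_ME.RTF"
ENCRYPTED_EXT = ".C_l_0P"

# Constructed sample telemetry in a simplified '|'-separated key=value form
# (an assumption for this example, not Sysmon's real XML layout).
SAMPLE_EVENTS = [
    'EventID=1|Image=C:\\Windows\\explorer.exe|CommandLine="C:\\Windows\\explorer.exe"|User=CORP\\alice',
    'EventID=1|Image=C:\\Users\\Public\\update.exe|CommandLine="C:\\Users\\Public\\update.exe" runrun|User=CORP\\alice',
    'EventID=1|Image=C:\\Users\\Public\\update.exe|CommandLine="C:\\Users\\Public\\update.exe" C:\\Users\\Public\\Temp.ocx|User=NT AUTHORITY\\SYSTEM',
    'EventID=11|Image=C:\\Users\\Public\\update.exe|TargetFilename=D:\\Finance\\report.xlsx.C_l_0P',
    'EventID=11|Image=C:\\Users\\Public\\update.exe|TargetFilename=D:\\Finance\\!_READ_ME.RTF',
    'EventID=11|Image=C:\\Windows\\System32\\svchost.exe|TargetFilename=C:\\Windows\\Temp\\log.txt',
]


def parse_event(line: str) -> Dict[str, str]:
    """Split one record into a field dict; values keep their quotes for later tokenizing."""
    fields: Dict[str, str] = {}
    for part in line.split("|"):
        key, _, value = part.partition("=")
        fields[key.strip()] = value.strip()
    return fields


def tokenize_cmdline(cmdline: str) -> List[str]:
    """Windows-style split: quoted strings stay together, backslashes are literal."""
    return [tok.strip('"') for tok in re.findall(r'"[^"]*"|\S+', cmdline)]


def detect(lines: Iterable[str]) -> List[Dict[str, object]]:
    """Return one finding per event that matches a Cl0p launch mode or file artefact."""
    findings: List[Dict[str, object]] = []
    for idx, line in enumerate(lines):
        ev = parse_event(line)
        if ev.get("EventID") == "1":
            args = tokenize_cmdline(ev.get("CommandLine", ""))[1:]   # drop argv[0]
            if RUNRUN_ARG in args:
                findings.append({"event": idx, "rule": "runrun-mode",
                                 "detail": f"{ev.get('Image')} launched with '{RUNRUN_ARG}' (network-drive encryption)"})
            elif any(FILE_LIST_ARG in a.lower() for a in args):
                findings.append({"event": idx, "rule": "temp-ocx-mode",
                                 "detail": f"{ev.get('Image')} given a '{FILE_LIST_ARG}' file-list argument"})
        elif ev.get("EventID") == "11":
            target = ev.get("TargetFilename", "")
            name = target.rsplit("\\", 1)[-1]
            if name == RANSOM_NOTE_NAME:
                findings.append({"event": idx, "rule": "ransom-note", "detail": target})
            elif name.endswith(ENCRYPTED_EXT):
                findings.append({"event": idx, "rule": "encrypted-extension", "detail": target})
    return findings


if __name__ == "__main__":
    for f in detect(SAMPLE_EVENTS):
        print(f"[{f['rule']}] event {f['event']}: {f['detail']}")
```

The parameterless launch mode leaves no command-line marker, which is why the file-creation rules matter: the first “.C_l_0P” write or the note drop is usually the earliest reliable signal in that mode, and alerting on it per host lets a responder isolate the machine before the A-to-Z drive scan reaches network shares.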

The Ransomware now begins encrypting the files in the victim’s machine. The data is encrypted using the RC4 encryption algorithm. The figure below shows the file’s encrypted content starting from the address 4000h.

Figure 17 – Encrypted file and key

The Cl0p ransom note includes contact details of TAs that victims can use to negotiate a ransom payment to recover their files. It also contains an Onion URL leading to the leak site page.

The figure below shows the Cl0p Ransomware ransom note.

Figure 18 – Ransom note

The below figure shows the leak site of the Cl0p ransomware gang.

Figure 19 – Leak site of Cl0p Ransomware

Security researchers have recently discovered that Cl0p Ransomware is now targeting Linux systems. Fortunately, this new variant of Ransomware has a flawed encryption algorithm, which is good news for victims because it means they can recover their encrypted files without paying a ransom.

Although the Linux variant of the Ransomware is specifically designed for that operating system, the fundamental logic behind it remains the same as the Windows variant.

Conclusion

With its various versions, Cl0p Ransomware has the ability to infect both Linux and Windows operating systems. This malware is among many other ransomware types found on the surface web that deploy a strong encryption algorithm to encrypt user files and leave ransom notes containing instructions on recovering the encrypted data.

In a brief span of time, there have been numerous attacks that have targeted various industries across the world. We anticipate that there will be more attacks in the future by Cl0p Ransomware.

Our Recommendations

Safety Measures Needed to Prevent Ransomware Attacks

  • Conduct regular backup practices and keep those backups offline or in a separate network.
  • Turn on the automatic software update feature on your computer, mobile, and other connected devices wherever possible and pragmatic.
  • Use a reputed anti-virus and Internet security software package on your connected devices, including PC, laptop, and mobile.
  • Refrain from opening untrusted links and email attachments without verifying their authenticity.

Users Should Take the Following Steps After the Ransomware Attack

  • Detach infected devices from the network.
  • Disconnect external storage devices if connected.
  • Inspect system logs for suspicious events.
  • A decryption tool for the Linux variant is available on GitHub.

MITRE ATT&CK® Techniques

Tactic          Technique ID   Technique Name
Initial Access  T1133          External Remote Services
Initial Access  T1566          Phishing
Execution       T1059          Command and Scripting Interpreter
Execution       T1204          User Execution
Discovery       T1082          System Information Discovery
Discovery       T1135          Network Share Discovery
Discovery       T1083          File and Directory Discovery
Impact          T1486          Data Encrypted for Impact

Indicators of Compromise (IOCs)

Indicator                                                          Indicator Type  Description
46cd508b7e77bb2c1d47f7fef0042a13c516f8163f9373ef9dfac180131c65ed   SHA256          Cl0p Ransomware
40b7b386c2c6944a6571c6dcfb23aaae026e8e82                           SHA1            Cl0p Ransomware
f59d2a3c925f331aae7437dd7ac1a7c8                                   MD5             Cl0p Ransomware
e98c2fa10d77d345c960fc63436405a8b5024bd9b938a5962f70f66842e8b2cf   SHA256          Cl0p Ransomware
eaa8a81f8564b2da25b9d91797fda8e53fca93b8                           SHA1            Cl0p Ransomware
a610664961870a1817df06f3eae1010b                                   MD5             Cl0p Ransomware
343cb2d5900f5fe4abd5442a4a18541753fbb6ca5ff4ee7f2c312ed96e413335   SHA256          Cl0p Ransomware
a074790705ecbede2e67cced4bcb62d833d828a5                           SHA1            Cl0p Ransomware
1e98a8d79ed7afbd77f6536dd7b4398f                                   MD5             Cl0p Ransomware
4839c7e3dde1e707cb538ab301d792b3ad75b45b03c65a4a6095c2a65ce65c84   SHA256          Cl0p Ransomware
25109b11c5dd418ca98f7971b8cc4ded8b0cd446                           SHA1            Cl0p Ransomware
bcf497379b84656ede89d562067d1ced                                   MD5             Cl0p Ransomware
09d6dab9b70a74f61c41eaa485b37de9a40c86b6d2eae7413db11b4e6a8256ef   SHA256          ELF Variant
46b02cc186b85e11c3d59790c3a0bfd2ae1f82a5                           SHA1            ELF Variant
31e0439e6ef1dd29c0db6d96bac59446                                   MD5             ELF Variant

Source: https://blog.cyble.com/2023/04/03/cl0p-ransomware-active-threat-plaguing-businesses-worldwide/