Clop Ransomware: Overview, Operating Mode, and Prevention [UPDATED 2023]
How Does Clop Ransomware Work?
Clop ransomware is a variant of the CryptoMix ransomware family. It is file-encrypting malware that targets systems with weak or missing security controls and marks every file it encrypts by appending the .Clop extension.
It uses the AES cipher to encrypt pictures, videos, music, databases, documents and other user files, and appends the .Clop or .CIOP extension (a look-alike spelling used by some variants), which locks victims out of their own data. For example, "sample.jpg" is renamed to "sample.jpg.Clop".
The victims are then pressured into paying a ransom within a time limit in exchange for the promised recovery of their data.
Clop is considered especially dangerous because it runs on most Windows versions still in use, including Windows XP, Windows 7, Windows 8, Windows 8.1 and Windows 10.
Clop virus’ name originates from a Russian “klop,” which means “bed bug” – an insect from the genus Cimex that feeds on human blood, usually at night.
Clop is among the more capable ransomware families: it writes entries to the Windows Registry to gain persistence, and it can start or kill processes and services on the host to evade antivirus software and stay hidden from the user.
Clop Ransomware Operating Mode
Clop's targets are mostly organizations and institutions across the globe rather than home users, which suggests the operators focus on enterprises because of their ability to pay.
In recent campaigns the Clop operators have both stolen and encrypted sensitive data, such as backups, financial records, thousands of emails and vouchers belonging to several companies, so that the threat of publication adds to the pressure of the encryption itself.
More recently, Clop has been associated with cybercriminals exploiting four Accellion File Transfer Appliance (FTA) vulnerabilities: CVE-2021-27101, CVE-2021-27102, CVE-2021-27103 and CVE-2021-27104. Exploitation of these flaws led to the compromise of high-profile organizations starting in February 2021. There is also evidence of an affiliate using a web shell dubbed DEWMODE to steal data from compromised Accellion FTA devices.
When some of the affected companies refused to pay, the stolen data was published on the group's 'CL0P^_- LEAKS' data leak site, hosted on the dark web.
Clop is built to run its embedded encryption routine over the files it considers valuable and leave them unusable; it also alters some system and browser settings along the way.
Rather than displaying a message when an encrypted file is opened, it drops a ransom note (a text file, typically placed in each directory it encrypts) that informs the user of the encryption and explains how to pay the ransom in Bitcoin or another cryptocurrency.
Specialists do not recommend paying the ransom, whatever the amount. Payment does not guarantee a working decryptor, it funds further attacks, and in Clop's case the stolen data may still be leaked afterwards.
The most reliable defence is to be a step ahead with backups. Keep regular backups and store at least one copy where the ransomware cannot reach it, such as cloud storage with versioning or immutable snapshots, or an external hard drive or flash drive that is unplugged when not in use, and test restores periodically: an untested backup is not a backup.
How Can Clop Ransomware Infect My Device?
Clop can enter a system through a variety of routes: spam email attachments, trojans such as SDBot, malicious hyperlinks, software cracks, exposed or poorly protected Remote Desktop Protocol (RDP) endpoints, infected websites, and exploitation of internet-facing appliances such as the Accellion FTA cases above.
Many infections start with a junk attachment or a download link in the body of an email. These unsolicited messages are usually made to look as if they come from a well-known organization, such as a bank or an insurance company.
Malicious or compromised websites, including adult sites, are another common source of such infections.
Once on the system, the Clop executable, which is typically signed with a fraudulently obtained code-signing certificate so that it passes signature-based checks and runs without raising alarms, launches the dropped clearnetworkdns_11-22-33.bat file, a batch script used to stop services that would otherwise hold open the files it intends to encrypt.
This lets the malware overwrite and change system files. It also collects technical details such as the computer name and sends them to the threat actors, and it creates a \Users\CIiHmnxMn6Ps folder where further malicious files are placed.
Clop then scans the computer for files to encrypt, targeting commonly used types such as .jpg, .mp3, .doc and .mkv. After encryption, a file such as picture.jpg becomes picture.jpg.Clop and can no longer be opened.
Note that the data is not corrupted; it is encrypted with a key that only the attackers hold. Victims must remove Clop from the system before attempting to recover files from backup, otherwise the restored files will simply be encrypted again.
Technical Analysis of Clop Ransomware
The technical analysis section is based on the Clop sample retrieved from the MalwareBazaar repository on 3 August 2023; the sample entry was last updated on 6 June 2023.
Behavioral analysis (via Cape Sandbox)
- Collects and encrypts information about the computer likely to send to C2 server.
- SetUnhandledExceptionFilter detected (possible anti-debug)
- Uses Windows APIs to generate a cryptographic key
- Anomalous file deletion behavior detected (10+)
- Dynamic (imported) function loading detected
- Enumerates running processes
- Expresses interest in specific running processes
- Repeatedly searches for a not-found process, may want to run with startbrowser=1 option
- Manipulates data from or to the Recycle Bin
- Exhibits possible ransomware or wiper file modification behavior: mass_file_deletion overwrites_existing_files
- Creates known CryptoMix ransomware mutexes
- Yara rule detections observed from a process memory dump/dropped files/CAPE.
Post-delivery behavior (via Hatching Triage)
- Suspicious behavior: EnumeratesProcesses
- Drops file in Program Files directory
- Drops file in Windows directory
- Drops desktop.ini file(s)
- Enumerates connected drives
- Modifies extensions of user files
| Defense Evasion | Privilege Escalation | Discovery | Impact |
|---|---|---|---|
| Process injection | Process injection | File and directory discovery | OS exhaustion flood |
| Software packing | | Software discovery | |
| Obfuscated files or information | | | |
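As an added example (not part of the original article, and not Heimdal's code or code from the Clop sample), the following Python script turns the file-system indicators described in this article into a small hunt over file-event records: the .Clop/.CIOP extensions, the clearnetworkdns_11-22-33.bat drop, the \Users\CIiHmnxMn6Ps staging folder, and the mass renaming of user files that the sandbox reported as "Modifies extensions of user files". The four-column log format, the process names, the rename-rate threshold and the time window are assumptions; map your EDR or Sysmon file-event fields onto the same columns.

```python
"""Hunt for Clop ransomware file-system indicators in file-event records.

Added example (not Heimdal's code, not code from the Clop sample). The input
is a constructed, simplified file-event log with four '|'-separated columns:
timestamp|process|operation|path. Map your EDR/Sysmon fields onto it.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Indicators taken from the article: the extensions Clop appends, the batch
# file it runs and the staging folder it creates under \Users.
CLOP_EXTENSIONS = (".clop", ".ciop")
CLOP_ARTIFACT_PATTERNS = (
    r"clearnetworkdns_11-22-33\.bat$",
    r"\\users\\ciihmnxmn6ps(\\|$)",
)
_ARTIFACT_RES = [re.compile(p, re.IGNORECASE) for p in CLOP_ARTIFACT_PATTERNS]

# Rate threshold (an assumption; tune per environment): this many renames to a
# Clop extension by one process inside WINDOW is treated as mass encryption.
MASS_RENAME_THRESHOLD = 5
WINDOW = timedelta(seconds=10)


def parse_event(line):
    """Parse one log line 'ts|process|op|path' into a dict."""
    ts, proc, op, path = line.split("|", 3)
    return {"ts": datetime.fromisoformat(ts), "proc": proc, "op": op, "path": path}


def artifact_hits(events):
    """Return (process, path) pairs that touch a known Clop artifact."""
    return [
        (e["proc"], e["path"])
        for e in events
        if any(rx.search(e["path"]) for rx in _ARTIFACT_RES)
    ]


def mass_rename_hits(events):
    """Return processes that rename files to .Clop/.CIOP at ransomware speed.

    For each process, slide a window over the sorted timestamps of its Clop
    renames; if MASS_RENAME_THRESHOLD of them fall inside WINDOW, flag it.
    A single rename (e.g. a user handling one file) stays below the bar.
    """
    per_proc = defaultdict(list)
    for e in events:
        if e["op"] == "rename" and e["path"].lower().endswith(CLOP_EXTENSIONS):
            per_proc[e["proc"]].append(e["ts"])
    flagged = []
    for proc, stamps in per_proc.items():
        stamps.sort()
        start = 0
        for end, t in enumerate(stamps):
            while t - stamps[start] > WINDOW:
                start += 1
            if end - start + 1 >= MASS_RENAME_THRESHOLD:
                flagged.append(proc)
                break
    return flagged


def scan(lines):
    """Run both checks over raw log lines and return the findings."""
    events = [parse_event(l) for l in lines if l.strip()]
    return {"artifacts": artifact_hits(events),
            "mass_rename": mass_rename_hits(events)}


# Constructed sample log: explorer.exe renames one file (benign, below the
# threshold) while a suspicious process drops the batch file in the staging
# folder and renames five user files to .Clop/.CIOP within four seconds.
SAMPLE_LOG = """\
2023-08-03T10:00:00|explorer.exe|rename|C:\\Users\\alice\\notes.txt
2023-08-03T10:00:05|explorer.exe|rename|C:\\Users\\alice\\old.bak.Clop
2023-08-03T10:01:00|svchost_.exe|create|C:\\Users\\CIiHmnxMn6Ps\\clearnetworkdns_11-22-33.bat
2023-08-03T10:01:01|svchost_.exe|rename|C:\\Users\\alice\\sample.jpg.Clop
2023-08-03T10:01:02|svchost_.exe|rename|C:\\Users\\alice\\report.doc.Clop
2023-08-03T10:01:02|svchost_.exe|rename|C:\\Users\\alice\\song.mp3.Clop
2023-08-03T10:01:03|svchost_.exe|rename|C:\\Users\\alice\\movie.mkv.CIOP
2023-08-03T10:01:04|svchost_.exe|rename|C:\\Users\\alice\\budget.xls.Clop
"""

if __name__ == "__main__":
    findings = scan(SAMPLE_LOG.splitlines())
    for proc, path in findings["artifacts"]:
        print(f"[artifact] {proc} touched {path}")
    for proc in findings["mass_rename"]:
        print(f"[mass-rename] {proc} renamed files to a Clop extension "
              f"{MASS_RENAME_THRESHOLD}+ times within {WINDOW.seconds}s")
```

The artifact check is a plain string match and will catch only this specific build; the rate-based rename check is the more durable of the two, since any variant that appends an extension to many files in a short burst trips it, which is also why a single benign rename to the same extension is deliberately not enough to fire.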
How To Prevent Infecting With Clop Ransomware
Caution is always essential when it comes to your computer's safety. Pay attention when browsing the internet and when downloading, installing and updating software.
- Check twice before opening email attachments or clicking links. Do not open a file that does not concern you or that arrives from an address that looks suspicious, and verify unexpected requests through a separate channel.
- Download applications only from official sources, using direct download links. Third-party downloaders frequently bundle malicious software, so avoid them.
- Keep installed applications and operating systems updated, but only through the update mechanisms or tools provided by the official developer. The Accellion FTA case above shows what an unpatched internet-facing appliance can cost.
- Remember that using pirated software is a crime in most jurisdictions and carries a high risk of infection, because cracking tools are frequently used to spread malware.
- Invest in a reliable anti-virus/anti-spyware suite, since these tools can detect and eliminate malware before any harm is done.
Beyond these user-level habits, organizations should close or harden exposed RDP, enforce multi-factor authentication on remote access, segment networks so that a single compromised host cannot reach the backups, and keep offline or immutable backups as described above.
How Can Heimdal® Help?
In the fight against ransomware, Heimdal™ Security is offering its customers an outstanding integrated cybersecurity suite including the Ransomware Encryption Protection module, that is universally compatible with any antivirus solution, and is 100% signature-free, ensuring superior detection and remediation of any type of ransomware, whether fileless or file-based (including the most recent ones like LockFile).
Try it now and avoid being one more of the victims on the list!
Heimdal™ Ransomware Encryption Protection
- Blocks any unauthorized encryption attempts;
- Detects ransomware regardless of signature;
- Universal compatibility with any cybersecurity solution;
- Full audit trail with stunning graphics;
Cybercriminals keep making their malware more flexible, resilient and harmful than ever before.
Clop is one example: an invasive ransomware family that has affected organizations worldwide. Enterprises should also be aware of SDBot, the backdoor used by TA505, and of how an SDBot infection can lead to Clop being deployed. Like other ransomware families, Clop runs a leak site to add pressure and public shame on victims to make them pay.
Defenders need to upgrade their cyber defenses accordingly and pay attention when browsing the internet and when downloading, installing and updating software.