Cyble detailed Cl0p Ransomware’s global activity, highlighting its shift to a Ransomware-as-a-Service model, double extortion, and multi-vector infection techniques across industries and regions. It also notes Linux variants and a public leak site, with technical details on encryption and ransom negotiations. #Cl0pRansomware #FIN11
Key points
- Cl0p operates as a Ransomware-as-a-Service (RaaS) targeting large organizations and employs double extortion: data is exfiltrated before encryption and its disclosure is used as additional leverage.
- The group behind Cl0p traces back to CryptoMix and works with affiliates such as FIN11; it targets the IT/ITES, BFSI, Healthcare, Professional Services, and Government sectors.
- Initial access comes from phishing with malicious attachments or links, exposed RDP, and exploit kits; victims' files are encrypted and stolen data is threatened with publication on a dark-web leak site.
- The binary supports three launch modes: with the runrun parameter (encrypts network drives), with a temp.ocx parameter (encrypts only the files listed in that file), or with no parameters (encrypts all local and network drives).
- The malware enumerates network shares and drive types, then encrypts with multiple threads, including Outlook/Office folders where it can reach them.
- A mutex prevents reinfection, and a token-based approach runs new processes under the victim's user context, improving stealth and persistence.
- Encryption combines RC4 (keys generated with MT19937) and RSA; per-file keys are stored with the encrypted files, which receive the .C_l_0P extension, and the ransom note is kept encrypted inside the binary.
MITRE Techniques
- [T1566] Phishing – Phishing used as an initial access vector. Quote: ‘phishing emails that contain harmful attachments or links’
- [T1133] External Remote Services – Exposed remote services enabling intrusion. Quote: ‘unprotected RDP, and exploit kits’
- [T1059] Command and Scripting Interpreter – The ransomware is launched with command-line parameters that select its mode. Quote: ‘Executing it with the runrun parameter’ and ‘Launching it without any parameters’
- [T1135] Network Share Discovery – Discovery of network shares before encryption. Quote: ‘scan all network shares, such as network file managers, backup applications, or printer management tools’
- [T1082] System Information Discovery – Drive-type collection used to tailor encryption. Quote: ‘GetDriveTypeW() to determine the type of drive’
- [T1543.003] Windows Service – Installation as a service for persistence. Quote: ‘checks whether it can be installed as a service’
- [T1134] Access Token Manipulation – A new process is created under the victim user's security context. Quote: ‘the malware uses the token handle to retrieve the username… It then creates a new process and primary thread under that user’s security context’
- [T1486] Data Encrypted for Impact – Core impact technique. Quote: ‘encrypting files and presenting ransom notes that demand payment in exchange for the decryption key’
- [T1056] Input Capture/Process Creation Context – Implied by the token-based process creation: the new process runs under the victim's context to execute runrun. Quote: ‘creates a new process and primary thread under that user’s security context’
Indicators of Compromise
- [File Hash] Cl0p Ransomware (SHA-256) – 46cd508b7e77bb2c1d47f7fef0042a13c516f8163f9373ef9dfac180131c65ed, e98c2fa10d77d345c960fc63436405a8b5024bd9b938a5962f70f66842e8b2cf
- [Hash] Cl0p Ransomware (SHA-1) – 40b7b386c2c6944a6571c6dcfb23aaae026e8e82, f59d2a3c925f331aae7437dd7ac1a7c8
- [Hash] Cl0p Ransomware (MD5) – 343cb2d5900f5fe4abd5442a4a18541753fbb6ca5ff4ee7f2c312ed96e413335, a074790705ecbede2e67cced4bcb62d833d828a5
- [Hash] Cl0p Ransomware (MD5) – 4839c7e3dde1e707cb538ab301d792b3ad75b45b03c65a4a6095c2a65ce65c84, bc f497379b84656ede89d562067d1ced (trimmed in article; used as example MD5)
- [Hash] ELF Variant (SHA-256) – 09d6dab9b70a74f61c41eaa485b37de9a40c86b6d2eae7413db11b4e6a8256ef
- [File Name] !_READ_ME.RTF – Ransom note file dropped during infection
Read more: https://blog.cyble.com/2023/04/03/cl0p-ransomware-active-threat-plaguing-businesses-worldwide/