Cl0p Ransomware Victim Count Continues to Climb at an Alarming Rate
In 2019, Cl0p Ransomware surfaced as a Ransomware-as-a-Service (RaaS) model and became notorious due to its advanced techniques. Its main target was larger organizations with an annual income of USD 5 million or higher. The Threat Actors (TAs) infiltrate the targeted systems and encrypt the files, demanding a ransom to be paid in exchange for the decryption key.
Cl0p Ransomware is a successor to CryptoMix ransomware, which is believed to have originated in Russia and is frequently used by various Russian affiliates, including FIN11. This group is known for its attacks on various organizations and institutions, including universities, government agencies, and private companies. Like other ransomware groups, Cl0p’s main objective seems to be financial gain, which they achieve through the double extortion strategy.
Using this approach, TAs exfiltrate sensitive information first and then encrypt it. If the victim refuses to pay the ransom, the attackers threaten to disclose the data on their dark web leak site. This puts extra pressure on the victim to pay the ransom to prevent the release of their sensitive information.
Figure 1 illustrates the geographical distribution of Cl0p ransomware victims since January 2023, with a total of 104 victims worldwide.
The Cl0p ransomware gang aims to victimize a broad range of targets, including IT & ITES, BFSI-focused entities, Healthcare providers, Professional Services, and Government organizations.
The figure below shows the industries targeted by Cl0P Ransomware.
The United States appears to be the primary target of the Cl0p ransomware group, with a significant number of their victims located in this country, as illustrated in the figure below.
Initial Infection
Cl0p Ransomware spreads through various methods, such as phishing emails that contain harmful attachments or links, unprotected RDP, and exploit kits. Once it infects a computer, it promptly begins encrypting files and presenting ransom notes that demand payment in exchange for the decryption key.
Technical Analysis
The analyzed malware sample is an executable file with a Graphical User Interface (GUI), compiled using Microsoft Visual C/C++. It has a SHA 256 hash value of “46cd508b7e77bb2c1d47f7fef0042a13c516f8163f9373ef9dfac180131c65ed”, as illustrated in the accompanying figure.
Upon initial analysis, it was observed that the Cl0p Ransomware could be launched using three distinct methods:
- Executing it with the runrun parameter, which would solely encrypt the network drives.
- Using a file “temp.ocx“ as a parameter that contains a list of the files to be encrypted
- Launching it without any parameters, which would encrypt all local and network drives.
The image below depicts how the malware verifies the conditions mentioned earlier.
Encrypting network drives
When the Ransomware is launched with the runrun parameter, it creates two threads. The first thread is assigned to scan all network shares, such as network file managers, backup applications, or printer management tools, and encrypt files in them. To execute this task, it uses the typical API functions of the module “MPR.DLL”:
- WNetOpenEnumW
- WNetEnumResourceW
- WNetCloseEnum
If the malware cannot enumerate the network shares, it closes the current thread handle and creates a second thread. The second thread is designed to retrieve the path to the user’s Outlook, Word, or Office folders using the SHGetSpecialFolderPathW() function. Afterward, the retrieved path undergoes an encryption process, which is described in subsequent sections.
Encrypting specific files passed as a parameter via “Temp.ocx”
When the Ransomware is launched using the temp.ocx parameter, it initially checks if the length of the command line argument is more than 5 characters and whether the argument contains the string “temp.ocx“.
If this condition is true, the code tries to open the file mentioned in the command line argument in UNICODE mode for reading.
If the file is opened successfully, it creates a new thread for encrypting the files specified in “temp.ocx”.
The figure below shows Cl0p Ransomware’s code using a specific file name as an argument.
Encrypting all files and network drives
When Ransomware is launched without any parameters, the code first checks whether it can be installed as a service. If the installation fails, the code will terminate itself.
The figure below illustrates how the ransomware checks for the condition of running as a service.
Once it verifies that it can run as a service, the Cl0p Ransomware generates a mutex, which is an object used for locking and preventing multiple threads from writing to shared memory concurrently.
This measure is intended to prevent the victim from being reinfected. The mutex is hardcoded into the binary with the name “)(%QU#jimf0932ijrkpo32jr3lfwe“, as shown in the figure below.
At this stage, the malware employs a multi-threaded approach where the first thread generates a comprehensive list of all active processes on the system and converts their names to uppercase. It then proceeds to compare each process name with “EXPLORER.EXE.” If the malware finds a match, it utilizes the OpenProcess function to obtain a handle for the access token for that process.
The malware utilizes the token handle to retrieve the username associated with it. It then creates a new process and primary thread under that user’s security context, passing a command-line argument runrun.
During this process, the malware ensures that network drives are also encrypted. As mentioned earlier, running Cl0p Ransomware with runrun as an argument will encrypt the network drives.
The figure below shows the code for process name comparison.
Once the new process is created successfully, the malware proceeds to import a public key from a string representation into a Cryptographic Service Provider (CSP) for encryption purposes.
The process of importing public key information into the CSP is illustrated in the figure below.
The next step of Cl0p Ransomware infection involves scanning through all the drive letters available on the system, beginning from A to Z. The malware utilizes the GetDriveTypeW() function to determine the type of drive associated with each letter, such as fixed, removable, or network drives.
Upon identifying the drive type, the Ransomware creates a new thread through the CreateThread API. It transfers the drive letter as a parameter to the thread function responsible for the infection process.
The figure below depicts the new thread creation.
The Ransomware contains a hardcoded list of extensions to exclude from encryption, as shown in the below table:
| BAT | CMD | TTF |
| LNG | HLF | CHM |
| MSI | INI | ICO |
| LNK | SYS | EXE |
| DLL | OCX | CI_0P |
| NTUSER.DAT |
The Ransomware first checks for the presence of any previous Cl0p infections on the system by comparing all the files in a designated folder with the filename of the ransom note. If no such files are present, it then drops the ransom note into the folder with the filename “!_READ_ME.RTF“.
The ransom note itself is encrypted and stored in the resource section. However, before it is placed in the folder, it is decrypted using an XOR algorithm. The figure shows both the encrypted content in the file’s resource section and the decryption loop in the binary.
The Cl0p Ransomware has a file size-based approach to choose the best method for encrypting files. Small files are not encrypted, and the Ransomware uses the ReadFile and WriteFile API functions for encrypting medium-sized files.
The larger files are apparently encrypted using the CreateFileMappingW, MapViewOfFile, WriteFile, and UnmapViewOfFile API functions.
To encrypt each file, the Ransomware generates a 0x75 bytes RC4 key using a Mersenne Twister PRNG (MT19937) algorithm and checks its validity by ensuring the first five bytes are NULL.
Finally, the Ransomware encrypts the generated RC4 key using the RSA public key and stores it in a file with the format “filename.extension.C_l_0P”.
The Ransomware now begins encrypting the files in the victim’s machine. The data is encrypted using the RC4 encryption algorithm. The figure below shows the file’s encrypted content starting from the address 4000h.
The Cl0p ransom note includes contact details of TAs that victims can use to negotiate a ransom payment to recover their files. It also contains an Onion URL leading to the leak site page.
The figure below shows the Cl0p Ransomware ransom note.
The below figure shows the leak site of the Cl0p ransomware gang.
Security researchers have recently discovered that Cl0p Ransomware is now targeting Linux systems. Fortunately, this new variant of Ransomware has a flawed encryption algorithm, which is good news for victims because it means they can recover their encrypted files without paying a ransom.
Although the Linux variant of Ransomware is specifically designed for this operating system, the fundamental logic behind it remains the same as the Windows variant.
Conclusion
With its various versions, Cl0p Ransomware has the ability to infect both Linux and Windows operating systems. This malware is among many other ransomware types found on the surface web that deploy a strong encryption algorithm to encrypt user files and leave ransom notes containing instructions on recovering the encrypted data.
In a brief span of time, there have been numerous attacks that have targeted various industries across the world. We anticipate that there will be more attacks in the future by Cl0p Ransomware.
Our Recommendations
Safety Measures Needed to Prevent Ransomware Attacks
- Conduct regular backup practices and keep those backups offline or in a separate network.
- Turn on the automatic software update feature on your computer, mobile, and other connected devices wherever possible and pragmatic.
- Use a reputed anti-virus and Internet security software package on your connected devices, including PC, laptop, and mobile.
- Refrain from opening untrusted links and email attachments without verifying their authenticity.
Users Should Take the Following Steps After the Ransomware Attack
- Detach infected devices on the same network.
- Disconnect external storage devices if connected.
- Inspect system logs for suspicious events.
- A decryption tool for the Linux variant is available on GitHub
MITRE ATT&CK® Techniques
| Tactic | Technique ID | Technique Name |
| Initial Access | T1133 T1566 | External Remote Services Phishing |
| Execution | T1059 T1204 | Command and Scripting Interpreter User Execution |
| Discovery | T1082 T1135 T1083 | System Information Discovery Network Share Discovery File and Directory Discovery |
| Impact | T1486 | Data encrypted for impact |
Indicators of Compromise (IOCs)
| Indicators | Indicator Type | Description |
| 46cd508b7e77bb2c1d47f7fef0042a13c516f8163f9373ef9dfac180131c65ed 40b7b386c2c6944a6571c6dcfb23aaae026e8e82 f59d2a3c925f331aae7437dd7ac1a7c8 | Sha256 Sha1 Md5 | Cl0p Ransomware |
| e98c2fa10d77d345c960fc63436405a8b5024bd9b938a5962f70f66842e8b2cf eaa8a81f8564b2da25b9d91797fda8e53fca93b8 a610664961870a1817df06f3eae1010b | Sha256 Sha1 Md5 | Cl0p Ransomware |
| 343cb2d5900f5fe4abd5442a4a18541753fbb6ca5ff4ee7f2c312ed96e413335 a074790705ecbede2e67cced4bcb62d833d828a5 1e98a8d79ed7afbd77f6536dd7b4398f | Sha256 Sha1 Md5 | Cl0p Ransomware |
| 4839c7e3dde1e707cb538ab301d792b3ad75b45b03c65a4a6095c2a65ce65c84 25109b11c5dd418ca98f7971b8cc4ded8b0cd446 bcf497379b84656ede89d562067d1ced | Sha256 Sha1 Md5 | Cl0p Ransomware |
| 09d6dab9b70a74f61c41eaa485b37de9a40c86b6d2eae7413db11b4e6a8256ef 46b02cc186b85e11c3d59790c3a0bfd2ae1f82a5 31e0439e6ef1dd29c0db6d96bac59446 | Sha256 Sha1 Md5 | ELF Variant |
