Cl0p Hacker Arrests in Ukraine

Law enforcement is on a roll.  Europol members recently arrested numerous people in connection with a US law enforcement sting; last week Mexico arrested hacktivist Commander X; and now police in Ukraine reported earlier this week that they arrested members of a major ransomware gang.  The arrests mark the first time a law enforcement agency has announced a mass arrest of a prolific hacker group that had extorted Americans by either encrypting an organization's files or threatening to leak them to the public.

The gang, known as Cl0p, has hacked numerous US corporate targets, including the University of Miami (Florida), Stanford University, University of Maryland, and University of Colorado, demanding a payment to either keep their systems functional or to not publish material they were able to steal.[1]

The Ukrainian bust comes as ransomware has gone from a quietly pervasive cybersecurity problem to a broadly discussed national security issue, thanks to a series of high-profile attacks that have threatened to cripple some US supply chains.  That is a situation the hackers brought on themselves through their own overzealousness.

The majority of the most prolific ransomware gangs are believed to operate in Eastern Europe, and Russia in particular.  Ukraine's cyber police announced they had arrested six people involved with Cl0p, and seized a number of computers, cars and about 5 million Ukrainian hryvnia ($185,000) in cash.  A video released by Ukrainian authorities showed heavily armed officers descending on what appeared to be residences and seizing everything from stacks of cash and computers to luxury cars.[2]

Though Cl0p is not the most prolific ransomware gang, it still hacked dozens of targets, mostly in the US and South Korea.  Cl0p became operational in the summer of 2020, said Recorded Future.  "While they weren’t considered a top-tier ransomware actor, their methods were fairly sophisticated," they said.  Interpol, the international police organization, which often helps with cybercrime investigations, said it assisted with the case. 

On various posts, some hackers are mocking and taunting the police:

[Screenshot of forum posts mocking and taunting the police]

Last March, LMNTRIX Labs observed increased activity by the Cl0p ransomware gang targeting multiple enterprises and companies across the globe. The following is the group's activity timeline from the last two years.  This particular group has been visibly active throughout the COVID-19 spike phases and has targeted pharmaceutical companies extensively. Interestingly, the Accellion breach, which was attributed to exploitation of an FTA vulnerability, was also linked to the Cl0p ransomware group.[3]

Activity Timeline: [timeline image]

Sample Analysis

The following sample was recently used by the Cl0p ransomware group in its latest campaign.

Sample Name: Ul7Koup6DD.bin

Process path: C:\Users\Xmp\Desktop\hfq3LofMt4.exe

SHA256: 15f9ed36d9efc6e570b4f506791ce2c6a849853e2f6d587f30fb12d39dba2649
Analysis of the sample shows that the malicious binary shares code with all of the Cl0p ransomware samples seen so far. Reuse of around 480+ strings by the sample has also been observed.

Related Samples

Sample Timeline    SHA256
Feb 2021           09ab880f3021ac2d05e09bebd567ddf5f6f7cfb396573efd819a056931f3b391
Dec 2019           cff60c9c30bf71112c79f788c4ccbd7151285d52be31c8e891b365d93a7e241d
Nov/Dec 2020       7c19c49836ed7dccd0ebcd5a5a56f6b6411ecc59fdc7fa31f0ee0f64eee7aa89
Dec 2020           7c6e5cd61fafd38e420c2bd9e12ed1ec06e31dd5d20c081d214a96c16b1492c8
Jan 2021           968307a367471e25bef58b0d4687ab4fdf34539bbfb603b5b19ae99d4d0c0340

The ransomware program is written in C++ and developed in Visual Studio.  All Cl0p samples observed so far are built for the x86 architecture. The size of the unpacked sample is between 100 and 200 KB. Cl0p renames each encrypted file by appending the extension ".Cllp" or ".CI0p".

MITRE MATRIX

[MITRE ATT&CK matrix image]

Attribution

The gang's modus operandi is the double extortion technique. They use lateral movement to exfiltrate large amounts of the victim's data from the network and only then launch the ransomware. This makes the scheme effectively foolproof: even when victims have backups of their data and refuse to pay the ransom, the gang still threatens to leak the stolen data on its dark web leak site, shown below. The gang also uses a chat site to negotiate the extortion amount with its victims.

[Screenshot of the Cl0p dark web leak site]

Terabytes of NSW Transport's data were leaked onto the dark web in a similar fashion, dumped in 9 separate parts. These include contract details, email communications, and much more. Here is a snapshot of the NSW Transport leak:

[Screenshot of the NSW Transport leak listing]

Mitigation

YARA rule for Cl0p ransomware (auto-generated code-sequence signature; the "??" bytes are wildcards for operands such as call targets and pushed addresses that differ between builds):

rule win_clop_auto {

    meta:
        date = "2021-2-21"
        version = "1"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using .
     */

    strings:
        $sequence_0 = { 68???????? 68???????? e8???????? 83c424 6aff }
            // n = 5, score = 300
            //   68????????           |
            //   68????????           |
            //   e8????????           |
            //   83c424               | add                 esp, 0x24
            //   6aff                 | push                -1

        $sequence_1 = { ffd0 c3 8bff 55 8bec 83ec1c 8d4de4 }
            // n = 7, score = 300
            //   ffd0                 | call                eax
            //   c3                   | ret
            //   8bff                 | mov                 edi, edi
            //   55                   | push                ebp
            //   8bec                 | mov                 ebp, esp
            //   83ec1c               | sub                 esp, 0x1c
            //   8d4de4               | lea                 ecx, [ebp - 0x1c]

        $sequence_2 = { 6a04 6800300000 6887000000 6a00 }
            // n = 4, score = 300
            //   6a04                 | push                4
            //   6800300000           | push                0x3000
            //   6887000000           | push                0x87
            //   6a00                 | push                0

        $sequence_3 = { 8d85bcefffff 50 ff15???????? 68???????? }
            // n = 4, score = 300
            //   8d85bcefffff         | lea                 eax, [ebp - 0x1044]
            //   50                   | push                eax
            //   ff15????????         |
            //   68????????           |

        $sequence_4 = { ff15???????? 68???????? 8d85dcf7ffff 50 }
            // n = 4, score = 300
            //   ff15????????         |
            //   68????????           |
            //   8d85dcf7ffff         | lea                 eax, [ebp - 0x824]
            //   50                   | push                eax

        $sequence_5 = { 6a00 ff15???????? 68???????? 8bd8 }
            // n = 4, score = 300
            //   6a00                 | push                0
            //   ff15????????         |
            //   68????????           |
            //   8bd8                 | mov                 ebx, eax

        $sequence_6 = { e8???????? 83c408 6aff ff15???????? 33c0 }
            // n = 5, score = 300
            //   e8????????           |
            //   83c408               | add                 esp, 8
            //   6aff                 | push                -1
            //   ff15????????         |
            //   33c0                 | xor                 eax, eax

        $sequence_7 = { 8d85c8efffff 50 6a08 6a01 ff15???????? 85c0 }
            // n = 6, score = 300
            //   8d85c8efffff         | lea                 eax, [ebp - 0x1038]
            //   50                   | push                eax
            //   6a08                 | push                8
            //   6a01                 | push                1
            //   ff15????????         |
            //   85c0                 | test                eax, eax

        $sequence_8 = { 83c40c 33f6 85ff 7428 }
            // n = 4, score = 300
            //   83c40c               | add                 esp, 0xc
            //   33f6                 | xor                 esi, esi
            //   85ff                 | test                edi, edi
            //   7428                 | je                  0x2a

        $sequence_9 = { 53 8bf8 ff15???????? 8bf0 56 6a40 }
            // n = 6, score = 300
            //   53                   | push                ebx
            //   8bf8                 | mov                 edi, eax
            //   ff15????????         |
            //   8bf0                 | mov                 esi, eax
            //   56                   | push                esi
            //   6a40                 | push                0x40

        $sequence_10 = { 83c40c 6860070000 6a40 ff15???????? }
            // n = 4, score = 300
            //   83c40c               | add                 esp, 0xc
            //   6860070000           | push                0x760
            //   6a40                 | push                0x40
            //   ff15????????         |

        $sequence_11 = { 8bf0 56 53 ff15???????? 50 ff15???????? 56 }
            // n = 7, score = 300
            //   8bf0                 | mov                 esi, eax
            //   56                   | push                esi
            //   53                   | push                ebx
            //   ff15????????         |
            //   50                   | push                eax
            //   ff15????????         |
            //   56                   | push                esi

        $sequence_12 = { 53 56 ff15???????? 56 ff15???????? 53 ff15???????? }
            // n = 7, score = 300
            //   53                   | push                ebx
            //   56                   | push                esi
            //   ff15????????         |
            //   56                   | push                esi
            //   ff15????????         |
            //   53                   | push                ebx
            //   ff15????????         |

        $sequence_13 = { 50 ff15???????? 56 53 8bf8 ff15???????? }
            // n = 6, score = 300
            //   50                   | push                eax
            //   ff15????????         |
            //   56                   | push                esi
            //   53                   | push                ebx
            //   8bf8                 | mov                 edi, eax
            //   ff15????????         |

        $sequence_14 = { 83c424 53 50 ffd6 }
            // n = 4, score = 300
            //   83c424               | add                 esp, 0x24
            //   53                   | push                ebx
            //   50                   | push                eax
            //   ffd6                 | call                esi

        $sequence_15 = { 50 e8???????? 83c40c c785f0efffff00080000 8d85f0efffff c785ecefffff00000000 c785f4efffff00000000 }
            // n = 7, score = 200
            //   50                   | push                eax
            //   e8????????           |
            //   83c40c               | add                 esp, 0xc
            //   c785f0efffff00080000 | mov                 dword ptr [ebp - 0x1010], 0x800
            //   8d85f0efffff         | lea                 eax, [ebp - 0x1010]
            //   c785ecefffff00000000 | mov                 dword ptr [ebp - 0x1014], 0
            //   c785f4efffff00000000 | mov                 dword ptr [ebp - 0x100c], 0

    condition:
        7 of them and filesize < 630784
}
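To show how the rule's wildcard byte sequences and its "7 of them" condition behave, here is an added Python example (not from the post, the rule's authors, or the YARA project) that translates seven of the rule's hex strings into byte regexes and evaluates the condition against a constructed blob; it is a teaching re-implementation for analysts, not a replacement for running the rule in YARA itself.

```python
import re

# Seven of the sixteen hex strings from the win_clop_auto rule above; "??" is a wildcard byte.
CL0P_SEQUENCES = {
    "sequence_0": "68???????? 68???????? e8???????? 83c424 6aff",
    "sequence_1": "ffd0 c3 8bff 55 8bec 83ec1c 8d4de4",
    "sequence_2": "6a04 6800300000 6887000000 6a00",
    "sequence_6": "e8???????? 83c408 6aff ff15???????? 33c0",
    "sequence_8": "83c40c 33f6 85ff 7428",
    "sequence_10": "83c40c 6860070000 6a40 ff15????????",
    "sequence_14": "83c424 53 50 ffd6",
}
REQUIRED_MATCHES = 7   # the rule's "7 of them"
MAX_FILESIZE = 630784  # the rule's "filesize < 630784"

def hex_pattern_to_regex(pattern: str):
    """Translate a YARA-style hex string into a bytes regex ('??' -> any one byte)."""
    digits = pattern.replace(" ", "")
    parts = []
    for i in range(0, len(digits), 2):
        pair = digits[i:i + 2]
        # re.escape matters: bytes such as 0x24 ('$') and 0x28 ('(') are regex metacharacters
        parts.append(b"." if pair == "??" else re.escape(bytes([int(pair, 16)])))
    return re.compile(b"".join(parts), re.DOTALL)

def match_sequences(data: bytes, sequences=CL0P_SEQUENCES) -> dict:
    """Return {sequence name: first offset} for every sequence found in data."""
    hits = {}
    for name, pattern in sequences.items():
        found = hex_pattern_to_regex(pattern).search(data)
        if found:
            hits[name] = found.start()
    return hits

def evaluate_rule(data: bytes, sequences=CL0P_SEQUENCES) -> bool:
    """Mirror the rule's condition: 7 or more sequences hit and size below 630784 bytes."""
    return len(match_sequences(data, sequences)) >= REQUIRED_MATCHES and len(data) < MAX_FILESIZE

def constructed_sample() -> bytes:
    """Constructed blob (not a real Cl0p binary): the seven sequences with arbitrary wildcard bytes, NOP-padded."""
    chunks = [
        "68 11223344 68 55667788 e8 aabbccdd 83c424 6aff",
        "ffd0 c3 8bff 55 8bec 83ec1c 8d4de4",
        "6a04 6800300000 6887000000 6a00",
        "e8 deadbeef 83c408 6aff ff15 01020304 33c0",
        "83c40c 33f6 85ff 7428",
        "83c40c 6860070000 6a40 ff15 10203040",
        "83c424 53 50 ffd6",
    ]
    return (b"\x90" * 16).join(bytes.fromhex(c) for c in chunks)
```

Running the same logic over a buffer of plain NOPs yields no hits, which illustrates why the rule requires several independent code sequences rather than any single one.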

An ounce of prevention is ALWAYS worth a pound of cure.  Red Sky Alliance strongly recommends ongoing monitoring from both internal and external perspectives.  Internal monitoring is common practice and very important; however, external threats are often overlooked and can represent an early warning of impending attacks.  Red Sky Alliance can provide internal monitoring in tandem with RedXray dark web notifications on external threats, including botnet activity, public data breaches, phishing, fraud, and general targeting.

Red Sky Alliance is in New Boston, NH USA.  We are a Cyber Threat Analysis and Intelligence Service organization.  For questions, comments or assistance, please contact the lab directly at 1-844-492-7225, or feedback@wapacklabs.com.

Interested in a RedXray subscription to see what we can do for you?  Sign up here: https://www.wapacklabs.com/RedXray   

[1] https://www.nbcnews.com/tech/security/ransomware-gang-busted-authorities-ukraine-rcna1199

[2] https://securityboulevard.com/2021/06/cops-cop-cl0p-ransomware-gang-or-maybe-not/

[3] https://lmntrix.com/lab/cl0p-ransomware-gang-leaks-nsw-transport-data-on-the-dark-web/
