Law enforcement is on a roll. Europol members recently arrested numerous people in connection with a US law enforcement sting; last week Mexico arrested hacktivist Commander X; and now police in Ukraine reported earlier this week they arrested members of a major ransomware gang. The arrests mark the first time a law enforcement agency has announced a mass arrest of a prolific hacker group that had extorted Americans by either encrypting an organization's files or threatening to leak them to the public.
The gang, known as Cl0p, has hacked numerous US corporate targets, including the University of Miami (Florida), Stanford University, University of Maryland, and University of Colorado, demanding a payment to either keep their systems functional or to not publish material they were able to steal.[1]
The Ukrainian bust comes as ransomware has gone from a quietly pervasive cybersecurity problem to a broadly discussed national security issue, thanks to a series of high-profile attacks that have threatened to cripple some US supply chains. Some of those problems the hackers created for themselves through overzealousness.
The majority of the most prolific ransomware gangs are believed to operate in Eastern Europe, and Russia in particular. Ukraine's cyber police announced they had arrested six people involved with Cl0p, and seized a number of computers, cars and about 5 million Ukrainian hryvnia ($185,000) in cash. A video released by Ukrainian authorities showed heavily armed officers descending on what appeared to be residences and seizing everything from stacks of cash and computers to luxury cars.[2]
Though Cl0p is not the most prolific ransomware gang, it still hacked dozens of targets, mostly in the US and South Korea. Cl0p became operational in the summer of 2020, said Recorded Future. "While they weren’t considered a top-tier ransomware actor, their methods were fairly sophisticated," they said. Interpol, the international police organization, which often helps with cybercrime investigations, said it assisted with the case.
On various posts, some hackers are mocking and taunting the police:
Last March, LMNTRIX Labs observed increased activity by the Cl0p ransomware gang targeting multiple enterprises and companies across the globe. Following is their activity timeline from the last two years. This particular group has been visibly active throughout COVID-19 spike phases and targeted pharmaceutical companies extensively. Interestingly, the Accellion breach, which was reported as the result of exploitation of a vulnerability in the FTA product, was also linked to the Cl0p ransomware group.[3]
Activity Timeline (to the right):
Sample Analysis
The following sample was recently used by the Clop ransomware group in their latest campaign.
Sample Name: Ul7Koup6DD.bin
Process path: C:\Users\Xmp\Desktop\hfq3LofMt4.exe
SHA256: 15f9ed36d9efc6e570b4f506791ce2c6a849853e2f6d587f30fb12d39dba2649
Analyzing the sample, we saw that the malicious binary shares code with all the samples seen so far for Cl0p ransomware. Around 480+ strings reused from earlier samples were also observed.
Related Sample
Sample Timeline | SHA256
Feb 2021 | 09ab880f3021ac2d05e09bebd567ddf5f6f7cfb396573efd819a056931f3b391
Dec 2019 | cff60c9c30bf71112c79f788c4ccbd7151285d52be31c8e891b365d93a7e241d
Nov/Dec 2020 | 7c19c49836ed7dccd0ebcd5a5a56f6b6411ecc59fdc7fa31f0ee0f64eee7aa89
Dec 2020 | 7c6e5cd61fafd38e420c2bd9e12ed1ec06e31dd5d20c081d214a96c16b1492c8
Jan 2021 | 968307a367471e25bef58b0d4687ab4fdf34539bbfb603b5b19ae99d4d0c0340
The ransomware program is written in C++ and developed in Visual Studio. All Cl0p samples observed so far are for the x86 architecture. The size of the unpacked sample is between 100 and 200 KB. Cl0p renames the encrypted files, appending the extension ".Cllp" or ".CI0p".
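As an added example (not code from the original post, LMNTRIX Labs or Red Sky Alliance), the Python below turns the indicators above into a detection check: it flags a host on which several files are renamed to the ".Cllp" or ".CI0p" extension inside a short window, which is the burst that bulk file encryption produces, and it looks up a SHA256 against the hashes listed on this page. The audit-log format, host names and paths are constructed for the example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Extensions the post reports Cl0p appending to encrypted files (compared case-insensitively).
CLOP_EXTENSIONS = (".cllp", ".ci0p")

# SHA256 values taken from this page's sample analysis; a hit is a high-confidence indicator.
KNOWN_CLOP_SHA256 = {
    "15f9ed36d9efc6e570b4f506791ce2c6a849853e2f6d587f30fb12d39dba2649",
    "09ab880f3021ac2d05e09bebd567ddf5f6f7cfb396573efd819a056931f3b391",
}
# Constructed file-rename audit records in a hypothetical "ts host action dst" format.
SAMPLE_LOG = """\
2021-06-15T10:00:01 host=fs01 action=rename dst="D:\\share\\q1.xlsx.Cllp"
2021-06-15T10:00:02 host=fs01 action=rename dst="D:\\share\\q2.xlsx.CI0p"
2021-06-15T10:00:03 host=ws07 action=rename dst="C:\\Users\\a\\report.docx"
2021-06-15T10:00:04 host=fs01 action=rename dst="D:\\share\\q3.xlsx.Cllp"
2021-06-15T10:30:00 host=ws07 action=rename dst="C:\\Users\\a\\notes.txt.Cllp"
"""
EVENT_RE = re.compile(r'^(?P<ts>\S+) host=(?P<host>\S+) action=rename dst="(?P<dst>[^"]*)"$')

def parse_events(text):
    """Yield (timestamp, host, destination path) for each well-formed record."""
    for line in text.splitlines():
        m = EVENT_RE.match(line)
        if m:
            yield datetime.fromisoformat(m["ts"]), m["host"], m["dst"]

def has_clop_extension(path):
    """True when the file name ends in one of the Cl0p extensions, in any letter case."""
    return path.lower().endswith(CLOP_EXTENSIONS)

def detect_mass_rename(text, threshold=3, window=timedelta(seconds=60)):
    """Return host -> time of the rename that tripped the alert; one stray rename is
    tolerated, a burst of `threshold` renames inside the sliding window is not."""
    recent = defaultdict(list)  # host -> timestamps of recent Cl0p-style renames
    alerts = {}
    for ts, host, dst in parse_events(text):
        if not has_clop_extension(dst):
            continue
        recent[host] = [t for t in recent[host] if ts - t <= window] + [ts]
        if len(recent[host]) >= threshold and host not in alerts:
            alerts[host] = ts
    return alerts

def is_known_sample(sha256_hex):
    """Hash lookup against the indicators listed on this page."""
    return sha256_hex.strip().lower() in KNOWN_CLOP_SHA256
```

Feed real rename events from file-server auditing or EDR telemetry into parse_events by adapting EVENT_RE; the threshold and window should be tuned against normal rename volume on the host class being watched.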
MITRE MATRIX
Attribution
The gang's modus operandi has been the double-extortion technique. They use lateral movement to exfiltrate large amounts of the victim's data from the network and only then launch the ransomware. This is a foolproof method: even if the victims have a backup of their data and refuse to pay the ransom, the gang still threatens to leak the stolen data onto its dark web leak site, as shown below. The gang also uses a chat site to negotiate the extortion amount with its victims.
NSW Transport's terabytes of data were leaked onto the dark web in a similar fashion, dumped in 9 different parts. These include contract details, email communications, and much more. Here is a snapshot from the NSW Transport leak:
Mitigation
YARA rule for Cl0p ransomware:

rule win_clop_auto {
    meta:
        date = "2021-2-21"
        version = "1"
        /* DISCLAIMER
         * The strings used in this rule have been automatically selected from the
         * disassembly of memory dumps and unpacked files, using .
         */
    strings:
        $sequence_0 = { 68???????? 68???????? e8???????? 83c424 6aff }
            // n = 5, score = 300
            //   68????????           |
            //   68????????           |
            //   e8????????           |
            //   83c424               | add esp, 0x24
            //   6aff                 | push -1
        $sequence_1 = { ffd0 c3 8bff 55 8bec 83ec1c 8d4de4 }
            // n = 7, score = 300
            //   ffd0                 | call eax
            //   c3                   | ret
            //   8bff                 | mov edi, edi
            //   55                   | push ebp
            //   8bec                 | mov ebp, esp
            //   83ec1c               | sub esp, 0x1c
            //   8d4de4               | lea ecx, [ebp - 0x1c]
        $sequence_2 = { 6a04 6800300000 6887000000 6a00 }
            // n = 4, score = 300
            //   6a04                 | push 4
            //   6800300000           | push 0x3000
            //   6887000000           | push 0x87
            //   6a00                 | push 0
        $sequence_3 = { 8d85bcefffff 50 ff15???????? 68???????? }
            // n = 4, score = 300
            //   8d85bcefffff         | lea eax, [ebp - 0x1044]
            //   50                   | push eax
            //   ff15????????         |
            //   68????????           |
        $sequence_4 = { ff15???????? 68???????? 8d85dcf7ffff 50 }
            // n = 4, score = 300
            //   ff15????????         |
            //   68????????           |
            //   8d85dcf7ffff         | lea eax, [ebp - 0x824]
            //   50                   | push eax
        $sequence_5 = { 6a00 ff15???????? 68???????? 8bd8 }
            // n = 4, score = 300
            //   6a00                 | push 0
            //   ff15????????         |
            //   68????????           |
            //   8bd8                 | mov ebx, eax
        $sequence_6 = { e8???????? 83c408 6aff ff15???????? 33c0 }
            // n = 5, score = 300
            //   e8????????           |
            //   83c408               | add esp, 8
            //   6aff                 | push -1
            //   ff15????????         |
            //   33c0                 | xor eax, eax
        $sequence_7 = { 8d85c8efffff 50 6a08 6a01 ff15???????? 85c0 }
            // n = 6, score = 300
            //   8d85c8efffff         | lea eax, [ebp - 0x1038]
            //   50                   | push eax
            //   6a08                 | push 8
            //   6a01                 | push 1
            //   ff15????????         |
            //   85c0                 | test eax, eax
        $sequence_8 = { 83c40c 33f6 85ff 7428 }
            // n = 4, score = 300
            //   83c40c               | add esp, 0xc
            //   33f6                 | xor esi, esi
            //   85ff                 | test edi, edi
            //   7428                 | je 0x2a
        $sequence_9 = { 53 8bf8 ff15???????? 8bf0 56 6a40 }
            // n = 6, score = 300
            //   53                   | push ebx
            //   8bf8                 | mov edi, eax
            //   ff15????????         |
            //   8bf0                 | mov esi, eax
            //   56                   | push esi
            //   6a40                 | push 0x40
        $sequence_10 = { 83c40c 6860070000 6a40 ff15???????? }
            // n = 4, score = 300
            //   83c40c               | add esp, 0xc
            //   6860070000           | push 0x760
            //   6a40                 | push 0x40
            //   ff15????????         |
        $sequence_11 = { 8bf0 56 53 ff15???????? 50 ff15???????? 56 }
            // n = 7, score = 300
            //   8bf0                 | mov esi, eax
            //   56                   | push esi
            //   53                   | push ebx
            //   ff15????????         |
            //   50                   | push eax
            //   ff15????????         |
            //   56                   | push esi
        $sequence_12 = { 53 56 ff15???????? 56 ff15???????? 53 ff15???????? }
            // n = 7, score = 300
            //   53                   | push ebx
            //   56                   | push esi
            //   ff15????????         |
            //   56                   | push esi
            //   ff15????????         |
            //   53                   | push ebx
            //   ff15????????         |
        $sequence_13 = { 50 ff15???????? 56 53 8bf8 ff15???????? }
            // n = 6, score = 300
            //   50                   | push eax
            //   ff15????????         |
            //   56                   | push esi
            //   53                   | push ebx
            //   8bf8                 | mov edi, eax
            //   ff15????????         |
        $sequence_14 = { 83c424 53 50 ffd6 }
            // n = 4, score = 300
            //   83c424               | add esp, 0x24
            //   53                   | push ebx
            //   50                   | push eax
            //   ffd6                 | call esi
        $sequence_15 = { 50 e8???????? 83c40c c785f0efffff00080000 8d85f0efffff c785ecefffff00000000 c785f4efffff00000000 }
            // n = 7, score = 200
            //   50                   | push eax
            //   e8????????           |
            //   83c40c               | add esp, 0xc
            //   c785f0efffff00080000 | mov dword ptr [ebp - 0x1010], 0x800
            //   8d85f0efffff         | lea eax, [ebp - 0x1010]
            //   c785ecefffff00000000 | mov dword ptr [ebp - 0x1014], 0
            //   c785f4efffff00000000 | mov dword ptr [ebp - 0x100c], 0
    condition:
        7 of them and filesize < 630784
}
An ounce of prevention is ALWAYS worth a pound of cure. Red Sky Alliance strongly recommends ongoing monitoring from both internal and external perspectives. Internal monitoring is common practice and very important; however, external threats are often overlooked and can represent an early warning of impending attacks. Red Sky Alliance can provide internal monitoring in tandem with RedXray dark web notifications on external threats, including botnet activity, public data breaches, phishing, fraud, and general targeting.
Red Sky Alliance is in New Boston, NH USA. We are a Cyber Threat Analysis and Intelligence Service organization. For questions, comments or assistance, please contact the lab directly at 1-844-492-7225, or feedback@wapacklabs.com.
Interested in a RedXray subscription to see what we can do for you? Sign up here: https://www.wapacklabs.com/RedXray
- Reporting: https://www.redskyalliance.org/
- Website: https://www.wapacklabs.com/
- LinkedIn: https://www.linkedin.com/company/64265941
[1] https://www.nbcnews.com/tech/security/ransomware-gang-busted-authorities-ukraine-rcna1199
[2] https://securityboulevard.com/2021/06/cops-cop-cl0p-ransomware-gang-or-maybe-not/
[3] https://lmntrix.com/lab/cl0p-ransomware-gang-leaks-nsw-transport-data-on-the-dark-web/