Clop or CIop is a ransomware that runs on Microsoft Windows. It was discovered by MalwareHunterTeam. It is part of the CryptoMix family. The word clop means bug in Russian. It is aimed at English-speaking users, and its ransom note indicates that the attackers are targeting entire networks rather than individual computers.

It has been used as a final payload by an APT group named TA505.

Payload

Transmission

Clop is distributed using executables that have been code-signed with a digital signature. Doing so makes the executable appear more legitimate and may help to bypass security software detections.

Infection

It first stops numerous Windows services and processes in order to disable antivirus software such as Windows Defender and Malwarebytes, and to close open files so that they are ready for encryption.

To disable Windows Defender, it configures various Registry values that disable behavior monitoring, real-time protection, sample uploading to Microsoft, Tamper Protection, cloud detections, and antispyware detections. It sets the following registry values:

cmd.exe /C reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableBehaviorMonitoring" /t REG_DWORD /d "1" /f
cmd.exe /C reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableOnAccessProtection" /t REG_DWORD /d "1" /f
cmd.exe /C reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableRealtimeMonitoring" /t REG_DWORD /d "1" /f
cmd.exe /C reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Spynet" /v "SubmitSamplesConsent" /t REG_DWORD /d "2" /f
cmd.exe /C reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableScanOnRealtimeEnable" /t REG_DWORD /d "1" /f
cmd.exe /C reg add "HKLM\Software\Microsoft\Windows Defender\Features" /v "TamperProtection" /t REG_DWORD /d "0" /f
cmd.exe /C reg add "HKLM\Software\Policies\Microsoft\Windows Defender" /v "DisableAntiSpyware" /t REG_DWORD /d "1" /f
cmd.exe /C reg add "HKLM\Software\Policies\Microsoft\Windows Defender\MpEngine" /v "MpCloudBlockLevel" /t REG_DWORD /d "0" /f
cmd.exe /C reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Spynet" /v "SpynetReporting" /t REG_DWORD /d "0" /f

If the user has Tamper Protection enabled, it will just reset Windows Defender.

In addition to Windows Defender, Clop also targets older computers by uninstalling Microsoft Security Essentials. As the attackers run Clop with administrator privileges, this command removes the software without a problem:

cmd.exe /C "C:\Program Files\Microsoft Security Client\Setup.exe" /x /s

To remove Malwarebytes, it uses the following command:

C:\Program Files\MalwareBytes\Anti-Ransomware\unins000.exe /verysilent /suppressmsgboxes /norestart

Newer versions of Clop can terminate a total of 663 processes, which include new Windows 10 apps, popular text editors, debuggers, programming languages, terminal programs, and programming IDE software.

Some of the more interesting processes that are terminated include the Android Debug Bridge, Notepad++, Everything, Tomcat, SnagIt, Bash, Visual Studio, Microsoft Office applications, programming languages such as Python and Ruby, the SecureCRT terminal application, the Windows calculator, and even the new Windows 10 Your Phone app.

ACROBAT.EXE
ADB.EXE
CODE.EXE
CALCULATOR.EXE
CREATIVE CLOUD.EXE
ECLIPSE.EXE
EVERYTHING.EXE
JENKINS.EXE
MEMCACHED.EXE
MICROSOFTEDGE.EXE
NOTEPAD++.EXE
POWERPNT.EXE
PYTHON.EXE
QEMU-GA.EXE
RUBY.EXE
SECURECRT.EXE
SKYPEAPP.EXE
SNAGIT32.EXE
TOMCAT7.EXE
UEDIT32.EXE
WINRAR.EXE
WINWORD.EXE
YOURPHONE.EXE

It then creates a batch file named clearnetworkdns_11-22-33.bat that is executed soon after the ransomware is launched. This batch file disables Windows' automatic startup repair, removes shadow volume copies, and then resizes the shadow copy storage in order to clear orphaned shadow volume copies.

The ransomware then begins to encrypt the victim's files. When encrypting a file it appends the .Clop or .CIop extension to the encrypted file's name.

It also creates a ransom note named CIopReadMe.txt, which now indicates that the attackers are targeting an entire network rather than an individual computer. The ransom note says the following:

------------------------Your networks has been penetrated---------------------------------------
All files on each host in the networks have been encrypted with a strong algorithm.
Backups were either encrypted or deleted or backup disks were formatted.
Shadow copies also removed, so F-8 or any other methods may damage encrypted data but not recover.
We exclusively have decryption software for your situation.
===No DECRYPTION software is AVAILABLE in the PUBLIC===
- DO NOT RENAME OR MOVE the encrypted and readme files.
========================DO NOT RESET OR SHUTDOWN – FILES MAY BE DAMAGED========================
========================DO NOT RESET OR SHUTDOWN – FILES MAY BE DAMAGED========================
========================DO NOT RESET OR SHUTDOWN – FILES MAY BE DAMAGED========================
---THIS MAY LEAD TO THE IMPOSSIBILITY OF RECOVERY OF THE CERTAIN FILES---
---ALL REPAIR TOOLS ARE USELESS AND CAN DESTROY YOUR FILES IRREVERSIBLY---
If you want to restore your files write to email.
[CONTACTS ARE AT THE BOTTOM OF THE SHEET] and attach 4-6 encrypted files!
[Less than 7 Mb each, non-archived and your files should not contain valuable information!!!
[Databases,large excel sheets, backups  etc...]]!!!
***You will receive decrypted samples and our conditions how to get the decoder***

*^*ATTENTION*^*
=YOUR WARRANTY - DECRYPTED SAMPLES=
-=-DO NOT TRY TO DECRYPT YOUR DATA USING THIRD PARTY SOFTWARE-=-
-=-WE DONT NEED YOUR FILES AND YOUR INFORMATION-=-

CONTACTS E-MAILS: 
unlock@eqaltech.su
AND
unlock@royalmail.su
OR
kensgilbomet@protonmail.com

_-_ATTENTION_-_
In the letter, type your company name and site!

***The final price depends on how fast you write to us***
^_*Nothing personal just business^_* CLOP^_-
----------------------------------------------------------------------------------------------

This ransom note also contains the emails unlock@eqaltech.su, unlock@royalmail.su, and kensgilbomet@protonmail.com that can be used to contact the attackers for payment instructions.
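The appended extension and the ransom note name are the two filesystem artefacts a responder can sweep for when scoping an incident across the hosts the note claims were hit. The triage scanner below is an added example, not code from the page: it walks a directory tree, classifies files by name only (no content is read, so it is safe on a live share), matches both the .Clop and the .CIop spelling case-insensitively, and summarises which top-level directories hold hits. The sample tree is constructed in a temporary directory for the example; the l-spelled note name ClopReadMe.txt is an assumption added for homoglyph coverage, not a name the page reports.

```python
import tempfile
from pathlib import Path
from typing import Dict, List, Optional

# Extensions the page reports Clop appending; the second spells the name with a capital I.
ENCRYPTED_EXTENSIONS = {".clop", ".ciop"}
# CIopReadMe.txt is from the page; the l-spelled variant is an assumption for homoglyph coverage.
RANSOM_NOTE_NAMES = {"ciopreadme.txt", "clopreadme.txt"}


def classify(path: Path) -> Optional[str]:
    """Return "encrypted", "ransom_note" or None, judged from the file name alone."""
    name = path.name.lower()
    if name in RANSOM_NOTE_NAMES:
        return "ransom_note"
    if path.suffix.lower() in ENCRYPTED_EXTENSIONS:
        return "encrypted"
    return None


def scan_tree(root: Path) -> Dict[str, List[str]]:
    """Walk root and collect encrypted files, ransom notes and the top-level directories hit."""
    result: Dict[str, List[str]] = {"encrypted": [], "ransom_notes": [], "affected_top_dirs": []}
    affected = set()
    for path in root.rglob("*"):
        if not path.is_file():
            continue
        kind = classify(path)
        if kind is None:
            continue
        rel = path.relative_to(root)
        result["encrypted" if kind == "encrypted" else "ransom_notes"].append(rel.as_posix())
        affected.add(rel.parts[0])  # treat each top-level directory as one host or share
    for key in ("encrypted", "ransom_notes"):
        result[key].sort()
    result["affected_top_dirs"] = sorted(affected)
    return result


def build_sample_tree(root: Path) -> None:
    """Constructed sample data, not real victim files: two hit hosts and one clean host."""
    files = {
        "hostA/Documents/report.docx.Clop": b"\x00" * 32,
        "hostA/Documents/CIopReadMe.txt": b"Your networks has been penetrated",
        "hostA/Documents/todo.txt": b"plain text",
        "hostB/share/budget.xlsx.CIop": b"\x00" * 32,
        "hostB/share/CIopReadMe.txt": b"Your networks has been penetrated",
        "hostC/tools/clop.py": b"print('not an encrypted file')",
        "hostC/tools/notes.TXT": b"plain text",
    }
    for rel, content in files.items():
        target = root / rel
        target.parent.mkdir(parents=True, exist_ok=True)
        target.write_bytes(content)


if __name__ == "__main__":
    sample_root = Path(tempfile.mkdtemp())
    build_sample_tree(sample_root)
    report = scan_tree(sample_root)
    print(f"encrypted files: {len(report['encrypted'])}")
    print(f"ransom notes:    {len(report['ransom_notes'])}")
    print(f"affected dirs:   {', '.join(report['affected_top_dirs'])}")
```

Matching on the final suffix only means clop.py and a hypothetical archive.clop.bak are left alone, which keeps the sweep free of false positives from tooling or backups that merely contain the word.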
