Ransomware Targeting Industry 4.0

27 Feb 2020

The Clop ransomware was discovered in February 2019 by Michael Gillespie and was classified by MalwareHunterTeam as a variant of the older CryptoMix ransomware. It initially targeted individual Windows users and soon after evolved to target entire enterprises. There is now a new, more focused variant of Clop that targets industrial companies.

A New Variant of Clop Targets Industrial Companies

According to a recent report by Fox-IT, the Russian TA505 group is thought to be behind the Clop attacks. The Clop operators have stepped up their game and, with these new capabilities, are starting to target industrial companies. This has increased the ransomware’s potential for causing irreparable damage.

Evidence of a new variant of Clop was raised in a recent tweet by MalwareHunterTeam. Earlier this week, a group of OTORIO researchers and penetration testing team members analyzed a sample of Clop and reverse engineered its code to gain insight into the ransomware's capabilities. The analysis uncovered some of the new variant’s intended targets – industrial networks – and, more importantly, found ways to stop Clop in its tracks, as discussed further in this article. Some of the new capabilities include:

  • Double Impact: The Clop ransomware creates a thread that terminates 1425 processes non-stop, in parallel to the encryption phase, in order to close their handles and encrypt their files. This is more than double the 663 processes reported in a January 2020 post. Killing a process releases the handles it holds on its files, so Clop can encrypt files that a running process would otherwise keep locked.

  • An Industrial Focus: Between January and mid-February, the Clop operators added approximately 95 Siemens programs, along with a number of processes that relate to other industrial vendors. These programs are needed to operate and communicate with PLCs.

  • Disrupting Monitoring, Communication and Data Analytics: Clop terminates and encrypts OPC servers that are necessary for monitoring the plant, and also terminates vital historian processes that store and analyze industrial data. Clop also kills HMI-related processes. These communication breakdowns create chaos for operational teams and the plants they are trying to manage.

These new findings are proof that the Clop ransomware is being adjusted to target industrial companies, mainly those using popular Siemens products. On February 20, there was a report about a ransomware attack on Croatia’s largest gasoline station chain. Clop was the main suspect behind the attack.

Industrial Ransomware – A New Trend

When hackers threaten to attack an enterprise, such as a bank or insurance company, the stakes are much lower than for a factory. These organizations have backups and redundancy models that limit the damage caused by downtime. Almost all data can be recovered and very little, if any, is lost permanently. An attack on an enterprise is an inconvenience, but it does not have the potential to leave catastrophic consequences in its wake.

In the world of industry, however, a slowdown or cessation of physical production lines can be devastating in terms of recovery, delay or termination of service, and could even translate into the loss of human lives. Hackers, while immoral, are intelligent and direct their energies where they can cause the most damage in the least amount of time and extract the highest return.

The industrial world is an easy target for ransomware. Many industrial plants run outdated systems, and factory personnel are less wary of attacks than staff in enterprise settings. In addition, the potential financial damage from crippling a factory is enormous.
Ransomware is a cost-effective way to paralyze manufacturing plants and extort money. It does not take a lot of development time, but it can have catastrophic, long-term consequences. Clop is the second industrial-oriented ransomware we have seen in the last two months, the first being the Snake/EKANS ransomware.

What’s Next

As technology advances, the industrial world understands the advantages of internet-connected environments. Yet, with more sophisticated and faster processes, comes a tremendous expansion of the attack surface which can be exploited by individuals, teams, or nation-backed hackers, with ransomware being one of the destructive tools of choice. Industry leaders need to be aware of these potential scenarios and take steps to prevent them.

OTORIO has developed RAM2, an OT security solution and automated risk-based maintenance platform that continuously monitors the digital security posture of industrial networks and provides clear playbooks for mitigating cyber risks. Contact our experts to learn more about the solution.

Research Notes

Termination of 1425 Processes:
The Clop ransomware creates a thread that terminates 1425 processes non-stop in parallel to the encryption phase, in order to close their handles and encrypt their files.

Targeted ICS Siemens Processes
95 terminated Siemens processes, including Siemens networking, OPC, TIA Portal and historian processes:
CCARCHIVEMANAGER.EXE
CCTMTIMESYNCSERVER.EXE
CCCSIGRTSERVER.EXE
CCRTSLOADER_X64.EXE
SCSMX.EXE
SMARTSERVER.EXE
S7ASYSVX.EXE
CCALGRTSERVER.EXE
UM.RIS.EXE
CCWRITEARCHIVESERVER.EXE
GSCRT.EXE
CCUCSURROGATE.EXE
CCPROFILESERVER.EXE
CCPROJECTMGR.EXE
S7ACMGRX.EXE
SCORES7.EXE
WINCCEXPLORER.EXE
S7UBTSTX.EXE
CCREDUNDANCYAGENT.EXE
SCSDISTSERVICEX.EXE
HMIES.EXE
CCECLIENT_X64.EXE
SIEMENS.INFORMATIONSERVER.ISREADY.PLUGINSERVICE.EXE
CCTLGSERVER.EXE
S7WNSMGX.EXE
CCTEXTSERVER.EXE
CCPACKAGEMGR.EXE
IPCSECCOM.EXE
SIMNETPNPMAN.EXE
CCCAPHSERVER.EXE
HMRT.EXE
CCWATCHOPC.EXE
CCTMTIMESYNC.EXE
SDIAGRT.EXE
S7OPNDISCOVERYX64.EXE
ALMSRVBUBBLE64X.EXE
SIEMENS.INFORMATIONSERVER.DISCOVERSERVICEINSTALLER.EXE
REDUNDANCYCONTROL.EXE
WEBNAVIGATORRT.EXE
HMISMARTSTART.EXE
CCNSINFO2PROVIDER.EXE
SCOREPNIO.EXE
CCSSMRTSERVER.EXE
TRACESERVER.EXE
CCKEYBOARDHOOK.EXE
SCSFSX.EXE
S7TGTOPX.EXE
CCECLIENT.EXE
SCORESR.EXE
S7TRACESERVICE64X.EXE
CCREMOTESERVICE.EXE
CCRT2XML.EXE
SCOREDP.EXE
ALMPANELPLUGIN.EXE
S7XUTAPX.EXE
_SIMPCMON.EXE
CCLICENSESERVICE.EXE
S7XUDIAX.EXE
SIEMENS.INFORMATIONSERVER.SCHEDULER.EXE
S7AHHLPX.EXE
CCDELTALOADER.EXE
S7SYMAPX.EXE
PASSDBRT.EXE
TRACECONCEPTX.EXE
CCESERVER_X64.EXE
CCSYSTEMDIAGNOSTICSHOST.EXE
TOUCHINPUTPC.EXE
CCDBUTILS.EXE
CCDMRTCHANNELHOST.EXE
CCAEPROVIDER.EXE
S7UBTOOX.EXE
S7OIEHSX64.EXE
PNIOMGR.EXE
SCORECFG.EXE
CCAGENT.EXE
S7HSPSVX.EXE
S7EPASRV64X.EXE
S7WNRMSX.EXE
ALMSRV64X.EXE
S7O.TUNNELSERVICEHOST.EXE
SIM9SYNC.EXE
CCDMRUNTIMEPERSISTENCE.EXE
SSERVCFG.EXE
OPCUASERVERWINCC.EXE
S7WNSMSX.EXE
CCPERFMON.EXE
PDLRT.EXE
UM.SSO.EXE
CCPTMRTSERVER.EXE
CCESERVER.EXE
S7KAFAPX.EXE
REDUNDANCYSTATE.EXE
CCUCSURROGATE.EXE
HMIRTM.EXE
VISVIEW.EXE

Terminated Inray Industriesoftware GmbH processes
4 terminated processes of Inray Industriesoftware GmbH that provide routing between OPC Servers (and therefore any PLCs) and ERP databases or other business administration software:
OPCROUTER4SERVICE.EXE
INRAY.DATA.SQLLOCALDB.SERVICE.EXE
OPCROUTERCONFIG.EXE
OPCROUTER4SERVICE.EXE

Terminated Tani GmbH processes
3 terminated processes of Tani GmbH that relate to the Tani OPC server:
ENGINELOGGERI64.EXE
PLCENGINEI64.EXE
CONFIGSERVERI64.EXE

Terminated OPC Foundation processes
2 terminated processes of the OPC Foundation:
OPC.UA.DISCOVERYSERVER.EXE
OPCUALDS.EXE
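The process lists above are what a defender can turn into detection content. The following is an added example (not OTORIO's code and not part of the original research notes): it runs over constructed, simplified Sysmon-style process-termination lines (EventID 5 is Sysmon's ProcessTerminate; the one-line text format, the watchlist subset and the window/threshold values are assumptions for illustration) and alerts when several distinct ICS processes from the lists die within a short window, which is the burst pattern the kill thread described above would produce.

```python
import re
from collections import deque
from datetime import datetime

# Watchlist: a subset of the process names from the research notes above,
# matched case-insensitively on the image basename (extend it with the full lists).
ICS_WATCHLIST = {
    "WINCCEXPLORER.EXE", "OPCUASERVERWINCC.EXE", "CCARCHIVEMANAGER.EXE",
    "CCWATCHOPC.EXE", "OPCROUTER4SERVICE.EXE", "PLCENGINEI64.EXE",
    "OPCUALDS.EXE", "OPC.UA.DISCOVERYSERVER.EXE",
}
# Constructed line format (not a real Sysmon export):
# "<ISO-8601 UTC timestamp> EventID=<n> Image=<full path>"; EventID 5 = ProcessTerminate.
LINE_RE = re.compile(r"^(\S+) EventID=(\d+) Image=(.+)$")

def parse_terminations(lines):
    """Yield (timestamp, IMAGE_BASENAME) for every ProcessTerminate line."""
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m or m.group(2) != "5":
            continue
        ts = datetime.fromisoformat(m.group(1).replace("Z", "+00:00"))
        yield ts, m.group(3).rsplit("\\", 1)[-1].upper()

def find_kill_bursts(lines, window_s=60, threshold=3):
    """Return [(burst_start, sorted names)] for each window in which at least
    `threshold` distinct watchlisted ICS processes were terminated."""
    alerts, recent = [], deque()          # recent: watchlisted kills inside the window
    for ts, name in parse_terminations(lines):
        if name not in ICS_WATCHLIST:
            continue
        recent.append((ts, name))
        while (ts - recent[0][0]).total_seconds() > window_s:
            recent.popleft()
        names = {n for _, n in recent}
        if len(names) >= threshold:
            alerts.append((recent[0][0], sorted(names)))
            recent.clear()                 # one alert per burst
    return alerts

# Constructed sample: a benign termination, a burst of ICS kills, then a lone one later.
SAMPLE_LOG = [
    r"2020-02-25T10:00:03Z EventID=5 Image=C:\Windows\System32\notepad.exe",
    r"2020-02-25T10:00:05Z EventID=5 Image=C:\Program Files\Siemens\WinCC\bin\WinCCExplorer.exe",
    r"2020-02-25T10:00:06Z EventID=5 Image=C:\Program Files\Siemens\WinCC\bin\OpcUaServerWinCC.exe",
    r"2020-02-25T10:00:06Z EventID=5 Image=C:\Program Files\Siemens\WinCC\bin\CCArchiveManager.exe",
    r"2020-02-25T10:00:09Z EventID=5 Image=C:\Program Files\inray\OPC Router 4\OPCRouter4Service.exe",
    r"2020-02-25T11:30:00Z EventID=5 Image=C:\Program Files\Siemens\WinCC\bin\WinCCExplorer.exe",
]

if __name__ == "__main__":
    for start, names in find_kill_bursts(SAMPLE_LOG):
        print(f"ALERT {start.isoformat()}: ICS processes killed: {', '.join(names)}")
```

Planned stops of an HMI or OPC server will also match, so in production the rule should be suppressed during change windows and tuned per site.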

Attempts to Uninstall Antivirus Software:
Clop tries to identify and remove McAfee, ESET and Malwarebytes, as these antivirus programs can prevent it from encrypting the disk. It tries to uninstall both McAfee and ESET using MsiExec:


The uninstallation of Malwarebytes is handled differently: Clop runs the uninstaller located under “C:\Program Files\Malwarebytes\Anti-Ransomware\”, then finds the window named “Malware Anti-Ransomware Uninstall” and clicks its Yes button.

Mutex:
Creating a named mutex is a common malware technique that ensures only a single instance of the malware runs on the system.

Encrypts files with 2019 or 2020 as the last write time:
Clop checks each file's last write time and only encrypts files that were modified during 2019 or 2020. We assume it encrypts those files because they were modified recently, which means they are likely to be more valuable to the owner.


Clop Ransomware Note

IOCs
Hash:
09ab880f3021ac2d05e09bebd567ddf5f6f7cfb396573efd819a056931f3b391

Ransom note resource name:
RC_DATABIGBACK

Ransom note resource hash:
2e893da12346731f67d7b148c882e68b400536712a1a63e33585e3a3c900d8e6

Resource xor key:
GKJhdsjlkfj328ruidkaofj832iqokdwasjkxasie98u21043e2qufwjsamdiu32yruidasyd7uiu2i4yrewuisa

Ransom note file name:
Cl0pReadMe.txt

Ransom emails:
[email protected]
[email protected]
[email protected]

Mutex:
LifeBeHappy#-#-#666^_-

Public key used:

Protect Against Clop
The following YARA rule can be deployed in your AV/EDR to detect this Clop variant:
rule Clop_hash_func
{
    meta:
        Author = "OTORIO"
        Reference = "https://www.otorio.com/"
        Description = "Hashing function found in Cl0p malware"

    strings:
        // x86 routine: rotate-left-7 / XOR hash over a NUL-terminated wide string
        $a = { 55 8B EC 83 EC 08 C7 45 FC 00 00 00 00 8B 45 08 89 45 F8 8B 4D F8 0F B7 11 85 D2 74 28 8B 45 FC C1 E0 07 8B 4D FC C1 E9 19 0B C1 89 45 FC 8B 55 F8 0F B7 02 33 45 FC 89 45 FC 8B 4D F8 83 C1 02 89 4D F8 EB CE 8B 45 FC 8B E5 5D C3 }

    condition:
        any of them
}