Cl0p Ransomware Victim Count Continues to Climb at an Alarming Rate
In 2019, Cl0p Ransomware surfaced as a Ransomware-as-a-Service (RaaS) model and became notorious due to its advanced techniques. Its main target was larger organizations with an annual income of USD 5 million or higher. The Threat Actors (TAs) infiltrate the targeted systems and encrypt the files, demanding a ransom to be paid in exchange for the decryption key.
Cl0p Ransomware is a successor to CryptoMix ransomware, which is believed to have originated in Russia and is frequently used by various Russian affiliates, including FIN11. This group is known for its attacks on various organizations and institutions, including universities, government agencies, and private companies. Like other ransomware groups, Cl0p’s main objective seems to be financial gain, which they achieve through the double extortion strategy.
Using this approach, TAs exfiltrate sensitive information first and then encrypt it. If the victim refuses to pay the ransom, the attackers threaten to disclose the data on their dark web leak site. This puts extra pressure on the victim to pay the ransom to prevent the release of their sensitive information.
Figure 1 illustrates the geographical distribution of Cl0p ransomware victims since January 2023, with a total of 104 victims worldwide.
The Cl0p ransomware gang aims to victimize a broad range of targets, including IT & ITES, BFSI-focused entities, Healthcare providers, Professional Services, and Government organizations.
The figure below shows the industries targeted by Cl0p Ransomware.
The United States appears to be the primary target of the Cl0p ransomware group, with a significant number of their victims located in this country, as illustrated in the figure below.
Cl0p Ransomware spreads through various methods, such as phishing emails that contain harmful attachments or links, unprotected RDP, and exploit kits. Once it infects a computer, it promptly begins encrypting files and presenting ransom notes that demand payment in exchange for the decryption key.
The analyzed malware sample is an executable file with a Graphical User Interface (GUI), compiled using Microsoft Visual C/C++. It has a SHA-256 hash value of “46cd508b7e77bb2c1d47f7fef0042a13c516f8163f9373ef9dfac180131c65ed”, as illustrated in the accompanying figure.
Upon initial analysis, it was observed that the Cl0p Ransomware could be launched using three distinct methods:
- Executing it with the runrun parameter, which solely encrypts the network drives.
- Passing a file “temp.ocx“ as a parameter, which contains a list of the files to be encrypted.
- Launching it without any parameters, which encrypts all local and network drives.
The image below depicts how the malware verifies the conditions mentioned earlier.
Encrypting network drives
When the Ransomware is launched with the runrun parameter, it creates two threads. The first thread is assigned to scan all network shares, such as network file managers, backup applications, or printer management tools, and encrypt files in them. To execute this task, it uses the typical API functions of the module “MPR.DLL”:
If the malware cannot enumerate the network shares, it closes the current thread handle and creates a second thread. The second thread is designed to retrieve the path to the user’s Outlook, Word, or Office folders using the SHGetSpecialFolderPathW() function. Afterward, the retrieved path undergoes an encryption process, which is described in subsequent sections.
Encrypting specific files passed as a parameter via “Temp.ocx”
When the Ransomware is launched using the temp.ocx parameter, it initially checks if the length of the command line argument is more than 5 characters and whether the argument contains the string “temp.ocx“.
If this condition is true, the code tries to open the file mentioned in the command line argument in UNICODE mode for reading.
If the file is opened successfully, it creates a new thread for encrypting the files specified in “temp.ocx”.
The figure below shows Cl0p Ransomware’s code using a specific file name as an argument.
Encrypting all files and network drives
When the Ransomware is launched without any parameters, the code first checks whether it can be installed as a service. If the installation fails, the code terminates itself.
The figure below illustrates how the ransomware checks for the condition of running as a service.
Once it verifies that it can run as a service, the Cl0p Ransomware generates a mutex, which is an object used for locking and preventing multiple threads from writing to shared memory concurrently.
This measure is intended to prevent the victim from being reinfected. The mutex is hardcoded into the binary with the name “)(%QU#jimf0932ijrkpo32jr3lfwe“, as shown in the figure below.
At this stage, the malware employs a multi-threaded approach where the first thread generates a comprehensive list of all active processes on the system and converts their names to uppercase. It then compares each process name with “EXPLORER.EXE”. If the malware finds a match, it uses the OpenProcess function to obtain a handle to that process and its access token.
The malware utilizes the token handle to retrieve the username associated with it. It then creates a new process and primary thread under that user’s security context, passing a command-line argument runrun.
During this process, the malware ensures that network drives are also encrypted. As mentioned earlier, running Cl0p Ransomware with runrun as an argument will encrypt the network drives.
The figure below shows the code for process name comparison.
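The three launch paths listed earlier and the runrun relaunch under the explorer.exe user's token are easy to turn into a triage rule for process-creation telemetry. The script below is an added example, not code from the original report: it classifies a command line by the argument checks the analysis describes (no argument, exactly runrun, or an argument longer than five characters containing "temp.ocx") and flags events that carry one of the distinctive arguments, adding a note when a runrun child was spawned by its own image. The event records and their field names are constructed and are an assumption about your log pipeline; the case-insensitive "temp.ocx" match is also an assumption.

```python
from dataclasses import dataclass
from typing import Dict, List


@dataclass
class ProcessEvent:
    """Minimal process-creation record (field names are an assumption about your telemetry)."""
    pid: int
    image: str
    command_line: str
    parent_image: str
    user: str


def strip_image(command_line: str) -> str:
    """Return the argument text that follows the executable in a Windows command line.
    A quoted image path ("C:\\Program Files\\x.exe" arg) is handled; otherwise the first
    whitespace-separated token is taken to be the image."""
    cl = command_line.strip()
    if cl.startswith('"'):
        end = cl.find('"', 1)
        return cl[end + 1:].strip() if end != -1 else ""
    parts = cl.split(None, 1)
    return parts[1].strip() if len(parts) > 1 else ""


def classify_launch(command_line: str) -> str:
    """Map a command line onto the three launch paths described in the analysis."""
    arg = strip_image(command_line)
    if arg == "":
        return "all-drives"          # no parameter: service install, local + network drives
    if arg == "runrun":
        return "network-drives"      # runrun: network shares / user folders only
    # argument longer than 5 characters that contains "temp.ocx": a list of files to encrypt
    if len(arg) > 5 and "temp.ocx" in arg.lower():   # case-folding is an assumption
        return "file-list"
    return "unknown"


def triage(events: List[ProcessEvent]) -> List[Dict]:
    """Flag events whose command line carries a Cl0p-style argument. The bare-launch
    mode is not flagged on its own: a command line with no arguments is not a signal."""
    findings = []
    for ev in events:
        mode = classify_launch(ev.command_line)
        if mode in ("all-drives", "unknown"):
            continue
        reasons = [f"argument pattern: {mode}"]
        # The service-context process relaunches its own image with runrun under the
        # explorer.exe user's token, so a self-spawned runrun child corroborates the hit.
        if mode == "network-drives" and ev.parent_image.lower() == ev.image.lower():
            reasons.append("relaunched by its own image with runrun")
        findings.append({"pid": ev.pid, "image": ev.image, "user": ev.user,
                         "mode": mode, "reasons": reasons})
    return findings


# Constructed sample events; none of these paths or users are real telemetry.
SAMPLE_EVENTS = [
    ProcessEvent(4120, r"C:\Windows\explorer.exe", r"C:\Windows\Explorer.EXE",
                 r"C:\Windows\System32\userinit.exe", r"CORP\alice"),
    ProcessEvent(5012, r"C:\Users\Public\svc.exe", r"C:\Users\Public\svc.exe",
                 r"C:\Windows\System32\services.exe", r"NT AUTHORITY\SYSTEM"),
    ProcessEvent(5030, r"C:\Users\Public\svc.exe", r"C:\Users\Public\svc.exe runrun",
                 r"C:\Users\Public\svc.exe", r"CORP\alice"),
    ProcessEvent(5044, r"C:\Users\Public\svc.exe",
                 r'"C:\Users\Public\svc.exe" C:\Users\Public\temp.ocx',
                 r"C:\Windows\System32\cmd.exe", r"CORP\alice"),
    ProcessEvent(5100, r"C:\Windows\System32\notepad.exe", r"notepad.exe report.txt",
                 r"C:\Windows\explorer.exe", r"CORP\alice"),
]

if __name__ == "__main__":
    for finding in triage(SAMPLE_EVENTS):
        print(finding)
```

Only two of the five constructed events are reported: the self-spawned runrun child and the temp.ocx launch. The parameterless launch is deliberately left to other signals (service installation, the hardcoded mutex, ransom-note drops), because every ordinary process starts without arguments.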
Once the new process is created successfully, the malware proceeds to import a public key from a string representation into a Cryptographic Service Provider (CSP) for encryption purposes.
The process of importing public key information into the CSP is illustrated in the figure below.
The next step of Cl0p Ransomware infection involves scanning through all the drive letters available on the system, beginning from A to Z. The malware utilizes the GetDriveTypeW() function to determine the type of drive associated with each letter, such as fixed, removable, or network drives.
Upon identifying the drive type, the Ransomware creates a new thread through the CreateThread API. It transfers the drive letter as a parameter to the thread function responsible for the infection process.
The figure below depicts the new thread creation.
The Ransomware contains a hardcoded list of extensions to exclude from encryption, as shown in the below table:
The Ransomware first checks for the presence of any previous Cl0p infections on the system by comparing all the files in a designated folder with the filename of the ransom note. If no such files are present, it then drops the ransom note into the folder with the filename “!_READ_ME.RTF“.
The ransom note itself is encrypted and stored in the resource section. However, before it is placed in the folder, it is decrypted using an XOR algorithm. The figure shows both the encrypted content in the file’s resource section and the decryption loop in the binary.
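When the note is XOR-obscured in the resource section, an analyst usually does not need the key from the binary: every RTF document begins with the signature "{\rtf", which gives five bytes of known plaintext. The helper below is an added example and not the report's code. It derives candidate repeating keys of one to four bytes from that signature, checks each against the whole signature, and accepts the first candidate whose output looks like text. The sample blob is constructed here (a fake note XOR'd with a made-up two-byte key); the real sample's key length and value are not stated in the analysis.

```python
RTF_MAGIC = b"{\\rtf"   # every RTF document starts with this signature


def xor_bytes(data: bytes, key: bytes) -> bytes:
    """Repeating-key XOR; with a one-byte key this is the classic single-byte XOR loop."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def mostly_printable(data: bytes, threshold: float = 0.9) -> bool:
    """Plausibility check: a decoded ransom note should be almost entirely printable text."""
    ok = sum(1 for b in data if 32 <= b < 127 or b in b"\r\n\t")
    return ok / max(len(data), 1) >= threshold


def recover_rtf(blob: bytes, max_key_len: int = 4):
    """Try repeating XOR keys of length 1..max_key_len against `blob`, deriving each
    candidate from the known plaintext "{\\rtf" and keeping the shortest one whose
    output is consistent with that signature and looks like text.
    Returns (key, plaintext) or None. Only five plaintext bytes are known, so keys
    longer than four bytes cannot be verified against the signature and are not tried."""
    if len(blob) < len(RTF_MAGIC):
        return None
    for klen in range(1, min(max_key_len, len(RTF_MAGIC) - 1) + 1):
        key = bytes(blob[i] ^ RTF_MAGIC[i] for i in range(klen))
        if xor_bytes(blob[:len(RTF_MAGIC)], key) != RTF_MAGIC:
            continue
        plain = xor_bytes(blob, key)
        if mostly_printable(plain):
            return key, plain
    return None


# Constructed sample: a fake note obscured with a made-up two-byte key.
SAMPLE_NOTE = b"{\\rtf1\\ansi Your files have been encrypted. Contact details follow in this note.}"
SAMPLE_KEY = b"\x5a\xc3"
SAMPLE_BLOB = xor_bytes(SAMPLE_NOTE, SAMPLE_KEY)

if __name__ == "__main__":
    print(recover_rtf(SAMPLE_BLOB))
```

The same known-plaintext trick works for any resource whose decoded form has a fixed header (PE, ZIP, RTF); for longer keys you would need more known plaintext, for example the closing "}" and the RTF control words that normally follow the header.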
The Cl0p Ransomware has a file size-based approach to choose the best method for encrypting files. Small files are not encrypted, and the Ransomware uses the ReadFile and WriteFile API functions for encrypting medium-sized files.
The larger files are apparently encrypted using the CreateFileMappingW, MapViewOfFile, WriteFile, and UnmapViewOfFile API functions.
To encrypt each file, the Ransomware generates a 0x75-byte RC4 key using a Mersenne Twister PRNG (MT19937) algorithm and checks its validity by ensuring the first five bytes are NULL.
Finally, the Ransomware encrypts the generated RC4 key using the RSA public key and stores it in a file with the format “filename.extension.C_l_0P”.
The Ransomware now begins encrypting the files in the victim’s machine. The data is encrypted using the RC4 encryption algorithm. The figure below shows the file’s encrypted content starting from the address 4000h.
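The on-disk artefacts named above, the “!_READ_ME.RTF” note dropped once per folder and the “.C_l_0P” extension appended to each encrypted file, are what an incident responder can inventory quickly. The script below is an added example, not code from the original report: it walks a directory tree, counts encrypted files per directory, records which original extensions were hit, and lists directories holding a note. The sample tree is constructed in a temporary directory so the scan runs offline; the interpretation of "encrypted files but no note" as an interrupted run is an assumption.

```python
import os
import tempfile
from collections import Counter

ENCRYPTED_EXT = ".C_l_0P"      # appended after the original extension
RANSOM_NOTE = "!_READ_ME.RTF"  # dropped once per folder if no earlier note is present


def scan_tree(root: str) -> dict:
    """Walk `root` and summarise ransomware artefacts: encrypted-file counts per directory,
    directories holding a ransom note, the original extensions of renamed files, and any
    directory with encrypted files but no note (assumed to indicate an interrupted run)."""
    per_dir = Counter()
    note_dirs = set()
    orig_ext = Counter()
    for dirpath, _, files in os.walk(root):
        for name in files:
            if name.upper() == RANSOM_NOTE.upper():            # NTFS names are case-insensitive
                note_dirs.add(dirpath)
            elif name.upper().endswith(ENCRYPTED_EXT.upper()):
                per_dir[dirpath] += 1
                stem = name[:-len(ENCRYPTED_EXT)]              # strip the appended extension
                orig_ext[os.path.splitext(stem)[1].lower() or "<none>"] += 1
    return {
        "total_encrypted": sum(per_dir.values()),
        "encrypted_by_dir": dict(per_dir),
        "note_dirs": sorted(note_dirs),
        "dirs_without_note": sorted(d for d in per_dir if d not in note_dirs),
        "original_extensions": dict(orig_ext),
    }


def build_sample_tree() -> str:
    """Create a constructed tree in a temp directory: two affected folders, one note, clean files."""
    root = tempfile.mkdtemp(prefix="cl0p_triage_")
    docs = os.path.join(root, "Documents")
    pics = os.path.join(root, "Pictures")
    os.makedirs(docs)
    os.makedirs(pics)
    for name in ("budget.xlsx" + ENCRYPTED_EXT, "plan.docx" + ENCRYPTED_EXT, RANSOM_NOTE, "notes.txt"):
        with open(os.path.join(docs, name), "wb") as fh:
            fh.write(b"\x00" * 16)      # placeholder content; only the names matter here
    for name in ("holiday.jpg" + ENCRYPTED_EXT, "readme.txt"):
        with open(os.path.join(pics, name), "wb") as fh:
            fh.write(b"\x00" * 16)
    return root


if __name__ == "__main__":
    summary = scan_tree(build_sample_tree())
    for key, value in summary.items():
        print(f"{key}: {value}")
```

Point the scan at a mounted forensic image or a mapped share rather than the live victim host, and keep the output: the per-directory counts and extension breakdown are the fastest way to scope what was hit and which backups need restoring.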
The Cl0p ransom note includes contact details of TAs that victims can use to negotiate a ransom payment to recover their files. It also contains an Onion URL leading to the leak site page.
The figure below shows the Cl0p Ransomware ransom note.
The below figure shows the leak site of the Cl0p ransomware gang.
Security researchers have recently discovered that Cl0p Ransomware is now targeting Linux systems. Fortunately, this new variant of Ransomware has a flawed encryption algorithm, which is good news for victims because it means they can recover their encrypted files without paying a ransom.
Although the Linux variant of Ransomware is specifically designed for this operating system, the fundamental logic behind it remains the same as the Windows variant.
With its various versions, Cl0p Ransomware has the ability to infect both Linux and Windows operating systems. This malware is among many other ransomware types found on the surface web that deploy a strong encryption algorithm to encrypt user files and leave ransom notes containing instructions on recovering the encrypted data.
In a brief span of time, there have been numerous attacks that have targeted various industries across the world. We anticipate that there will be more attacks in the future by Cl0p Ransomware.
Safety Measures Needed to Prevent Ransomware Attacks
- Conduct regular backup practices and keep those backups offline or in a separate network.
- Turn on the automatic software update feature on your computer, mobile, and other connected devices wherever possible and pragmatic.
- Use a reputable anti-virus and Internet security software package on your connected devices, including PC, laptop, and mobile.
- Refrain from opening untrusted links and email attachments without verifying their authenticity.
Users Should Take the Following Steps After a Ransomware Attack
- Disconnect infected devices from the network.
- Disconnect external storage devices if connected.
- Inspect system logs for suspicious events.
- A decryption tool for the Linux variant is available on GitHub.
MITRE ATT&CK® Techniques
| Tactic | Technique ID | Technique Name |
|---|---|---|
| Initial Access | T1133 | External Remote Services |
| Execution | T1059 | Command and Scripting Interpreter |
| Discovery | T1082 | System Information Discovery |
| Discovery | T1135 | Network Share Discovery |
| Discovery | T1083 | File and Directory Discovery |
| Impact | T1486 | Data Encrypted for Impact |
Indicators of Compromise (IOCs)