A new variant of the CryptoMix Clop ransomware family claims to target entire networks instead of individual users’ machines.
Security researcher MalwareHunterTeam discovered the variant near the end of February 2019. In their analysis of the threat, they noticed that the ransomware came equipped with more email addresses than previous versions of CryptoMix Clop. They also noted that those responsible for the crypto-malware applied slight variations to their creation’s extension.
Signed & low detected (as usual), yesterday evening build of CryptoMix Clop ransomware sample: https://t.co/20KMkc3S9X
Again some changes in the note, and now it has 3 email addresses…
Also, new mutex and "messages" too.
cc @VK_Intel pic.twitter.com/1wv5zJTRNB
— MalwareHunterTeam (@malwrhunterteam) February 26, 2019
In its analysis of the new variant, Bleeping Computer observed that executables code-signed with a digital certificate were responsible for distributing the ransomware. This tactic gives the threat a sense of legitimacy, including in the eyes of some digital security software solutions.
Once executed, the variant begins by terminating various Windows services and processes. Doing so enables CryptoMix Clop to disable anti-virus software running on the computer. It also forces open files to be closed, releasing the locks that would otherwise stop the ransomware from overwriting them with encrypted copies.
Lawrence Abrams, creator and owner of Bleeping Computer, discovered another interesting facet of the CryptoMix Clop variant at this stage in the infection process. As he explains in a blog post:
Another item noticed by BleepingComputer in this variant is that it will create a batch file named clearnetworkdns_11-22-33.bat that will be executed soon after the ransomware is launched. This batch file will disable Windows’s automatic startup repair, remove shadow volume copies, and then resize them in order to clear orphaned shadow volume copies.
The ransomware then encrypts the victim’s files and appends the .Clop or .CIop extension to each affected file. Finally, it creates a ransom note notifying the victim that “All files on each host in the networks have been encrypted with a strong algorithm.” It’s unclear whether the variant can actually affect an entire network at this time, as it lacks the ability to self-propagate. Even so, Abrams noted that the ransomware could still be spread manually across a network by an attacker abusing Remote Desktop Services.
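As an added illustration (not code from the article, Bleeping Computer or MalwareHunterTeam), the following Python scans constructed, hypothetical key=value endpoint log lines for the two host-level indicators the article names: creation or execution of the clearnetworkdns_11-22-33.bat batch file, and renames that append the .Clop or .CIop extension. The log layout, host names and paths are assumptions; the point worth noting is that ".CIop" is spelled with a capital I, so a rule that only matches ".clop" misses it.

```python
import re

# Indicators quoted in the article: the staging batch file and both extensions.
# ".CIop" uses a capital I as a look-alike for l, so a ".clop"-only rule misses it.
BATCH_NAME = "clearnetworkdns_11-22-33.bat"
CLOP_SUFFIXES = (".clop", ".ciop")  # matched after lower-casing the file name

# Constructed sample telemetry in a simple key=value layout (not real logs).
SAMPLE_LOG = """\
2019-02-26T19:02:11Z host=WS01 event=FileCreate path=C:\\Temp\\clearnetworkdns_11-22-33.bat
2019-02-26T19:02:12Z host=WS01 event=ProcessCreate cmdline="cmd.exe /c C:\\Temp\\clearnetworkdns_11-22-33.bat"
2019-02-26T19:02:40Z host=WS01 event=FileRename src=C:\\Share\\q1.xlsx dst=C:\\Share\\q1.xlsx.Clop
2019-02-26T19:02:41Z host=WS01 event=FileRename src=C:\\Share\\plan.docx dst=C:\\Share\\plan.docx.CIop
2019-02-26T19:03:05Z host=WS01 event=FileRename src=C:\\Share\\notes.txt dst=C:\\Share\\notes.bak
2019-02-26T19:03:09Z host=WS02 event=FileCreate path=C:\\Temp\\report.pdf
"""
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')  # key=value, value may be quoted

def parse_event(line):
    """Split one log line into a dict; the leading token is the timestamp."""
    ts, rest = line.split(" ", 1)
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(rest)}
    fields["ts"] = ts
    return fields

def classify(event):
    """Return an alert label for one event, or None when nothing matches."""
    kind = event.get("event")
    if kind in ("FileCreate", "ProcessCreate"):
        target = event.get("path") or event.get("cmdline") or ""
        if BATCH_NAME in target.lower():
            return "clop_batch_file"
    if kind == "FileRename" and event.get("dst", "").lower().endswith(CLOP_SUFFIXES):
        return "clop_extension"
    return None

def scan_log(text):
    """Return one (timestamp, host, label, detail) tuple per matching event."""
    alerts = []
    for line in filter(None, text.splitlines()):
        ev = parse_event(line)
        label = classify(ev)
        if label:
            detail = ev.get("path") or ev.get("cmdline") or ev.get("dst")
            alerts.append((ev["ts"], ev["host"], label, detail))
    return alerts

if __name__ == "__main__":
    for alert in scan_log(SAMPLE_LOG):
        print(*alert)
```

Run against the sample, it flags the batch file twice (creation, then execution) and both renames on WS01, while the ordinary .bak rename and the WS02 file creation pass through.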
Victims of the new CryptoMix Clop variant currently have no means to decrypt their files for free. As a result, organizations should focus on preventing a ransomware infection in the first place. They should also think about protecting their networks by systematically testing their defenses.