Records are made to be broken. Unfortunately, the Cryptomix Clop ransomware operators have stepped up in October to a ransomware industry record. They’ve demanded a 20+ million dollar ransom from one of the largest software companies in the world[1]. This incredible ransom amount is one of the highest ever noted for ransomware-based extortion. This is not new behavior. Since early 2019 the Clop gang has been attacking large enterprise companies in the US, Germany, India, Mexico, Russia, and Turkey.
Despite such a massive extortion attempt, the victim company decided not to pay the ransom and instead to recover its data from offsite copies and backups. In response, the Clop threat actors began releasing the victim firm’s confidential information publicly, posting some of the victim’s data on a website they operate on the dark web.
This is the new modus operandi of many threat actors that utilize ransomware. The first point of pressure is the encryption of data – your enterprise operations cannot get to critical data and hence cannot conduct business. Perhaps you can recover your data via backups and, in some acceptable period of time, restore business operations.
The second point of pressure is the release of your data to “leak sites” in the public domain. Once the information is posted, the threat actors notify journalists so that the material can receive public exposure. This can cause loss of reputation, customer loss, compromise of your future business and product plans, and more. This pain can also be applied incrementally – every day or every week, a new piece of confidential information can be compromised and posted publicly.
Also note the Treasury Department OFAC’s recent notice[2] on possible financial penalties for making or facilitating payments to sanctioned parties; you could face double jeopardy. Incredibly, your enterprise might first suffer the pain of the ransom payment, and then you, or the other parties you work with to arrange payment of the ransom, might also face the financial penalties associated with sanctions violations[3].
Anatomy of the Attack
Clop is a relatively new and dangerous variant of CryptoMix ransomware, which we covered in an earlier threat report[4]. At that time, our cyber intelligence community detected a new CryptoMix ransomware campaign that exploited real stories of children diagnosed with cancer. The campaign pretended to represent a real children’s charity and alleged that the victim’s ransom payment was for a good cause. This was not the first time a CryptoMix campaign used a theme pertaining to sick children, but it was the first to use real photos and stories. Additionally, unlike previous campaigns, the ransomware was not delivered by email but deployed after networks were breached in a remote desktop protocol (RDP) brute force attack.
Upon execution, Clop ransomware begins terminating selected Windows processes and services. This closes open files so that they can be more easily encrypted, and it can also disable anti-virus software running on the computer. Per Bleeping Computer, the malware’s executables are digitally signed in an attempt to appear legitimate. The malware also creates a batch file designed to disable Windows startup repair and remove any shadow volume copies. The newest variants, first found in December 2019 by MalwareHunterTeam, kill 663 Windows processes, including Windows 10 apps, terminal programs, editors, programming tools and languages, debuggers, and more.
In the endgame, Clop appends the “.Clop” extension to each file and then leaves a ransom note, “ClopReadMe.txt,” in each folder. The Clop ransomware uses the RSA encryption algorithm and keeps keys stored on a remote and hidden server controlled by the Clop threat actors.
Clop Threat Actors May Also Use DNS Fast Flux Attack
There is some speculation that the Russian TA505 group may be the primary threat actor behind the Clop attacks[5]. TA505 also goes by the name Hive0065[6]. Upon review of their profile in MITRE ATT&CK, I noted that they had used fast flux to mask botnets by distributing payloads across multiple IPs. The specific technique in MITRE ATT&CK is Enterprise T1568.001.
Per MITRE, “Adversaries may use Fast Flux DNS to hide a command and control channel behind an array of rapidly changing IP addresses linked to a single domain resolution. This technique uses a fully qualified domain name, with multiple IP addresses assigned to it, which are swapped with high frequency, using a combination of round-robin IP addressing and short Time-To-Live (TTL) for a DNS resource record.
“The simplest, ‘single-flux’ method involves registering and deregistering addresses as part of the DNS A (address) record list for a single DNS name. These registrations have a five-minute average lifespan, resulting in a constant shuffle of IP address resolution. In contrast, the ‘double-flux’ method registers and de-registers an address as part of the DNS Name Server record list for the DNS zone, providing additional resilience for the connection. With double-flux, additional hosts can act as a proxy to the C2 host, further insulating the true source of the C2 channel.”
Several threat researchers have tied TA505 to Clop deployment. As of today, the MITRE ATT&CK profile for TA505 does not list Clop ransomware among the group’s tools, so, once again, this relationship is under investigation and review as the white hats continue to track Clop activity worldwide.
DNS is a Critical Control Plane to Stop Ransomware and Fast Flux Attacks
Most types of malware must utilize DNS at one or more points in the attack chain. It is used for initial delivery, when the victim’s system issues DNS queries to resolve the IP address of the attacker’s infrastructure. DNS is also used in the email delivery process and when ransomware propagates via spam campaigns. The exploitation phase may involve DNS queries when the victim’s system is compromised and infected. DNS is almost always used when an infected system communicates with the command and control (C2) server.
BloxOne Threat Defense uses DNS as a choke point to disrupt ransomware. Threat intelligence (malicious hostnames, domains, IP addresses) loaded into DNS servers as a DNS Firewall Response Policy Zone (RPZ) can automatically detect and block command and control (C&C) communications to malicious destinations. Applying behavioral analytics and machine learning to real-time DNS queries enables advanced threats such as zero-day DNS tunneling, data exfiltration, DGA, and Fast Flux to be detected and stopped.
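As an added illustration, not part of the original post and not Infoblox product code, the script below applies the single-flux and double-flux definitions quoted above to a constructed set of passive-DNS observations and emits RPZ policy records for the names that trip the heuristics. The hostnames, addresses, and thresholds are all assumed or constructed for the demonstration.

```python
"""Fast-flux heuristics over passive-DNS observations, emitting RPZ policy records."""
from collections import defaultdict
from ipaddress import ip_network

# Constructed sample passive-DNS observations: (seconds, qname, rtype, rdata, ttl).
# Hostnames and addresses are fictitious (documentation ranges), not real indicators.
OBSERVATIONS = [
    (0,     "c2.bad.example",   "A",  "203.0.113.10",    300),
    (300,   "c2.bad.example",   "A",  "198.51.100.7",    300),
    (600,   "c2.bad.example",   "A",  "192.0.2.44",      300),
    (900,   "c2.bad.example",   "A",  "203.0.113.99",    300),
    (1200,  "c2.bad.example",   "A",  "198.51.100.200",  300),
    (0,     "bad.example",      "NS", "ns1.bad.example", 300),
    (600,   "bad.example",      "NS", "ns7.bad.example", 300),
    (1200,  "bad.example",      "NS", "ns3.bad.example", 300),
    (0,     "www.good.example", "A",  "192.0.2.1",       86400),
    (86400, "www.good.example", "A",  "192.0.2.1",       86400),
]

SHORT_TTL = 600        # assumed threshold: flux records live minutes, not hours
MIN_DISTINCT = 3       # assumed: distinct A targets (single-flux) or NS hosts (double-flux)
MIN_DISTINCT_NETS = 2  # assumed: legitimate round-robin usually stays inside one /24

def analyze(observations):
    """Return {name: 'single-flux' | 'double-flux'} for names matching the heuristics."""
    a_recs, ns_recs = defaultdict(list), defaultdict(list)
    for _ts, name, rtype, rdata, ttl in observations:
        if rtype == "A":
            a_recs[name].append((rdata, ttl))
        elif rtype == "NS":
            ns_recs[name].append((rdata, ttl))
    verdicts = {}
    for name, recs in a_recs.items():  # single-flux: many short-lived A records across /24s
        ips = {ip for ip, _ in recs}
        nets = {ip_network(f"{ip}/24", strict=False) for ip in ips}
        if (all(ttl <= SHORT_TTL for _, ttl in recs)
                and len(ips) >= MIN_DISTINCT and len(nets) >= MIN_DISTINCT_NETS):
            verdicts[name] = "single-flux"
    for zone, recs in ns_recs.items():  # double-flux: the zone's own NS set keeps changing
        servers = {ns for ns, _ in recs}
        if all(ttl <= SHORT_TTL for _, ttl in recs) and len(servers) >= MIN_DISTINCT:
            verdicts[zone] = "double-flux"
    return verdicts

def rpz_records(verdicts):
    """RPZ policy lines: 'CNAME .' makes the resolver answer NXDOMAIN for the name and children."""
    lines = []
    for name in sorted(verdicts):
        lines.append(f"{name} CNAME .")
        lines.append(f"*.{name} CNAME .")
    return lines

if __name__ == "__main__":
    found = analyze(OBSERVATIONS)
    print(found)
    print("\n".join(rpz_records(found)))
```

The steady, long-TTL www.good.example record is deliberately left unflagged; in practice the thresholds need tuning against a baseline of legitimate CDN and load-balanced names to keep false positives down.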
In addition, Infoblox DDI data has valuable information about device activity and actionable network context (like what type of device it is, where it is in the network, who it is assigned to, lease history). This information can be used for deep visibility into ongoing attacks and for remediation strategy. Integrating DDI data with SIEM and SOAR infrastructure is critical to threat detection and incident response. When Infoblox detects something malicious, a new device, or virtual workload on the network, it automatically shares that event information and context with existing security infrastructures like endpoint EDR, SIEM, SOAR, vulnerability scanners, and NAC solutions. This data may trigger the security tools to either scan the device for vulnerabilities or prevent access to the network until it is deemed compliant with policy.
Learn more about how we can help – more information on reducing the risk of ransomware: https://www.infoblox.com/resources/videos/the-role-of-dns-instrumentation-and-dns-data-in-fighting-ransomware/