CLOP Ransomware breached data of India bulls: A Case Study

Indiabulls CLOP ransomware case

Ransomware is a category of self-propagating malware that uses encryption techniques to keep the victims’ data ransom, has emerged in recent years as one of the foremost and complicated cyber threats, with widespread damage; e.g., zero-day ransomware WannaCry has caused the world-wide catastrophe, from shutting down a Honda Motor Company in Japan to knocking U.K. National Health Service hospitals offline.

Indiabulls Group of Companies, a diversified Finance Company with a net worth of more than Rs. 28,580 crore, has been reportedly breached by CLOP Ransomware operators. These operators, as per the report, claim to possess stolen data that has four spreadsheets associated with Indiabulls Housing Finance Limited subsidiaries and Indiabulls Pharmaceuticals, among other files. Till now, CLOP Ransomware operators have uploaded six screenshots of stolen files and asked Indiabulls to contact them in 24 hours.

Clop ransomware was discovered by Michael Gillespie on 8 February 2019 and it is still spreading over time. The primary goal of Clop is to encrypt all files in an enterprise database and request a ransom to receive a decryptor/key to decrypt all the affected files.

 

Where did Clop ransomware come from?

CIop ransomware is part of the CryptoMix family which runs on Microsoft Windows and it was discovered by Malware Hunter Team. The meaning of the word clop means a bug in Russia. This ransomware is aimed at attacking the entire network rather than any individual system.

When Clop was discovered in February 2019, all indicators showed that it was a new CryptoMix with .CLOP (dot ‘CLOP’) or .CLOP extension tagged onto encrypted files. Since this discovery, the ransomware operators behind Clop have steadily been developing it to manoeuvre beyond the shadow of merely being a variant of CryptoMix.

Read also:  Cryptography : A Dive into The Encryption World

 

What’s inside a Clop Ransomware?

The Clop ransomware is typically packed to cover its inner workings. This malware is prepared to avoid running under certain conditions, for example in the first version it requests to be installed as a service; if that will not succeed, it will terminate itself.

Authentication code

Image:- Packer signed to avoid av programs and mislead the user

Signing a malicious binary, in this case, ransomware may trick security solutions to trust the binary and let it pass.

For more information about analysis of this ransomware, please visit https://www.joesandbox.com/analysis/196971/0/html

 

How does it work?

Transmission

Clop is distributed using executables that have been code-signed with a digital signature. Doing so makes the executable appear more legitimate and might help to bypass security software detections.

Transmission of CLOP files

 

 

Other modes of transmission

  • Email attachments
  • Pirated Softwares
  • Unprotected wireless networks e.g. public wifi, etc.

 

Infection of clop ransomware

In its analysis of the new variant, Bleeping Computer observed that executables code-signed with a digital certificate were liable for distributing the ransomware. This tactic gives the threat a way of legitimacy, including in the eyes of some digital security software solutions.

Once executed, the variant begins by terminating various Windows services and processes. Doing so enables CryptoMix Clop to disable anti-virus software running on the pc. It also helps it close all files, thereby placing them in a state where they are easy to encrypt.

Another item noticed by Bleeping Computer in this variant is that it’ll create a batch file named clearnetworkdns_11-22-33.bat which will be executed soon after the ransomware is launched. This batch file will disable Windows’s automatic startup repair, remove shadow volume copies, then resize them so as to clear orphaned shadow volume copies.

Read also:  How to Land a Job in Cyber Security amid Covid-19 crisis

The ransomware then encrypts the victim’s files and appends the .CLOP or .CIop extension to each affected file. Finally, it creates a ransom note notifying the victim that “All files on each host in the networks have been encrypted with a robust algorithm.” It’s unclear whether the variant can actually affect a complete network at this point because it lacks the flexibility to self-propagate. Even so, Abrams noted that the ransomware could still propagate manually across a network by abusing Remote Desktop Services.

Penetration of files

 

It will first stop numerous Windows services and processes in order to disable antivirus software such as Windows Defender and Malwarebytes. and close all files so that they’re ready for encryption. To disable Windows Defender, it configures various Registry values that disable behaviour monitoring, real-time protection, sample uploading to Microsoft, Tamper Protection, cloud detections, and antispyware detections.

In addition to Windows Defender, Clop is also targeting older computers by uninstalling Microsoft Security Essentials. As Clop is run with administrator privileges by the attackers, this command will remove the software without a problem:

cmd.exe /C "C:\Program Files\Microsoft Security Client\Setup.exe" /x /s

To remove Malwarebytes, it uses the following command:

C:\Program Files\MalwareBytes\Anti-Ransomware\unins000.exe /verysilent /suppressmsgboxes /norestart

 

Newer versions of Clop can terminate a total of 663 processes, which include new Windows 10 apps, popular text editors, debuggers, programming languages, terminal programs, and programming IDE software.

Some of the more interesting processes that are terminated include the Android Debug Bridge, Notepad++, Everything, Tomcat, SnagIt, Bash, Visual Studio, Microsoft Office applications, programming languages such as Python and Ruby, the SecureCRT terminal application, the Windows calculator, and even the new Windows 10 Your Phone app.

Read also:  Is WhatsApp safe anymore? | Way out of Privacy policy update of Whatsapp in 2021

It will then create a batch file named clearnetworkdns_11-22-33.bat that will be executed soon after the ransomware is launched. This batch file will disable Windows’s automatic startup repair, remove shadow volume copies, then resize them so as to clear orphaned shadow volume copies.

The ransomware will then begin to encrypt a victim’s files. When encrypting files it’ll append the .Clop or .CIop extension to the encrypted file’s name.

It will also create a ransom note named CIopReadMe.txt that is now indicating that they’re targeting a complete network rather than an individual computer. The ransom note said the following:

Ransom note by CLOP

This ransom note also contains the emails [email protected], [email protected], and [email protected] that can be used to contact the attackers for payment instructions.

 

Files encrypted by CLOP

Screenshot of files encrypted by Clop

 

How to prevent a ransomware attack?

  • Make sure to back up your important files on a regular basis on a separate hard drive or on the cloud.
  • Avoid opening attachments that look suspicious.
  • Patch and keep updated your operating system, antivirus, browsers, Adobe Flash Player, Java, and other software.

 

Should you pay the ransom?

No. In most cases, you shouldn’t pay the ransom. To me, the prevention of ransomware and backup and recovery options available today are the priority. Do the work now to prevent and protect data from ransomware, so having to pay the ransom isn’t ever an option.

Go online to see if a decryption tool exists. If keys for this attack already exist, there’s no need to pay. Sometimes, when the police and security experts investigate cybercriminal activity, they can potentially obtain decryption keys from malicious servers and share them online. Here are some of them:

 

3 Replies to “CLOP Ransomware breached data of India bulls: A Case Study”

Leave a Reply

Your email address will not be published. Required fields are marked *