Clop Ransomware Cripples Windows Security Tools and Other AVs

Security researchers have discovered a new strain of the Clop ransomware that renders security tools such as and Windows Defender useless Malwarebytes Anti-Ransomware. 

Clop Ransomware is a variant of the CryptoMix ransomware family initially discovered by security researchers in February 2019. Like most ransomware, Clop aims to encrypt the files in a target system and demand a ransom to restore the compromised data. However, security researcher Vitali Kremez discovered a new, more pervasive strain of Clop that attempts to disable Windows Defender and other anti-ransomware programs.

2019-06-03: #CryptoMix #Clop #Ransomware #Signed👾
Sign -> [FLOWER DELI LTD]🔏
Newer => Process Killer & Uninstaller CheckMAL soft
+2 XOR keys per each encoded resource blob now🤔
🚫Avoids Former USSR
h/t @malwrhunterteam
📔Pushed RE notebook w/ notes ->https://t.co/4kCcy7aujy pic.twitter.com/Jnj9ygzU7T

— Vitali Kremez (@VK_Intel) June 5, 2019

Clop Ransomware has been involved in a number of recent cyberattacks, including the ones against the Hospital Center University De Rouen and the University of Antwerp in Belgium. It is also believed that the Russian hacker group TA505 has been using Clop in recent ransomware campaigns.

Designed to Bypass Windows Security and other AntiVirus

Previous versions of Clop ransomware also attempted to disable multiple antivirus products. This new variant, however, systematically targets various aspects of Windows' security system. 

According to Kremez, Clop ransomware runs a small program before initiating its encryption process on the infected Windows machine. This program would change registry keys to prevent behavior monitoring, real-time protection, as well as some other security processes to deactivate Windows Defender. 

The focus on Windows' security software is likely based on the assumption that most users will use Windows Defender since it comes included with the system, making it their first line of defense. Kremez also noticed that Clop attempts to attempt to uninstall other anti-malware software such as Microsoft Security Essentials, CHECKMal, and Malwarebytes.

Clop ransomware isn't the first malware that targets Windows Defender. In July, this year, security researchers found a new variant of the TrickBot banking Trojan, which was also trying to disable security services and processes related to Windows Defender.

This came just before they also reported about the Gootkit banking trojan. Gootkit would use UAC bypass and WMIC commands so that Windows Defender was unable to analyze the executable file that triggered the malware. There was also the Novter malware that disables Windows Defender using PowerShell. It was also able to change Windows Update settings.

Clop Ransomware’s Infection Vector and Encryption Method

Clop ransomware is usually spread through phishing emails containing malicious attachments embedded in macro scripts. However, some variants of Clop are also capable of spreading across an infected machine's network.

Before beginning its encryption, Clop ransomware will use the "GetTextCharset" function to check if the infected system's keyboard's layout is set to the Russian or any other language used in former USSR nations. If the language returned by the function includes any of these whitelisted languages, Clop will delete itself from the system. 

Figure 1.2 Detecting Keyboard Layout 

Here we can see the clop rusing switch statements to confirm the keyboard layout of the targeted computer. Source: https://twitter.com/VK_Intel

Otherwise, the malware will begin a process to enumerate all files in the system and encrypt them with random AES keys, which will then be locked by a master RSA key. Encrypted data will have '. Clop' extension appended to them. While this varies between Clop variants, the ransomware usually targets files ending with the following extensions:

After encrypting the victim's files, Clop delivers a ransom note, wh[]ich is named 'ClopReadMe.txt' and signed with 'Dont Worry C|0P'. The note contains the following message:

Windows Users can Still Protect Themselves from Clop

The only good news about victims of Clop ransomware is that Windows 10 machines could be protected. Security researchers have found that when Clop is present in Windows 10 computers with Tamper Protection enabled, the registry values are reset back to their default configuration, and Windows Defender has activated again. Yet, considering the malware evolution these days, there is no guarantee that Clop ransomware won't evolve even more during the next year. 

Security professionals should consider investing in a good security awareness training program to better defend themselves – and their organization – against the Clop ransomware. Educating staff about the dangers of malware and best practices to avoid it can help to prevent phishing campaigns and hacks before they have a chance to begin. Stay vigilant and remember that prevention is always better than the cure when it comes to viruses and ransomware.