CB TAU Threat Intelligence Notification: CryptoMix Clop Ransomware Disables Startup Repair, Removes & Edits Shadow Volume Copies

2019-03-28T14:52:32
ID CARBONBLACK:5B80BE932965AB46A744F2127EA7792C
Type carbonblack
Reporter Ryan Murphy
Modified 2019-03-28T14:52:32

Description

Summary

A new variant of CryptoMix Clop ransomware has been distributed as a digitally signed and verified binary, which makes it look like a legitimate executable; a valid signature on its own should therefore not be treated as evidence that a file is benign. CryptoMix Clop appends ‘.clop’ or ‘.ciop’ as the file extension of each encrypted file and drops a ransom note named “CIopReadMe.txt”, shown in the following screenshot.

Figure 1: Screenshot of ransom note

Behavioral Summary

Upon execution, CryptoMix Clop ransomware creates and executes a batch file named ‘clearnetworkdns_11-22-33.bat’ that disables automatic startup repair, deletes shadow volume copies, and resizes the shadow storage to clear out orphaned shadow volume copies, removing the victim's built-in options for restoring encrypted files.

Figure 2: Screenshot of ‘clearnetworkdns_11-22-33.bat’

Below are the events from CB ThreatHunter showing that CryptoMix Clop ransomware has encrypted files, appended ‘.ciop’ as the file extension, and then deleted the original files.
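The two behaviours above (the shadow-copy/startup-repair tampering in Figure 2 and the encrypt-then-delete file pattern) are both visible in ordinary endpoint telemetry. The following Python is an added detection example, not Carbon Black code and not a transcript of ‘clearnetworkdns_11-22-33.bat’ (whose exact contents the notification shows only as a screenshot). The process and file events are constructed to resemble EDR/Sysmon records; the command lines are the generic vssadmin, wmic and bcdedit forms referred to by the MITRE rows below, and the field names (`ppid`, `cmdline`, `pid`, `op`, `path`) are assumptions of this example.

```python
"""Detect Clop-style shadow-copy tampering and encrypt-then-delete activity.

Added example (not Carbon Black's code). All events below are constructed;
field names are assumed, not taken from any specific product schema.
"""
import re
from collections import defaultdict

# Command-line patterns for the tampering described in the Behavioral Summary.
# These are the generic command forms; the actual batch file is only shown as
# a screenshot in the notification.
SHADOW_TAMPER = [
    ("vssadmin_delete", re.compile(r"\bvssadmin(\.exe)?\b.*\bdelete\s+shadows\b", re.I)),
    ("vssadmin_resize", re.compile(r"\bvssadmin(\.exe)?\b.*\bresize\s+shadowstorage\b", re.I)),
    ("wmic_shadowcopy_delete", re.compile(r"\bwmic(\.exe)?\b.*\bshadowcopy\b.*\bdelete\b", re.I)),
    ("bcdedit_recovery_off", re.compile(r"\bbcdedit(\.exe)?\b.*\brecoveryenabled\s+no\b", re.I)),
    ("bcdedit_ignore_failures", re.compile(r"\bbcdedit(\.exe)?\b.*\bbootstatuspolicy\s+ignoreallfailures\b", re.I)),
]

RANSOM_EXTS = (".clop", ".ciop")     # extensions named in the Summary
RANSOM_NOTE = "ciopreadme.txt"       # ransom note name, compared case-insensitively


def classify_command(cmdline):
    """Return the tamper tags (in SHADOW_TAMPER order) matching one command line."""
    return [tag for tag, rx in SHADOW_TAMPER if rx.search(cmdline)]


def find_shadow_tampering(proc_events):
    """Group matching commands by parent PID, so the several cmd.exe children a
    batch file spawns show up as one cluster rather than isolated hits."""
    hits = defaultdict(list)
    for ev in proc_events:
        tags = classify_command(ev["cmdline"])
        if tags:
            hits[ev["ppid"]].extend(tags)
    return dict(hits)


def find_encryption_activity(file_events, min_renames=3):
    """Flag a process that creates files with a Clop extension while deleting
    the matching originals (encrypt-then-delete), or that drops the ransom note."""
    per_proc = defaultdict(lambda: {"created": set(), "deleted": set(), "note": False})
    for ev in file_events:
        p = per_proc[ev["pid"]]
        name = ev["path"].lower()
        if ev["op"] == "create" and name.endswith(RANSOM_EXTS):
            p["created"].add(name)
        elif ev["op"] == "delete":
            p["deleted"].add(name)
        if ev["op"] == "create" and name.rsplit("\\", 1)[-1] == RANSOM_NOTE:
            p["note"] = True
    findings = {}
    for pid, p in per_proc.items():
        # The original path is the encrypted path minus the appended extension.
        originals = {c.rsplit(".", 1)[0] for c in p["created"]}
        paired = originals & p["deleted"]
        if len(paired) >= min_renames or p["note"]:
            findings[pid] = {"encrypted_and_deleted": len(paired), "ransom_note": p["note"]}
    return findings


# Constructed sample telemetry. PPID 4100 stands for the cmd.exe that runs the
# batch file; PID 4200 stands for the ransomware process writing files.
PROC_EVENTS = [
    {"pid": 4120, "ppid": 4100, "cmdline": "vssadmin Delete Shadows /all /quiet"},
    {"pid": 4124, "ppid": 4100, "cmdline": "vssadmin resize shadowstorage /for=c: /on=c: /maxsize=unbounded"},
    {"pid": 4130, "ppid": 4100, "cmdline": "bcdedit /set {default} recoveryenabled No"},
    {"pid": 4131, "ppid": 4100, "cmdline": "bcdedit /set {default} bootstatuspolicy ignoreallfailures"},
    {"pid": 5000, "ppid": 1234, "cmdline": "vssadmin list shadows"},  # benign admin query
]

FILE_EVENTS = [
    {"pid": 4200, "op": "create", "path": r"C:\Users\bob\Documents\report.docx.ciop"},
    {"pid": 4200, "op": "delete", "path": r"C:\Users\bob\Documents\report.docx"},
    {"pid": 4200, "op": "create", "path": r"C:\Users\bob\Documents\budget.xlsx.ciop"},
    {"pid": 4200, "op": "delete", "path": r"C:\Users\bob\Documents\budget.xlsx"},
    {"pid": 4200, "op": "create", "path": r"C:\Users\bob\Pictures\photo.jpg.ciop"},
    {"pid": 4200, "op": "delete", "path": r"C:\Users\bob\Pictures\photo.jpg"},
    {"pid": 4200, "op": "create", "path": r"C:\Users\bob\Documents\CIopReadMe.txt"},
    {"pid": 6000, "op": "create", "path": r"C:\Users\bob\Documents\notes.txt"},  # unrelated
]

if __name__ == "__main__":
    print("shadow-copy tampering by parent PID:", find_shadow_tampering(PROC_EVENTS))
    print("encryption activity by PID:", find_encryption_activity(FILE_EVENTS))
```

Grouping by parent is what turns four individually noisy administrative commands into one high-confidence signal: a lone `vssadmin list shadows` from an administrator produces nothing, while a single parent that deletes shadows, resizes shadow storage and disables recovery within one batch is the pattern the notification describes.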


CB Defense also displays the processes carried out by the ransomware and the TTPs they triggered, and shows that the binary was digitally signed and verified.


If you are a Carbon Black customer and looking for more information on how CB products defend against this attack, click here.

Remediation:

MITRE ATT&CK TIDs

TID | Tactic | Description
---|---|---
T1107 | Defense Evasion | Shadow Copy Deletion By WMIC Or VSSAdmin
T1067 | Persistence | BCDEdit Or BCDBoot Use
T1059 | Execution | Command-Line Interface

Indicators of Compromise (IOCs)

Indicator | Type | Context
---|---|---
a867deb1578088d066941c40e598e4523ab5fd6c3327d3afb951073bee59fb02 | SHA256 | CryptoMix Clop Ransomware
a04eb443870896fbe9a0b6468c4844f7 | MD5 | CryptoMix Clop Ransomware
2ceeedd2f389c6118b4e0a02a535ebb142d81d35f38cab9a3099b915b5c274cb | SHA256 | CryptoMix Clop Ransomware
f21146030cbe2ebe5a8e3fd67df8e8f3 | MD5 | CryptoMix Clop Ransomware
0d19f60423cb2128555e831dc340152f9588c99f3e47d64f0bb4206a6213d579 | SHA256 | CryptoMix Clop Ransomware
738314aa6e07f9a625e4774ac1243a79 | MD5 | CryptoMix Clop Ransomware
