Article

Clop Ransomware in Action: A Comprehensive Analysis of Its Multi-Stage Tactics

1 Department of Hacking Security, Far East University, Eumseong-gun 27601, Republic of Korea
2 Smilegate Holdings, Seongnam-si 13493, Republic of Korea
3 Department of Computer Engineering, Sejong University, Seoul 05006, Republic of Korea
4 Department of Convergence Engineering for Intelligent Drones, Sejong University, Seoul 05006, Republic of Korea
5 Cyber Warfare Research Institute, Sejong University, Seoul 05006, Republic of Korea
* Author to whom correspondence should be addressed.
These authors contributed equally to this work.
Electronics 2024, 13(18), 3689; https://doi.org/10.3390/electronics13183689
Submission received: 22 July 2024 / Revised: 10 September 2024 / Accepted: 14 September 2024 / Published: 17 September 2024
(This article belongs to the Special Issue Network Security and Cryptography Applications)

Abstract

Recently, Clop ransomware attacks targeting non-IT fields such as distribution, logistics, and manufacturing have been rapidly increasing. These advanced attacks are particularly concentrated on Active Directory (AD) servers, causing significant operational and financial disruption to the affected organizations. In this study, the multi-step behavior of Clop ransomware was deeply investigated to decipher the sequential techniques and strategies of attackers. One of the key insights uncovered is the vulnerability in AD administrator accounts, which are often used as a primary point of exploitation. This study aims to provide a comprehensive analysis that enables organizations to develop a deeper understanding of the multifaceted threats posed by Clop ransomware and to build more strategic and robust defenses against them.

1. Introduction

Clop ransomware systematically targets and exploits Active Directory (AD) servers, which are critical for managing user and computer permissions within institutional and corporate networks. Such ransomware harms institutions and businesses by causing widespread damage and making recovery difficult. Additionally, the ransomware is designed to avoid encrypting systems in specific regions [1,2].
According to recent research and reports from around the world, including South Korea, ransomware attacks in the second quarter of 2023 were confirmed to have more than doubled compared to the same period of the previous year [3]. According to the ‘KARA Ransomware Trend Report’ published by Shields Communication Group, there were 1311 ransomware attacks in that quarter, an increase of 112% compared to the same period of the previous year and of 40.5% compared to the previous quarter. This significant upward trend is believed to be largely due to the aggressive activity of emerging ransomware groups, particularly Clop, which launched widespread attacks in May 2023 by exploiting a vulnerability in the MOVEit Transfer file transfer software (version 15.0 and earlier, CVE-2023-34362). MOVEit is a managed file transfer (MFT) solution that is widely used in enterprise environments to transfer data securely between systems. Exploiting this vulnerability allowed Clop ransomware to gain unauthorized access to sensitive files and spread within the network, further exacerbating the damage caused by the attack [4,5,6,7].
This study aims to decipher the attackers’ advanced techniques and strategies through an in-depth analysis of the multi-step behavior of Clop ransomware [8]. In particular, vulnerabilities in AD administrator accounts, which are frequently exploited as key entry points, are identified [9]. This comprehensive analysis helps organizations to thoroughly understand the multifaceted threat posed by Clop ransomware and to design more strategic and robust defenses [10].
To achieve this objective, the study uses a mixed methods approach. Quantitative data analysis is used to identify general patterns and trends in Clop ransomware attacks, while qualitative case studies provide deeper insight into specific incidents. This integrated approach provides a holistic view of the Clop ransomware threat landscape and helps develop effective countermeasures [11,12].
The organization of this paper is as follows: Section 2 describes the methodology, Section 3 discusses the characteristics of Clop ransomware, Section 4 is dedicated to the analysis of a Clop ransomware hacking attack case, Section 5 presents the indicators of compromise and countermeasures against Clop ransomware discovered through the analysis, and finally, the study is concluded in Section 6.

2. Methodology

This study utilizes both qualitative and quantitative research methods to analyze Clop ransomware. Data was collected from various sources, including actual ransomware samples, public and private security reports, and simulated environments. The screenshots presented in this paper were obtained through controlled experiments conducted in a secure lab environment where Clop ransomware was executed in isolated systems. These systems were designed to mimic real-world enterprise environments, allowing for the capture of detailed information regarding the ransomware’s behavior at each stage of its attack lifecycle. Additionally, the study analyzes data from real-world incidents reported by cybersecurity organizations to provide a comprehensive understanding of Clop’s impact.

3. Attack Characteristics of Clop Ransomware

Clop ransomware is generally known to target and attack AD servers, which are important for managing the key resources of organizations such as institutions and companies. Unlike traditional ransomware, which displays cryptocurrency wallet addresses, Clop ransomware warns users that their system is infected and then provides an email address for potential negotiations. This systematic targeting allows Clop ransomware to hold a large portion of institutional and corporate systems for ransom [13,14].
A characteristic of Clop ransomware is that it renames encrypted files by adding the ‘.clop’ extension, which is how the ransomware got the name ‘Clop Ransomware’. In particular, Clop is well known for deliberately avoiding the encryption of systems located in Russia and of systems using the 12 languages of the Russian Federation. This behavior is speculated to be a tactic employed by the cybercriminals to avoid legal repercussions from Russian authorities, as the ransomware is less likely to draw attention from local law enforcement if it avoids targeting Russian-speaking regions. This strategic evasion indicates that the actors behind Clop are likely aware of, and seek to avoid conflict with, Russian cybercrime regulations [15,16].
Clop ransomware is known to bypass the security solutions of organizations such as individual institutions and corporations and infiltrate organizations through carefully crafted spear phishing emails. These social engineering emails contain ransomware malware. Once executed, the malware tries to establish a connection to a Command and Control (C&C) server and sends additional malware to all connected systems [17,18].
The attack consists of four stages. These stages are characteristic of Advanced Persistent Threat (APT) attacks, which involve long-term, targeted cyberattacks with the intent to steal, disrupt, or gain access to sensitive information. Although Clop ransomware typically behaves as a financially motivated attack, its methodical approach to infiltrating networks, escalating privileges, and spreading laterally within compromised environments aligns with APT strategies. This indicates a sophisticated level of planning and execution typically associated with state-sponsored or highly organized cybercrime groups.
  • Initial Infiltration: Spear phishing email attacks combined with social engineering techniques are carried out to establish an initial base within an organization.
  • Lateral Movement: Once the initial point of entry is secured, ransomware spreads internally by exploiting vulnerabilities in Windows Server Message Block (SMB) protocols.
  • Escalation of Privilege: Once a hacker gains control of the administrator PC that manages a domain controller (DC), they install shellcode and memory hacking tools to gain control over the DC.
  • Ransomware Propagation: All systems connected to the domain controller are infected with ransomware.
Understanding the four steps makes it clear that Clop ransomware’s attack strategy is designed to exploit specific vulnerabilities in corporate networks. Therefore, it is essential for organizations to implement strong security measures to prevent and mitigate ransomware attacks.

4. Analysis of a Clop Ransomware Hacking Attack Case

In this section, a hacking attack by Clop ransomware is analyzed step by step to decipher the sequential techniques and strategies of the attackers.

4.1. Distribution of Reconnaissance

To provide a clearer understanding and facilitate rapid detection, the key Indicators of Compromise (IoCs) identified throughout this study are summarized in Table 1.
This table highlights the primary IoCs that can be used to detect Clop ransomware activity within a network. Security teams can use these indicators to enhance their monitoring and defense mechanisms. For example, Figure 1 shows the case where the IoC is a phishing email.

4.2. Ransomware Development Tools

  • Acquisition of Tools and Malicious Code: The attacker utilizes the commercial tool CobaltStrike (version 4.0 and earlier) for lateral movement within the target network, as shown in Figure 2 [18]. Additionally, for remote control purposes, the attacker uses malicious remote-control software such as Ammyy Admin, AmadeyBot, and TinyMet [19,20]. Most of this malicious code consists of open-source tools whose functionality has been slightly modified for the attackers’ purposes.
  • Malicious Code Creation: The attacker utilizes what appears to be a self-developed malicious tool to exploit Server Message Block (SMB) vulnerabilities for internal propagation [21,22], as illustrated in Figure 3. Figure 3 is significant as it visually represents the logging process that enables researchers to trace the modifications made by Clop ransomware during the delivery and execution of its payload within a compromised network.

4.3. Initial Infiltration

Phishing emails disguised as invoices, shipping bills, and pay slips are sent out, enticing victims to open the attached files. To infiltrate corporations, individuals are targeted with spear-phishing emails; the phishing tactics used include both attaching files and embedding malicious links in the email body [25]. Upon opening the malicious document attached to the email, the embedded macros are executed, downloading and running an additional malicious file, as shown in Figure 4 [23,26]. Before this malicious code downloads the additional malware, it checks whether the infected system is connected to an AD server (command: net user /domain), and if not, it terminates [24].
To masquerade as a normal program, malicious code is distributed with a digital signature [27]. If antivirus software is running, it refrains from performing malicious actions and terminates, as shown in Figure 5.

4.4. Lateral Movement

When connected to an AD server, the PC downloads and installs malware for remote control, and through this, additionally installs a hacking tool called CobaltStrike [28]. CobaltStrike can perform various malicious activities, one of which is the ability to propagate malware to internal systems through the exploitation of the SMB protocol vulnerability [29].
AD Verification: Before downloading additional files, the malicious code ‘vsupdate.exe’ that is downloaded through macro execution checks whether the infected system is connected to an AD server. As part of this process, the command net user /domain is executed to determine whether the system is part of a domain. The output of this command varies depending on whether the system is connected to a typical workgroup or an AD domain, as shown in Figure 6.
When an internal PC connected to AD is infected, the CobaltStrike hacking tool is used, and using the SMB protocol, files are created, and services are generated to spread malware throughout the internal system [30], as shown in Figure 7.

4.5. Discovery and Collection

Once the malware undergoes the authentication process and successfully connects, it collects and leaks information from the infected device to the C&C [31], as shown in Figure 8 and Figure 9.
Figure 8 is intended to illustrate the specific lines of code used by Clop ransomware to gather and exfiltrate device information to its Command and Control (C&C) server, a critical step in the ransomware’s information-gathering phase.

4.6. Privilege Escalation

During the internal movement, when access to the AD server’s administrator system is achieved, the built-in memory hacking tool ‘Mimikatz’ of CobaltStrike is used to acquire the administrator account, as shown in Figure 10.
To execute actions such as creating, deleting, and running services for the propagation of ransomware on the system when there is a need for elevated administrative privileges, the hacking tool attempts to use the built-in ‘Bypass User Account Control (UAC)’ function to acquire the permissions equivalent to the administrator [32], as shown in Figure 11 and Figure 12. Advanced attack techniques exploiting Security Account Manager (SAM) Hashes and Mimikatz are listed in Table 2.

4.7. Ransomware Propagation

In its sequence of malicious operations, the ransomware strategically terminates specific processes, enabling smoother file encryption. It encrypts pivotal files within the compromised system, renaming their extensions to ‘.clop’. Following this action, a ransom note titled ‘ClopReadMe.txt’ is created in the affected folders, providing victims with decryption guidelines. This ransomware further enforces the termination of an extensive list of processes, with a notable emphasis on those associated with database programs [33,34].

5. Indicators of Compromise and Countermeasures against Clop Ransomware

5.1. Countermeasures against Clop Ransomware

The evolution of ransomware has seen it become increasingly advanced, posing significant challenges for mitigation efforts. The decision to halt malicious processes, as depicted in Table 3, is strategic. Each terminated process plays a critical role in the ransomware’s ability to propagate and encrypt files. By proactively monitoring these IoCs, security teams can more effectively identify and neutralize threats before significant damage occurs [35,36].
Applications such as outlook.exe and thunderbird.exe, vital for communication, are disrupted, potentially hindering victims from seeking immediate assistance. By pausing database-oriented processes such as mysqld-nt.exe and sqlservr.exe, the ransomware may be strategizing to encrypt invaluable data, pressuring entities to fulfill ransom demands [37,38]. Interruptions to commonly used software such as wordpad.exe, powerpnt.exe, and excel.exe could severely disrupt organizational operations. Moreover, the cessation of platforms such as steam.exe indicates that the ransomware does not solely target businesses but also individual users, jeopardizing personal files, including game saves [39]. The consequences of this ransomware are manifold. Aside from the immediate encryption threat, interrupted processes can result in data losses, decreased productivity, and potential breaches of confidential data [40]. As victims grapple with the immediate ransom demands, they must also consider the long-term ramifications of interrupted processes and potential data breaches.
It is imperative, therefore, for both organizations and individuals to adopt preventive measures. These include regular data backups, continuous monitoring of system processes, and the use of up-to-date security tools. Being equipped with knowledge of the ransomware’s mode of operation is the first step in mounting a robust defense [41].
Furthermore, upon securing Administrator privileges on the Domain Controller (DC), these permissions facilitate the distribution of ransomware to systems connected to the DC. The ransomware exploits the SMB port (445) to transfer its malicious files onto the target system, subsequently registering them for execution. All compromised files are renamed with the ‘.clop’ extension, and the utilized encryption key is appended at the end of each encrypted file. After encryption, ransom notes are placed in various folders, notifying users of the security breach. The creation of the ‘clearsystem-10-1.bat’ file disables system recovery by deleting volume shadow copies, as demonstrated in Figure 13.
The ransomware script shown in Figure 13 systematically deletes volume shadow copies and resizes shadow storage across different drives, making it difficult for users to restore their data. Commands such as vssadmin delete shadows and vssadmin resize shadowstorage effectively limit the system’s ability to recover from the ransomware attack. Additionally, system recovery options are disabled using the bcdedit commands at the end of the script, further complicating restoration efforts.
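The command-line and file-system indicators described here and in Sections 4.3, 4.4 and 4.7 (the net user /domain check spawned from a macro-launched process, the vssadmin and bcdedit commands of clearsystem-10-1.bat, the ‘.clop’ renames and the ‘ClopReadMe.txt’ drops) can be turned into detection logic. The following Python script is an added example, not code from the paper: it runs a small rule set over constructed process-creation and file-event records and escalates the AD check when it follows an Office-spawned executable on the same host. The record field names, the sample records and the severity levels are assumptions.

```python
import re

# Constructed process-creation records for the demo (not data from the paper's lab runs).
# The fields mirror what Sysmon Event ID 1 or typical EDR telemetry carries.
PROCESS_EVENTS = [
    {"host": "WS-01", "parent": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "cmdline": r"C:\Users\u1\AppData\Local\Temp\vsupdate.exe"},
    {"host": "WS-01", "parent": r"C:\Users\u1\AppData\Local\Temp\vsupdate.exe",
     "cmdline": "net user /domain"},
    {"host": "DC-01", "parent": r"C:\Windows\System32\cmd.exe",
     "cmdline": "vssadmin delete shadows /all /quiet"},
    {"host": "DC-01", "parent": r"C:\Windows\System32\cmd.exe",
     "cmdline": "vssadmin resize shadowstorage /for=C: /on=C: /maxsize=401MB"},
    {"host": "DC-01", "parent": r"C:\Windows\System32\cmd.exe",
     "cmdline": "bcdedit /set {default} recoveryenabled No"},
    {"host": "WS-02", "parent": r"C:\Windows\explorer.exe",
     "cmdline": r"net use Z: \\fs01\share"},
]

# Constructed file-system records (Sysmon Event ID 11 style: created/renamed target paths).
FILE_EVENTS = [
    {"host": "DC-01", "target": r"C:\Shares\Finance\Q2-ledger.xlsx.clop"},
    {"host": "DC-01", "target": r"C:\Shares\Finance\ClopReadMe.txt"},
    {"host": "DC-01", "target": r"C:\Windows\Temp\clearsystem-10-1.bat"},
    {"host": "WS-02", "target": r"C:\Users\u2\Documents\notes.txt"},
]

OFFICE_APPS = ("WINWORD.EXE", "EXCEL.EXE", "POWERPNT.EXE")
SEVERITY_ORDER = {"high": 0, "medium": 1, "low": 2}


def office_parent(event):
    """True when an Office application spawned the process, i.e. a macro ran something."""
    return event["parent"].upper().endswith(OFFICE_APPS)


# (rule name, paper stage, regex over the command line, optional parent predicate, severity)
PROCESS_RULES = [
    ("office-spawned-executable", "4.3 Initial Infiltration",
     re.compile(r"\.exe$", re.I), office_parent, "medium"),
    ("ad-membership-check", "4.4 Lateral Movement",
     re.compile(r"^net\s+user\s+/domain\b", re.I), None, "low"),
    ("shadow-copy-deletion", "5.1 Recovery inhibition",
     re.compile(r"^vssadmin\s+delete\s+shadows\b", re.I), None, "high"),
    ("shadow-storage-resize", "5.1 Recovery inhibition",
     re.compile(r"^vssadmin\s+resize\s+shadowstorage\b", re.I), None, "high"),
    ("recovery-disabled", "5.1 Recovery inhibition",
     re.compile(r"^bcdedit\b.*\brecoveryenabled\s+no\b", re.I), None, "high"),
]

# (rule name, paper stage, regex over the target path, severity)
FILE_RULES = [
    ("clop-extension-rename", "4.7 Ransomware Propagation", re.compile(r"\.clop$", re.I), "high"),
    ("ransom-note-dropped", "4.7 Ransomware Propagation", re.compile(r"\\ClopReadMe\.txt$", re.I), "high"),
    ("recovery-wipe-script", "5.1 Recovery inhibition", re.compile(r"\\clearsystem-10-1\.bat$", re.I), "high"),
]


def scan_process_events(events):
    """Apply PROCESS_RULES to each record; returns one finding per matching rule."""
    findings = []
    for ev in events:
        for name, stage, pattern, parent_check, severity in PROCESS_RULES:
            if pattern.search(ev["cmdline"]) and (parent_check is None or parent_check(ev)):
                findings.append({"host": ev["host"], "rule": name, "stage": stage,
                                 "severity": severity, "evidence": ev["cmdline"]})
    return findings


def scan_file_events(events):
    """Apply FILE_RULES to each created/renamed path."""
    findings = []
    for ev in events:
        for name, stage, pattern, severity in FILE_RULES:
            if pattern.search(ev["target"]):
                findings.append({"host": ev["host"], "rule": name, "stage": stage,
                                 "severity": severity, "evidence": ev["target"]})
    return findings


def correlate(findings):
    """'net user /domain' is common admin activity on its own; escalate it when the same
    host also shows an Office-spawned executable (the macro -> vsupdate.exe -> AD check chain)."""
    rules_by_host = {}
    for f in findings:
        rules_by_host.setdefault(f["host"], set()).add(f["rule"])
    for f in findings:
        if f["rule"] == "ad-membership-check" and \
           "office-spawned-executable" in rules_by_host.get(f["host"], set()):
            f["severity"] = "high"
            f["stage"] += " (correlated with macro-spawned process)"
    return findings


def triage(process_events=PROCESS_EVENTS, file_events=FILE_EVENTS):
    """Full pass: scan both telemetry streams, correlate, sort by severity then host."""
    findings = correlate(scan_process_events(process_events)) + scan_file_events(file_events)
    return sorted(findings, key=lambda f: (SEVERITY_ORDER[f["severity"]], f["host"], f["rule"]))


if __name__ == "__main__":
    for f in triage():
        print(f"[{f['severity']:<6}] {f['host']:<6} {f['rule']:<26} {f['stage']}: {f['evidence']}")
```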
As shown in Figure 14, the ransomware sequentially reads the files targeted for encryption and proceeds with the encryption process. The attacker’s public key is embedded within the malicious code. For each file targeted for encryption, a unique encryption key is generated and used. This encryption key is then encrypted using the attacker’s embedded public key and appended at the end of the encrypted file [42].
Figure 15 shows a foundational insight into the encryption process exemplified by a code snippet. It visually conveys how the emphasized encryption mechanism in our research is implemented. Notably, this code specifically addresses the process of generating a unique encryption key for each file [43,44].
Figure 16 visually shows how the attacker’s public key is embedded into the data. Based on our research findings, this method of key insertion plays a pivotal role in the decryption process [45,46].
Figure 17 provides a detailed view of the structure of encrypted data, highlighting the placement of the ‘Clop^’ marker and the encrypted key. The Clop^ marker is particularly significant as it denotes the boundary between the encrypted data and the encrypted key. This structure provides essential insight into the ransomware’s encryption mechanism, helping to better understand its behavior and methodology [47].
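As an added example (not the paper’s code), the following Python script parses the file structure described in Figures 14 to 17: ciphertext, then the ‘Clop^’ marker, then the per-file key wrapped with the attacker’s public key, as a forensic triage step. It assumes the marker is the ASCII bytes Clop^, that the wrapped key runs from the marker to the end of the file, and that its length matches an RSA modulus size; the sample bytes are constructed, and no encryption is performed.

```python
import ntpath

# Marker the paper identifies (Figure 17) as the boundary between the ciphertext and the
# encrypted per-file key. Assumed here to be the ASCII bytes "Clop^".
CLOP_MARKER = b"Clop^"
# Assumption: the appended key is the per-file key wrapped with an RSA public key, so its
# length should equal a common RSA modulus size in bytes (1024/2048/4096-bit).
PLAUSIBLE_KEY_BLOB_LENS = {128, 256, 512}


def build_sample_clop_file(ciphertext: bytes, wrapped_key: bytes) -> bytes:
    """Constructed sample in the layout the paper describes: [ciphertext][Clop^][wrapped key].
    Used only to exercise the parser; no real encryption is performed."""
    return ciphertext + CLOP_MARKER + wrapped_key


def parse_clop_file(data: bytes):
    """Split a blob into (ciphertext, wrapped_key) at the last Clop^ occurrence.
    rfind is used because the key is appended at the very end and random-looking
    ciphertext could contain the marker bytes by chance. Returns None if absent."""
    idx = data.rfind(CLOP_MARKER)
    if idx < 0:
        return None
    return data[:idx], data[idx + len(CLOP_MARKER):]


def inspect_encrypted_file(filename: str, data: bytes) -> dict:
    """Forensic triage of one suspected Clop-encrypted file: checks the renamed extension,
    recovers the original name, validates the trailer structure and the wrapped-key length."""
    has_ext = filename.lower().endswith(".clop")
    report = {
        "filename": filename,
        "clop_extension": has_ext,
        "original_name": filename[:-len(".clop")] if has_ext else None,
    }
    parsed = parse_clop_file(data)
    if parsed is None:
        report.update(structure_ok=False, reason="Clop^ marker not found")
        return report
    ciphertext, wrapped_key = parsed
    report.update(
        structure_ok=True,
        marker_offset=len(ciphertext),
        ciphertext_len=len(ciphertext),
        wrapped_key_len=len(wrapped_key),
        key_len_plausible=len(wrapped_key) in PLAUSIBLE_KEY_BLOB_LENS,
    )
    return report


def find_ransom_note_targets(paths):
    """Given Windows-style paths from a directory listing, return the folders in which a
    ransom note sits beside .clop files, the end state the propagation stage produces."""
    folders_with_notes = {ntpath.dirname(p) for p in paths
                          if ntpath.basename(p) == "ClopReadMe.txt"}
    folders_with_clop = {ntpath.dirname(p) for p in paths if p.lower().endswith(".clop")}
    return sorted(folders_with_notes & folders_with_clop)


if __name__ == "__main__":
    # Constructed 1024-byte "ciphertext" and a 256-byte "wrapped key" (RSA-2048 sized).
    sample = build_sample_clop_file(bytes(range(256)) * 4, b"\x01" * 256)
    print(inspect_encrypted_file("Q2-ledger.xlsx.clop", sample))
    print(inspect_encrypted_file("notes.txt", b"plain text, not encrypted"))
```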
Figure 18 shows a flowchart that intricately illustrates the complete infection and propagation procedure of the Clop ransomware. Through this depiction, one can attain a profound understanding of the ransomware’s attack vectors and its operational mechanisms [48].

5.2. Targeted Countermeasures for Clop Ransomware

Clop ransomware’s attack strategies are highly specialized, particularly in their focus on exploiting Active Directory (AD) servers and leveraging vulnerabilities within Windows Server Message Block (SMB) protocols. To effectively defend against Clop, organizations should implement the following targeted countermeasures:
Firstly, since Clop ransomware frequently targets AD servers as a primary entry point, organizations must enforce strict access controls on AD administrator accounts. This includes utilizing multi-factor authentication (MFA) and conducting regular audits to detect unauthorized access attempts. Additionally, implementing tiered administrative models can limit the potential damage if an AD account is compromised, reducing the overall risk to the organization.
Secondly, considering that Clop exploits vulnerabilities in the SMB protocol for lateral movement within networks, it is crucial to regularly audit and patch these protocols. Disabling SMBv1, enforcing the use of SMBv2 or higher, and ensuring that only necessary services are running can significantly reduce the attack surface. Furthermore, network segmentation can help contain the spread of ransomware if an initial breach occurs, preventing the malware from easily moving across the network.
Thirdly, deploying Endpoint Detection and Response (EDR) systems specifically tuned to detect Clop ransomware’s Indicators of Compromise (IoCs) is essential. These systems should be configured to provide real-time alerts and automated responses to suspicious activities, particularly monitoring for the use of known malicious tools such as CobaltStrike and flagging unusual file modifications, such as the renaming of files with the ‘.clop’ extension. This proactive detection can prevent the ransomware from executing its intended damage.
Additionally, organizations should develop a comprehensive incident response plan that includes specific protocols for handling Clop ransomware attacks. Regularly conducting simulated ransomware attacks, such as red teaming exercises, can help identify gaps in the organization’s defense mechanisms and improve overall response time during an actual incident.
Finally, continuous training programs should be implemented to educate employees about the risks of spear phishing and social engineering, which are commonly used to deliver Clop ransomware. Employees should be trained to recognize and report suspicious emails and to follow best practices for email security, thereby reducing the likelihood of initial infiltration.
By implementing these targeted countermeasures, organizations can better protect themselves against the sophisticated tactics employed by Clop ransomware, thereby minimizing the risk of a successful attack and mitigating potential damage.

6. Conclusions

In this paper, the rapidly increasing Clop ransomware attacks targeting the manufacturing, logistics, and distribution sectors were analyzed. Clop ransomware typically employs an Advanced Persistent Threat (APT) attack strategy, in which it masquerades as a specific organization and sends emails with attached macro-enabled documents or executable files. Once the victim opens these attachments, the ransomware establishes its initial foothold within the organization.
Upon analyzing the root causes of incidents in companies targeted by Clop ransomware, it became evident that a vulnerable operational environment where the AD administrator account could be easily compromised was the primary reason for the breaches. While the AD server serves as a useful tool for organizational administrators to manage multiple systems, the moment a hacker gains control over the AD server management rights, it creates a crisis where access to all systems connected to the company’s AD server is granted to the hacker. To counteract Clop ransomware, organizations must strengthen access control for the AD administrator account and enhance employees’ ability to respond to hacking emails, such as spear phishing, through mock hacking drills. Additionally, there should be an increased focus on security, such as implementing offline backups for key data and equipment.

Author Contributions

Conceptualization, Y.L., J.L., and D.S.; methodology, Y.L.; software, D.R.; validation, Y.L., J.L., and H.P.; formal analysis, J.L.; investigation, D.R.; resources, H.P.; data curation, D.R.; writing—original draft preparation, Y.L. and J.L.; writing—review and editing, D.S.; visualization, H.P.; supervision, D.S.; project administration, D.S.; funding acquisition, D.S. All authors have read and agreed to the published version of the manuscript.

Funding

This work was supported by a National Research Foundation of Korea (NRF) grant funded by the Korean government (MSIT) (No. 2022R1F1A1074773).

Data Availability Statement

The data presented in this study are available on request from the corresponding author.

Conflicts of Interest

Author Jaeil Lee was employed by the company Smilegate Holdings. The remaining authors declare that the research was conducted in the absence of any commercial or financial relationships that could be construed as a potential conflict of interest.

References

  1. Lee, S.; Lee, S.; Park, J.; Kim, K.; Lee, K. Hiding in the Crowd: Ransomware Protection by Adopting Camouflage and Hiding Strategy With the Link File. IEEE Access 2023, 11, 92693–92704.
  2. Benmalek, M. Ransomware on Cyber-Physical Systems: Taxonomies, Case Studies, Security Gaps, and Open Challenges. Internet Things Cyber-Phys. Syst. 2024, 4, 186–202.
  3. Lee, J.; Yun, J.; Lee, K. A Study on Countermeasures against Neutralizing Technology: Encoding Algorithm-Based Ransomware Detection Methods Using Machine Learning. Electronics 2024, 13, 1030.
  4. Shields Communication Group, S.K. KARA Ransomware Trend Report. KARA (Korea Anti Ransomware Alliance). Gyeonggi-do, Republic of Korea. 2023. Available online: https://example.com (accessed on 10 November 2023).
  5. Flashpoint. Flashpoint’s Cyber Threat Intelligence Index. Flashpoint. 2023. Available online: https://flashpoint.io/wp-content/uploads/Flashpoint-Cyber-Threat-Intelligence-Index-Midyear.pdf (accessed on 10 November 2023).
  6. Acronis. Acronis Mid-year Cyberthreats Report 2023. Available online: https://staticfiles.acronis.com/downloads/637f0f0593b6057d941f9e38165412d0 (accessed on 10 November 2023).
  7. Health Sector Cybersecurity Coordination Center. Healthcare Sector Potentially at Risk from Critical Vulnerability in MOVEit Transfer Software. HC3. Health Sector Cybersecurity Coordination Center. 2023. Available online: https://www.aha.org/system/files/media/file/2023/06/tlp-clear-hc3-sector-alert-hhs-ocio-hc3-critical-moveit-transfer-software-vulnerability-sector-alert.pdf (accessed on 10 November 2023).
  8. Malik, M.I.; Ibrahim, A.; Hannay, P.; Sikos, L.F. Developing Resilient Cyber-Physical Systems: A Review of State-of-the-Art Malware Detection Approaches, Gaps, and Future Directions. Computers 2023, 12, 79.
  9. Bhardwaj, A.; Kaushik, K.; Maashi, M.S.; Aljebreen, M.; Bharany, S. Alternate Data Stream Attack Framework to Perform Stealth Attacks on Active Directory Hosts. Sustainability 2022, 14, 12288.
  10. Ganfure, G.O.; Wu, C.-F.; Chang, Y.-H.; Shih, W.-K. RTrap: Trapping and Containing Ransomware With Machine Learning. IEEE Trans. Inf. Forensics Secur. 2023, 18, 1433–1448.
  11. Almansoori, A.; Al-Emran, M.; Shaalan, K. Exploring the Frontiers of Cybersecurity Behavior: A Systematic Review of Studies and Theories. Appl. Sci. 2023, 13, 5700.
  12. Rawindaran, N.; Jayal, A.; Prakash, E. Machine Learning Cybersecurity Adoption in Small and Medium Enterprises in Developed Countries. Computers 2021, 10, 150.
  13. Boticiu, S.; Teichmann, F. How does one negotiate with ransomware attackers? Int. Cybersecur. Law Rev. 2024, 5, 55–65.
  14. Ispahany, J.; Islam, M.R.; Islam, M.Z.; Khan, M.A. Ransomware Detection Using Machine Learning: A Review, Research Limitations and Future Directions. IEEE Access 2024, 12, 68785–68813.
  15. Aslam, M.M.; Tufail, A.; Apong, R.A.A.H.M.; De Silva, L.C.; Raza, M.T. Scrutinizing Security in Industrial Control Systems: An Architectural Vulnerabilities and Communication Network Perspective. IEEE Access 2024, 12, 67537–67573.
  16. Singh, D.; Monga, S.; Tanwar, S.; Hong, W.-C.; Sharma, R.; He, Y.-L. Adoption of Blockchain Technology in Healthcare: Challenges, Solutions, and Comparisons. Appl. Sci. 2023, 13, 2380.
  17. Ren, Y.; Xiao, Y.; Zhou, Y.; Zhang, Z.; Tian, Z. CSKG4APT: A Cybersecurity Knowledge Graph for Advanced Persistent Threat Organization Attribution. IEEE Trans. Knowl. Data Eng. 2023, 35, 5695–5709.
  18. Patel, H.; Patel, D.; Ahluwalia, J.; Kapoor, V.; Narasimhan, K.; Singh, H.; Kaur, H.; Reddy, G.H.; Peruboina, S.S.; Butakov, S. Evaluation of Survivability of the Automatically Obfuscated Android Malware. Appl. Sci. 2022, 12, 4969.
  19. Rana, M.U.; Shah, M.A.; Ellahi, O. Malware Persistence and Obfuscation: An Analysis on Concealed Strategies. In Proceedings of the 2021 26th International Conference on Automation and Computing (ICAC), Portsmouth, UK, 2–4 September 2021; pp. 1–6.
  20. Kazi, M.A.; Woodhead, S.; Gan, D. An Investigation to Detect Banking Malware Network Communication Traffic Using Machine Learning Techniques. J. Cybersecur. Priv. 2023, 3, 1–23.
  21. Karantzas, G.; Patsakis, C. An Empirical Assessment of Endpoint Detection and Response Systems against Advanced Persistent Threats Attack Vectors. J. Cybersecur. Priv. 2021, 1, 387–421.
  22. Willems, D.; Kohls, K.; van der Kamp, B.; Vranken, H. Data Exfiltration Detection on Network Metadata with Autoencoders. Electronics 2023, 12, 2584.
  23. Akbanov, M.; Vassilakis, V.G.; Logothetis, M.D. WannaCry Ransomware: Analysis of Infection, Persistence, Recovery Prevention and Propagation Mechanisms. J. Telecommun. Inf. Technol. 2019, 1, 113–124.
  24. Akbanov, M.; Vassilakis, V.G.; Moscholios, I.D.; Logothetis, M.D. Static and Dynamic Analysis of WannaCry Ransomware. J. IEICE Inf. Commun. Technol. Forum 2018, 32, SESSION02_2.
  25. Sangani, N.K. Cyber Security Scenarios and Control for Small and Medium Enterprises. Inform. Econ. 2013, 62–63.
  26. Singh, P.; Tapaswi, S.; Gupta, S. Malware Detection in PDF and Office Documents: A Survey. Inf. Secur. J. Glob. Perspect. 2020, 29, 134–153.
  27. Syeda, D.Z.; Asghar, M.N. Dynamic Malware Classification and API Categorisation of Windows Portable Executable Files Using Machine Learning. Appl. Sci. 2024, 14, 1015.
  28. Cross, C.; Gillett, R. Exploiting trust for financial gain: An overview of business email compromise (BEC) fraud. J. Financ. Crime 2020, 27, 871–884.
  29. Alazab, M.; Broadhurst, R. Spam and Criminal Activity. Trends Issues Crime Crim. Justice 2016, 526, 1–20.
  30. van der Eijk, V.; Schuijt, C. Detecting Cobalt Strike beacons in NetFlow data. University of Amsterdam, 2022, 1–3. Available online: https://rp.os3.nl/2019-2020/p29/report.pdf (accessed on 10 November 2023).
  31. Maffia, L. Longitudinal Study of the Prevalence of Malware Evasive Techniques. arXiv 2021, arXiv:2112.11289.
  32. Yurchenko, Y. Implementation of the Elements of the Enterprise Protection System. Math. Mach. Syst. 2023, 2023, 75–81.
  33. Gazet, A. Comparative analysis of various ransomware virii. J. Comput. Virol. 2010, 6, 77–90.
  34. Olaimat, M.N.; Maarof, M.A.; Al-rimy, B.A.S. Ransomware Anti-Analysis and Evasion Techniques: A Survey and Research Directions. In Proceedings of the 2021 3rd International Cyber Resilience Conference (CRC), Langkawi Island, Malaysia, 29–31 January 2021; pp. 1–6.
  35. Sumbly, K.B.; Kannan, P.K.; Aralimara, L.A.; Sushma, E. Static and Dynamic Analysis of Clop Ransomware. In Proceedings of the 2022 IEEE International Conference on Cloud Computing in Emerging Markets (CCEM), Zurich, Switzerland, 12–14 December 2022; pp. 48–52.
  36. Fernando, D.W.; Komninos, N.; Chen, T. A Study on the Evolution of Ransomware Detection Using Machine Learning and Deep Learning Techniques. IoT 2020, 1, 551–604.
  37. Urooj, U.; Al-rimy, B.A.S.; Zainal, A.; Ghaleb, F.A.; Rassam, M.A. Ransomware Detection Using the Dynamic Analysis and Machine Learning: A Survey and Research Directions. Appl. Sci. 2022, 12, 172.
  38. Yamany, B.; Elsayed, M.S.; Jurcut, A.D.; Abdelbaki, N.; Azer, M.A. A New Scheme for Ransomware Classification and Clustering Using Static Features. Electronics 2022, 11, 3307.
  39. Tariq, U.; Ullah, I.; Yousuf Uddin, M.; Kwon, S.J. An Effective Self-Configurable Ransomware Prevention Technique for IoMT. Sensors 2022, 22, 8516.
  40. McDonald, G.; Papadopoulos, P.; Pitropakis, N.; Ahmad, J.; Buchanan, W.J. Ransomware: Analysing the Impact on Windows Active Directory Domain Services. Sensors 2022, 22, 953.
  41. Gómez Hernández, J.A.; García Teodoro, P.; Magán Carrión, R.; Rodríguez Gómez, R. Crypto-Ransomware: A Revision of the State of the Art, Advances and Challenges. Electronics 2023, 12, 4494.
  42. Herrera Silva, J.A.; Barona López, L.I.; Valdivieso Caraguay, Á.L.; Hernández-Álvarez, M. A Survey on Situational Awareness of Ransomware Attacks—Detection and Prevention Parameters. Remote Sens. 2019, 11, 1168.
  43. Lee, S.; Park, M.; Kim, J. Magniber v2 Ransomware Decryption: Exploiting the Vulnerability of a Self-Developed Pseudo Random Number Generator. Electronics 2021, 10, 16.
  44. Rahman, Z.; Yi, X.; Billah, M.; Sumi, M.; Anwar, A. Enhancing AES Using Chaos and Logistic Map-Based Key Generation Technique for Securing IoT-Based Smart Home. Electronics 2022, 11, 1083.
  45. Dridi, F.; El Assad, S.; El Hadj Youssef, W.; Machhout, M.; Lozi, R. Design, Implementation, and Analysis of a Block Cipher Based on a Secure Chaotic Generator. Appl. Sci. 2022, 12, 9952.
  46. Gui, R.; Yang, L.; Gui, X. An Order-Preserving Encryption Scheme Based on Weighted Random Interval Division for Ciphertext Comparison in Wearable Systems. Sensors 2022, 22, 7950. [Google Scholar] [CrossRef]
  47. Hagras, E.A.A.; Aldosary, S.; Khaled, H.; Hassan, T.M. Physical Layer Authenticated Image Encryption for IoT Network Based on Biometric Chaotic Signature for MPFrFT OFDM System. Sensors 2023, 23, 7843. [Google Scholar] [CrossRef]
  48. Gookyi, D.A.N.; Ryoo, K. A Lightweight System-On-Chip Based Cryptographic Core for Low-Cost Devices. Sensors 2022, 22, 3004. [Google Scholar] [CrossRef]
Figure 1. Email client data collection flow from a compromised system to the hacker server.
Figure 2. Exploitation Strategies: Using commercial tools and customized malware for network infiltration.
Figure 3. Log Analysis: Tracking payload delivery and service modifications.
Figure 4. Malicious macro activation prompt in Microsoft Office.
Figure 5. Malware bypass function that checks for antivirus processes.
Figure 6. AD server connection verification.
Figure 7. Malware propagation via the SMB protocol in AD-connected systems.
Figure 8. Malware code for device information collection.
Figure 9. Extracted device information sent to C&C.
Figure 10. Executing the Mimikatz Command through CobaltStrike for Admin Credentials.
Figure 11. Using CobaltStrike’s Bypass UAC for elevated privileges.
Figure 12. SMB protocol vulnerability and internal attack using Bypass UAC.
Figure 13. System recovery disabling script.
Figure 14. The ransomware sequentially reads the files targeted for encryption and proceeds with the encryption process.
Figure 15. Encryption algorithm code.
Figure 16. Hexadecimal data view with an embedded public key.
Figure 17. Structure of encrypted data in the hexadecimal view.
Figure 18. Clop ransomware infection and propagation flow.
Table 1. Summary of Indicators of Compromise (IoCs) for Clop Ransomware.
| Indicator of Compromise (IoC) | Description | Example |
| --- | --- | --- |
| Phishing Emails | Spear-phishing emails with malicious attachments | Invoice_2023.pdf |
| CobaltStrike Beacons | Tool used for lateral movement in compromised networks | CobaltStrike.exe |
| ‘.clop’ File Extension | Files encrypted by Clop with this extension | document.txt.clop |
| Email Stealer Malware | Collects email addresses from compromised systems | example_stealer.exe |
Table 2. Advanced Attack Techniques: Exploiting SAM Hashes and Mimikatz.
| Term | Description |
| --- | --- |
| Bypass UAC | Bypassing the User Account Control (UAC) security feature |
| Dump Hashes | Extracting password hashes from the SAM database |
| Golden Ticket | Using the krbtgt ticket’s hash to generate unauthorized Kerberos tickets |
| Make Token | Creating a new token for unauthorized access |
| Run Mimikatz | Executing Mimikatz to extract plain-text passwords and other secrets from the OS memory |
Table 3. Terminated processes for ransomware activity.
List of Processes to Terminate:
| zoclove.exe | thebats64.exe | outlook.exe | mspub.exe |
| mysqld-nt.exe | envoy.exe | wordpad.exe | sqlbrowser.exe |
| sysTime.exe | ossls.exe | iaglsplus.exe | NTAGMng.exe |
| agents.exe | thunderbird.exe | powerpnt.exe | mysqldoos.exe |
| mysqld-opt.exe | excel.exe | visio.exe | sqlservr.exe |
| thbirdcng.exe | onenote.exe | msoia.exe | NTsansvc.exe |
| outloowds.exe | visio.exe | sqlbrowser.exe | mydesktop service.exe |
| thebat.exe | oracle.exe | reflector.exe | sctui.manager.exe |
| dbsnmp.exe | winword.exe | sglagent.exe | rambntvy.exe |
| comm.exe | infopath.exe | FMTMon.exe | steam.exe |
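As an added defensive example (not code from the paper), the following Python turns the Table 3 kill list into a detection: it flags a parent process that terminates several of those names within a short window, the footprint a pre-encryption kill routine leaves in process-termination telemetry, while a single Office application exiting is never enough to trip it. The log line format, the parent/child fields, the threshold and the 30-second window are assumptions, and the sample log is constructed.

```python
from collections import defaultdict
from datetime import datetime, timedelta
# Process names from Table 3 (lower-cased); duplicates in the table collapse into the set.
CLOP_KILL_LIST = {
    "zoclove.exe", "thebats64.exe", "outlook.exe", "mspub.exe", "mysqld-nt.exe", "envoy.exe",
    "wordpad.exe", "sqlbrowser.exe", "systime.exe", "ossls.exe", "iaglsplus.exe", "ntagmng.exe",
    "agents.exe", "thunderbird.exe", "powerpnt.exe", "mysqldoos.exe", "mysqld-opt.exe", "excel.exe",
    "visio.exe", "sqlservr.exe", "thbirdcng.exe", "onenote.exe", "msoia.exe", "ntsansvc.exe",
    "outloowds.exe", "mydesktop service.exe", "thebat.exe", "oracle.exe", "reflector.exe", "sctui.manager.exe",
    "dbsnmp.exe", "winword.exe", "sglagent.exe", "rambntvy.exe",
    "comm.exe", "infopath.exe", "fmtmon.exe", "steam.exe",
}
def parse_event(line):
    """Parse one assumed log line: '<ISO time> TERMINATE parent=<name> child=<name>'."""
    ts, action, parent, child = line.split(maxsplit=3)  # child may contain a space
    if action != "TERMINATE":
        return None
    return (datetime.fromisoformat(ts),
            parent.split("=", 1)[1].lower(), child.split("=", 1)[1].lower())
def detect_kill_bursts(lines, threshold=4, window=timedelta(seconds=30)):
    """Return {parent: n} for parents that ended >= threshold distinct kill-list processes inside one window."""
    by_parent = defaultdict(list)
    for line in lines:
        ev = parse_event(line)
        if ev and ev[2] in CLOP_KILL_LIST:
            by_parent[ev[1]].append((ev[0], ev[2]))
    hits = {}
    for parent, evs in by_parent.items():
        evs.sort()
        start = 0
        for end in range(len(evs)):
            while evs[end][0] - evs[start][0] > window:  # slide the window forward
                start += 1
            distinct = {name for _, name in evs[start:end + 1]}
            if len(distinct) >= threshold:
                hits[parent] = max(hits.get(parent, 0), len(distinct))
    return hits
# Constructed sample log: a slow, benign sequence from explorer.exe and a burst from an unknown parent.
SAMPLE_LOG = [
    "2024-03-01T10:00:00 TERMINATE parent=explorer.exe child=outlook.exe",
    "2024-03-01T10:10:00 TERMINATE parent=explorer.exe child=excel.exe",
    "2024-03-01T10:20:00 TERMINATE parent=explorer.exe child=winword.exe",
    "2024-03-01T10:30:00 TERMINATE parent=explorer.exe child=powerpnt.exe",
    "2024-03-01T11:00:00 TERMINATE parent=unknown.exe child=outlook.exe",
    "2024-03-01T11:00:01 TERMINATE parent=unknown.exe child=excel.exe",
    "2024-03-01T11:00:02 TERMINATE parent=unknown.exe child=winword.exe",
    "2024-03-01T11:00:03 TERMINATE parent=unknown.exe child=sqlservr.exe",
    "2024-03-01T11:00:04 TERMINATE parent=unknown.exe child=notepad.exe",  # not on the list
]
```

Running `detect_kill_bursts(SAMPLE_LOG)` flags only `unknown.exe`; the same four terminations spread over half an hour from explorer.exe stay below the window and are ignored.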
Lee, Y.; Lee, J.; Ryu, D.; Park, H.; Shin, D. Clop Ransomware in Action: A Comprehensive Analysis of Its Multi-Stage Tactics. Electronics 2024, 13, 3689. https://doi.org/10.3390/electronics13183689