Ransomware Recap: Clop, DeathRansom, and Maze Ransomware

ransomware-recap-clop-deathransom-mazeUpdated on January 6, 2020 at 10:03 PM PST to change hashes to SHA-256 under IoCs.

As the new year rolls in, new developments in different ransomware strains have emerged. Clop ransomware has evolved to integrate a process killer that targets Windows 10 apps and various applications. DeathRansom, with initial versions that masqueraded as ransomware, now has the ability to encrypt files. Maze ransomware has been increasingly targeting U.S. companies for stealing and encrypting data, as alerted by the Federal Bureau of Investigation (FBI).

Clop ransomware kills Windows 10 apps, other processes

The latest Clop ransomware variant has been updated and is now capable of terminating a total of 663 Windows processes, including Windows 10 and Microsoft Office applications, before proceeding with its encryption routine. It is not uncommon for ransomware variants to terminate processes before encrypting files; some attackers even disable security software to evade detection. This action could either mean that configuration files used by some of the terminated processes are targeted for encryption or the threat actors are merely trying to ensure that the malware closes as many files as possible for successful encryption.

The Clop ransomware variant executes a “process killer” before starting the encryption processes. The disabled target processes include debuggers, text editors, and programming IDEs and languages running on the infected system. Security researcher Vitali Kremez enumerates the full list of terminated processes in his GitHub repository.

Clop first cropped up as a variant of the CryptoMix ransomware family. The ransomware has since been tweaked to reportedly target entire networks instead of individual machines and even attempt disabling Windows Defender and other security tools. Last December, the ransomware hit “almost all Windows systems” at Maastricht University.

DeathRansom ransomware evolves from fake ransomware to actual encrypting ransomware

Initially considered a joke, DeathRansom has now been found capable of encrypting files.

Initial versions of DeathRansom pretended to be a ransomware and did not encrypt anything. Operators would attempt to trick users by adding a file extension to all of a target’s files and dropping a ransom note on the computer asking for money. All a user had to do, however, was to remove the appended .wctc extension from any file to regain access to files.

But the newer versions are different. Fortinet researchers published a two-part analysis describing how DeathRansom now functions as an actual ransomware. The variant uses a combination of Curve25519 algorithm for the Elliptic Curve Diffie-Hellman (ECDH) key exchange scheme, Salsa20, RSA-2048, AES-256 ECB, and a simple block XOR algorithm for its encryption scheme. DeathRansom currently spreads through phishing campaigns.

Maze ransomware combines theft and encryption to target US companies, FBI warns

The FBI has released an advisory concerning a spate of Maze ransomware attacks that increasingly focus on U.S. companies, stealing their information then encrypting it for extortion.

Distributed in late December 2019, the warning indicates that the Bureau first observed the ransomware being wielded against U.S. victims last November. Upon successfully breaching the network, threat actors exfiltrate company files before encrypting machines and network shares. The actors then demand a target-specific ransom in exchange for the decryption key.

Maze ransomware takes advantage of different methods to breach a network, including fake cryptocurrency sites, malspam campaigns, and even exploit kits. In the past, Maze ransomware operators have released stolen data from targets, ranging from a U.S. city’s computer systems to a wire and cable manufacturer, that did not pay the ransom.

How to defend against ransomware

Organizations can strengthen their defenses against ransomware by updating their systems and applications to the latest versions and using multi-factor authentication. In case of a ransomware infection, we advise against paying the ransom as this does not guarantee the recovery of the encrypted files and may only encourage threat actors to further attack organizations. Here are other measures users and organizations can take to protect against ransomware:

  • Create an effective backup strategy by following the 3-2-1 rule
  • Adopt strong passwords throughout the network
  • Consider network segmentation to separate important processes and systems from the wider access network
  • Increase awareness of how ransomware spreads, i.e., through spammed emails and attachments
  • Monitor and audit network traffic for any suspicious behaviors or anomalies

Trend Micro solutions such as the Smart Protection Suites and Worry-Free Business Security solutions, which have behavior monitoring capabilities, can protect users and businesses from these types of threats by detecting malicious files, scripts, and messages as well as blocking all related malicious URLs. Trend Micro XGen security provides a cross-generational blend of threat defense techniques against a full range of threats for data centerscloud environmentsnetworks, and endpoints. It infuses high-fidelity machine learning with other detection technologies and global threat intelligence for comprehensive protection against advanced malware.

Indicators of Compromise (IoCs)

Clop

Related hashes
2ceeedd2f389c6118b4e0a02a535ebb142d81d35f38cab9a3099b915b5c274cb - detected as Ransom.Win32.CLOP.SMK
a867deb1578088d066941c40e598e4523ab5fd6c3327d3afb951073bee59fb02 - detected as Ransom.Win32.CLOP.THCODAI

Related email addresses
kensgilbomet@protonmail[.]com
unlock@eqaltech[.]su
unlock@royalmail[.]su

DeathRansom

Related hashes
6247f283d916b1cf0c284f4c31ef659096536fe05b8b9d668edab1e1b9068762 - detected as Ransom.Win32.DEATHRANSOM.C
ab828f0e0555f88e3005387cb523f221a1933bbd7db4f05902a1e5cc289e7ba4 - detected as Ransom.Win32.DEATHRANSOM.C
fedb4c3b0e080fb86796189ccc77f99b04adb105d322bddd3abfca2d5c5d43c8 - detected as Ransom.Win32.DEATHRANSOM.C
66ee3840a9722d3912b73e477d1a11fd0e5468769ba17e5e71873fd519e76def - detected as Ransom.Win32.DEATHRANSOM.C
0cf124b2afc3010b72abdc2ad8d4114ff1423cce74776634db4ef6aaa08af915 - detected as Ransom.Win32.DEATHRANSOM.C
4bc383a4daff74122b149238302c5892735282fa52cac25c9185347b07a8c94c - detected as Ransom.Win32.DEATHRANSOM.C
2b9c53b965c3621f1fa20e0ee9854115747047d136529b41872a10a511603df8 - detected as Ransom.Win32.DEATHRANSOM.C
05b762354678004f8654e6da38122e6308adf3998ee956566b8f5d313dc0e029 - detected as Ransom.Win32.DEATHRANSOM.C
f78a743813ab1d4eee378990f3472628ed61532e899503cc9371423307de3d8b - detected as Ransom.Win32.DEATHRANSOM.C
13d263fb19d866bb929f45677a9dcbb683df5e1fa2e1b856fde905629366c5e1 - detected as Ransom.Win32.DEATHRANSOM.C
dc9ff5148e26023cf7b6fb69cd97d6a68f78bb111dbf39039f41ed05e16708e4 - detected as Trojan.Win32.DEATHRANSOM.A
7c2dbad516d18d2c1c21ecc5792bc232f7b34dadc1bc19e967190d79174131d1 - detected as Ransom.Win32.DEATHRANSOM.THKBOAIA
e767706429351c9e639cfecaeb4cdca526889e4001fb0c25a832aec18e6d5e06 - detected as TSPY_EVRIAL.SMA
a45a75582c4ad564b9726664318f0cccb1000005d573e594b49e95869ef25284 - detected as TROJ_DELF.XXWS
1e1fcb1bcc88576318c37409441fd754577b008f4678414b60a25710e10d4251 - detected as Coinminer_MALXMR.SMBM-WIN32

Related malicious URLs
bitbucket[.]org/scat01/
gameshack[.]ru

iplogger[.]org/1Zqq77
scat01.mcdir[.]ru
scat01[.]tk

Maze

Related hash
e8a091a84dd2ea7ee429135ff48e9f48f7787637ccb79f6c3eb42f34588bc684 - detected as Ransom.Win32.MAZE.H

Related malicious network communication
hxxp://92.63.8.47
hxxp://92.63.32.2
hxxp://92.63.37.100
hxxp://92.63.194.20
hxxp://92.63.17.245
hxxp://92.63.32.55
hxxp://92.63.11.151
hxxp://92.63.194.3
hxxp://92.63.15.8
hxxp://92.63.29.137
hxxp://92.63.32.57
hxxp://92.63.15.56
hxxp://92.63.32.52
hxxp://92.63.15.6

Related email address
filedecryptor@nuke[.]africa

HIDE

Like it? Add this infographic to your site:
1. Click on the box below.   2. Press Ctrl+A to select all.   3. Press Ctrl+C to copy.   4. Paste the code into your page (Ctrl+V).

Image will appear the same size as you see above.