Updated on January 6, 2020 at 10:03 PM PST to change hashes to SHA-256 under IoCs.
As the new year rolls in, new developments in different ransomware strains have emerged. Clop ransomware has evolved to integrate a process killer that targets Windows 10 apps and various applications. DeathRansom, whose initial versions merely masqueraded as ransomware, now has the ability to encrypt files. Maze ransomware has been increasingly targeting U.S. companies to steal and then encrypt their data, according to an alert from the Federal Bureau of Investigation (FBI).
Clop ransomware kills Windows 10 apps, other processes
The latest Clop ransomware variant has been updated and is now capable of terminating a total of 663 Windows processes, including Windows 10 and Microsoft Office applications, before proceeding with its encryption routine. It is not uncommon for ransomware variants to terminate processes before encrypting files; some attackers even disable security software to evade detection. This could mean either that configuration files used by some of the terminated processes are themselves targeted for encryption, or that the threat actors are simply trying to ensure that as many files as possible are closed (and therefore not locked by a running process) so that encryption succeeds.
The Clop ransomware variant executes a “process killer” before starting its encryption routine. The terminated target processes include debuggers, text editors, and programming IDEs and language runtimes running on the infected system. Security researcher Vitali Kremez enumerates the full list of terminated processes in his GitHub repository.
Clop first cropped up as a variant of the CryptoMix ransomware family. The ransomware has since been tweaked to reportedly target entire networks instead of individual machines, and even to attempt to disable Windows Defender and other security tools. Last December, the ransomware hit “almost all Windows systems” at Maastricht University.
DeathRansom ransomware evolves from fake ransomware to actual encrypting ransomware
Initially considered a joke, DeathRansom has now been found capable of encrypting files.
Initial versions of DeathRansom pretended to be ransomware but did not encrypt anything. Operators would attempt to trick users by appending a file extension to all of a target’s files and dropping a ransom note on the computer asking for money. All a user had to do, however, was remove the appended .wctc extension from a file to regain access to it.
But the newer versions are different. Fortinet researchers published a two-part analysis describing how DeathRansom now functions as actual ransomware. The variant uses a combination of the Curve25519 algorithm for its Elliptic Curve Diffie-Hellman (ECDH) key exchange, Salsa20, RSA-2048, AES-256 ECB, and a simple block XOR algorithm in its encryption scheme. DeathRansom currently spreads through phishing campaigns.
Maze ransomware combines theft and encryption to target US companies, FBI warns
The FBI has released an advisory concerning a spate of Maze ransomware attacks that increasingly focus on U.S. companies, stealing their information then encrypting it for extortion.
Distributed in late December 2019, the warning indicates that the Bureau first observed the ransomware being wielded against U.S. victims last November. Upon successfully breaching the network, threat actors exfiltrate company files before encrypting machines and network shares. The actors then demand a target-specific ransom in exchange for the decryption key.
Maze ransomware takes advantage of different methods to breach a network, including fake cryptocurrency sites, malspam campaigns, and even exploit kits. Maze ransomware operators have previously published data stolen from targets that did not pay the ransom, ranging from a U.S. city’s computer systems to a wire and cable manufacturer.
How to defend against ransomware
Organizations can strengthen their defenses against ransomware by updating their systems and applications to the latest versions and using multi-factor authentication. In case of a ransomware infection, we advise against paying the ransom as this does not guarantee the recovery of the encrypted files and may only encourage threat actors to further attack organizations. Here are other measures users and organizations can take to protect against ransomware:
Create an effective backup strategy by following the 3-2-1 rule
Adopt strong passwords throughout the network
Consider network segmentation to separate important processes and systems from the wider access network
Increase awareness of how ransomware spreads, e.g., through spammed emails and attachments
Monitor and audit network traffic for any suspicious behaviors or anomalies
Related hashes (SHA-256):
2ceeedd2f389c6118b4e0a02a535ebb142d81d35f38cab9a3099b915b5c274cb - detected as Ransom.Win32.CLOP.SMK
a867deb1578088d066941c40e598e4523ab5fd6c3327d3afb951073bee59fb02 - detected as Ransom.Win32.CLOP.THCODAI
Related email addresses:
kensgilbomet@protonmail[.]com
unlock@eqaltech[.]su
unlock@royalmail[.]su