Executive Summary

The ransomware Clop has hit the network of conglomerate and retail giant in South Korea which suspended nearly half of stores due to its attack. We have analyzed the ransomware related to the incident and the summary of the analysis can be seen below.
- A new variant of the Clop ransomware seems to generate separate key files and store encryption keys for each encrypted files as opposed to the previous behavior of changing the file content and extension and saving the encryption key at the final stage
- Key File Extension : .cllp
- Key File Header : Cllp^_-
- Ransom Note: We have identified that the contact email used in ransom note is identical to the email used by Clop Ransomware on the Dark Web where they leak corporate data when negotiations fails.
We have also detected the same variant of the ransomware that contained identical signatures on Virus Total (Build time: Nov-21-2020).

Distribution

We have yet finalized the deploying patterns but we can assume the intrusion technique by referring to previous incidents.
1. Network intrusion using SMB exploit.
2. A massive deployment by compromised administrator account of an Active Directory.
3. Malicious document files distributed as attachments via spear phishing emails.

Analysis of Clop Ransomware (#01)

1) Basic Properties (#01, Marker for Relation Analysis)

MD5 : 8b6c413e2539823ef8f8b85900d19724 SHA-1 : 2d92a9ec1091cb801ff86403374594c74210cd44 SHA-256 : 3d94c4a92382c5c45062d8ea0517be4011be8ba42e9c9a614a99327d0ebdf05b Type : Win32 EXE (PE32 executable for MS Windows (GUI) Intel 80386 32-bit) Build Time : 2020-11-20 18:18:18

Executive Summary

Distribution

Analysis of Clop Ransomware (#01)

1) Basic Properties (#01, Marker for Relation Analysis)

2) Malware Behaviour

Full execution flow of Clop ransomware