[ Clop ransomware variant ]
[Virus/malware activity reported: Clop ransomware variant]
Because of a breach believed to involve a variant of the Clop ransomware,
we are confirming the situation and issuing the following warning.
Virus/malware activity target items and information
- Confirmation date: Monday, November 23, 2020
- Damage occurred: Sunday, November 22, 2020. Many cases of damage are estimated to have occurred within the group.
- Operating system: Expected to be Windows 7 or later. Applies to both general PC and server OS.
- Additional information: Attacks the entire disk and network shared data
- Detailed analysis: Ransomware distribution and system intrusion methods / Confirmation of infection-related matters / Recommendations for general measures to prepare for infection
Ransomware distribution and system intrusion methods
The direct intrusion route and distribution method for this incident are still under investigation and are not yet clearly known.
Based on analysis of previous Clop ransomware attacks and sample files, we describe the expected intrusion methods for general PC and server operating systems. Please review your environment from multiple angles: system security patches, security product updates, operation and management, and compliance with user security management rules.
[Common to server and PC]
Insufficient security settings lead to ransomware infection and, as a result, major data leakage
- If systems with insufficient security settings remain in use, they are highly likely to become an internal intrusion point through SMB vulnerabilities.
- In a VPN environment built for convenient access to the internal network, if security updates are not applied to the account management and access systems, there is a high possibility of large-scale infection spreading to internal systems through administrator account leaks and similar causes.
- If you continue to use operating systems and software that no longer receive security updates because support has ended, and therefore cannot patch their security vulnerabilities, there is a high possibility of system damage according to the attacker's purposes, regardless of the user's intention.
[Focused on user PC environment]
Because security rules are not properly followed while the system is in use, additional ransomware damage often follows an initial malware intrusion.
- Executing malicious email attachments disguised as official documents, resumes, quotations, etc. without verifying them.
- Executing files illegally disguised as, for example, the latest movies downloaded through P2P programs.
- Continuing to use a vulnerable browser version (IE: Internet Explorer) allows malicious code (ransomware) to infiltrate the system simply by visiting a website containing hidden malicious code.
In particular, security patch support for the general Windows 7 operating system and for Windows Server 2008 and 2008 R2 ended on January 14, 2020, and new ransomware exploits system vulnerabilities even in the latest Windows 10 and Windows Server 2019 versions. If it is distributed and executed on such a system, system infection and damage will inevitably occur.
Check for infection-related information
- After the Clop variant ransomware executable is run, its executable code is allocated in memory.
- The main code is executed after the original file self-deletes.
- The ransomware registers itself as a system service and runs as that service.
- It checks for duplicate execution of itself and attempts to obtain system privileges, then runs additional routines.
- It deletes the event log and checks the entire local drive before attempting encryption.
- It attempts encryption while traversing every reachable location on the network.
- It attempts to encrypt target files on the system C drive.
- It creates an encryption-related ransom note (README_README.txt).
- It demands additional payment for recovery and threatens to leak the victim's data if they do not comply.
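The behaviours listed above (service registration, event-log deletion, the README_README.txt ransom note) can be correlated per host from standard Windows telemetry. The following is an added detection example, not part of the bulletin or the vendor's product; the log records are constructed, the field names are assumed, and the event IDs used are the standard ones (System 7045 = service installed, Security 1102 = audit log cleared, Sysmon 11 = file created).

```python
"""Correlate per-host log records for the Clop-variant behaviours the bulletin lists:
service registration, event-log clearing and creation of the README_README.txt note."""
from collections import defaultdict

# Constructed sample records (not real telemetry); field names are assumed.
SAMPLE_LOGS = [
    {"host": "WS-01", "channel": "System", "event_id": 7045,
     "service_name": "svchost_helper", "image_path": "C:\\Users\\Public\\svc.exe"},
    {"host": "WS-01", "channel": "Security", "event_id": 1102, "subject": "WS-01\\admin"},
    {"host": "WS-01", "channel": "Sysmon", "event_id": 11,
     "target_filename": "C:\\Users\\alice\\Documents\\README_README.txt"},
    {"host": "SRV-02", "channel": "System", "event_id": 7045,
     "service_name": "BackupAgent", "image_path": "C:\\Program Files\\Backup\\agent.exe"},
    {"host": "FS-03", "channel": "Sysmon", "event_id": 11,
     "target_filename": "\\\\fs-03\\share\\finance\\README_README.txt"},
]

RANSOM_NOTE = "readme_readme.txt"  # ransom note name from the bulletin, matched case-insensitively


def indicators_for(record):
    """Map one record to the bulletin behaviours it matches (may be empty)."""
    hits = set()
    if record["channel"] == "System" and record["event_id"] == 7045:
        hits.add("service_registered")
    if record["channel"] == "Security" and record["event_id"] == 1102:
        hits.add("event_log_cleared")
    if (record["channel"] == "Sysmon" and record["event_id"] == 11
            and record.get("target_filename", "").lower().endswith(RANSOM_NOTE)):
        hits.add("ransom_note_written")
    return hits


def correlate(records):
    """Return {host: sorted indicator list} for every host that matched at least one rule."""
    per_host = defaultdict(set)
    for rec in records:
        per_host[rec["host"]] |= indicators_for(rec)
    return {host: sorted(inds) for host, inds in per_host.items() if inds}


def triage(records):
    """A ransom note, or two or more behaviours on one host, is 'high';
    a single other hit (e.g. a legitimate service install) is only 'review'."""
    levels = {}
    for host, inds in correlate(records).items():
        if "ransom_note_written" in inds or len(inds) >= 2:
            levels[host] = "high"
        else:
            levels[host] = "review"
    return levels
```

Hosts that reach "high" should be isolated from network shares first, since the bulletin notes the variant encrypts across reachable network locations.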
Recommendations for general measures to prepare for infection
- We recommend changing to an operating system that supports the latest updates.
[Server: Windows Server 2012, 2016, 2019]
[PC: Windows 10]
- Please keep up to date with operating system security updates.
- Please avoid using the IE browser, for which patches have been insufficient after security vulnerabilities were found.
- Please avoid downloading materials from unknown sources and watching/converting videos over the Internet.
White Defender Related Information
This ransomware appears to be distributed in a mix of file-based and fileless forms, and the fileless form is difficult to block with anti-virus programs that rely on general signature-based pre-detection.
Accordingly, defense should rely as much as possible on products specialized in detecting ransomware activity, such as White Defender products, and security rules should be applied, such as keeping security vulnerability updates current, backing up important data periodically, and keeping systems separated.