Rewterz Threat Alert – Sodinokibi Ransomware aka REvil Encrypting Files
January 7, 2020Rewterz Threat Alert – APT Group SideWinder
January 8, 2020Severity
High
Analysis Summary
A new version of the Clop ransomware has resulted in a few changes, the most notable being a new list of processes to kill. Prior to this version, evolutions to the ransomware included the addition of terminating processes related to enterprise software (Microsoft Exchange, SQL Server, etc) and disabling Windows Defender. Along with the aforementioned enterprise software, the most recent update to Clop ransomware includes an extensive process termination list that includes Windows 10 apps, popular text editors, debuggers, programming languages, terminal programs, and programming IDE software. The researchers note that the reasoning behind cancelling some of these services is not fully understood since they wouldn’t have associated user-created files to encrypt, but it is possible that the attackers want to ensure configuration files for these applications are encrypted. Related to the process termination, another change is that this functionality is now included in the main executable whereas before it was performed by a separate batch script. The last change is the use of a new extension appended to encrypted files, “.Cl0p,” replacing the previously used extensions “.CIop” (capital “I”) and “.Clop” (lower case “L”).
Impact
File encryption
Indicators of Compromise
MD5
ae5cb860f043caa84bf4e11cec758616
Remediation
- Block all threat indicators at your respective controls.
- Always be suspicious about emails sent by unknown senders.
- Never click on the links.attachments sent by unknown senders.