
CryptoMix Clop Ransomware Joins the Party

March 14, 2019 | Simeon Georgiev

A new variant of the CryptoMix ransomware family has appeared. The newly discovered variant shows a new behavior: it appends a .CIOP or .CLOP extension to the victim's files, which it encrypts and locks using cryptographic algorithms. The way the variant operates suggests that its operators are following a broader trend: instead of attacking individual PCs, they are targeting whole networks.

When the variant was first noticed, it was clear that the email addresses it used were being changed continuously. Likewise, the file extensions were modified repeatedly.

Currently, cybersecurity professionals are looking for any possible flaw in the ransomware that would yield a key for removal procedures. Victims who paid the ransom in exchange for a decryptor have also been asked to share the tool so it can be dissected for new insight.

The variant's sudden reappearance comes after a considerable period of time has elapsed since its past infiltrations. This time, its distribution mechanism relies on executables. These .exe files are code-signed with digital signatures, a strategy employed because it lends credibility to the executables. As a result, many IT and ransomware removal tools are unable to detect it.

According to a cybersecurity analyst, the variant has been designed to bypass operating-system settings: it can block multiple processes and services of the Windows operating system. Consequently, anti-malware tools and solutions are disabled, and the processes holding files open are terminated. Some of the services that are shut down include MySQL, SQL Server, Microsoft Exchange, and others.

Another of its distinctive tactics is the generation of a batch file named “clearnetworkdns_11-22-33.bat”. The file is configured to run as soon as the ransomware launches. It turns off the automatic startup repair tool of the Windows operating system and deletes all shadow volume copies.

The ransomware then starts encrypting the user's files. When a file has been encrypted, a .clop extension is appended to its filename. For instance, a product image named “product.jpg” stored on the PC becomes “product.jpg.clop”.

Afterward, a ransom note titled “ClopReadMe.txt” is generated and dropped. It is this ransom note that suggests the attackers have set their sights on entire networks. There has also been some speculation that the hackers are exploiting Remote Desktop Services for their breaches.
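The behaviors described above (the clearnetworkdns_11-22-33.bat batch file, deletion of shadow copies, disabling of startup repair, stopping of database and mail services, the .clop/.ciop extension and the ClopReadMe.txt note) translate directly into host-level detection indicators. The following Python script is an added example, not code from the article or from any vendor; it runs those indicators over a few constructed, Sysmon-style process-creation and file-creation event lines and only calls an outbreak when several distinct indicators co-occur, since a single renamed file is a weak signal on its own. The concrete command lines it matches (vssadmin delete shadows, bcdedit ... recoveryenabled no, net/sc stop) are an assumption: the article names only the behaviors, not the commands.

```python
"""Triage helper for the Clop indicators described in the article.

Added example: the event format, the sample events and the command-line
patterns are constructed/assumed, not taken from the article.
"""
import re
from collections import Counter

# File-based indicators named in the article.
ENCRYPTED_EXTENSIONS = (".clop", ".ciop")
RANSOM_NOTE_NAME = "clopreadme.txt"
BATCH_FILE_NAME = "clearnetworkdns_11-22-33.bat"

# Command-line patterns for the behaviors the article describes. The article
# names only the behavior (shadow copies deleted, startup repair disabled,
# MySQL/SQL Server/Exchange stopped); the concrete commands are an ASSUMPTION
# based on the usual Windows tooling for those actions.
COMMAND_PATTERNS = {
    "shadow_copy_deletion": re.compile(r"\bvssadmin(?:\.exe)?\b.*\bdelete\s+shadows\b", re.I),
    "startup_repair_disabled": re.compile(r"\bbcdedit(?:\.exe)?\b.*\brecoveryenabled\s+no\b", re.I),
    "service_stop": re.compile(r'\b(?:net|sc)(?:\.exe)?\s+stop\s+"?(?P<svc>[^"\s]+)', re.I),
}
# Service-name fragments matching the services the article lists as targets.
TARGET_SERVICE_HINTS = ("mysql", "mssql", "sql", "exchange")

# Constructed key=value event lines (Sysmon-like: EventID 1 = process create,
# EventID 11 = file create). Paths and image names are made up for the example.
SAMPLE_EVENTS = [
    'EventID=1 Image=C:\\Windows\\System32\\cmd.exe CommandLine="cmd.exe /c C:\\Users\\bob\\AppData\\Local\\Temp\\clearnetworkdns_11-22-33.bat"',
    'EventID=1 Image=C:\\Windows\\System32\\bcdedit.exe CommandLine="bcdedit /set {default} recoveryenabled no"',
    'EventID=1 Image=C:\\Windows\\System32\\vssadmin.exe CommandLine="vssadmin delete shadows /all /quiet"',
    'EventID=1 Image=C:\\Windows\\System32\\net.exe CommandLine="net stop MSSQLSERVER /y"',
    'EventID=11 Image=C:\\Users\\bob\\AppData\\Local\\Temp\\sample.exe TargetFilename=C:\\Users\\bob\\Documents\\product.jpg.clop',
    'EventID=11 Image=C:\\Users\\bob\\AppData\\Local\\Temp\\sample.exe TargetFilename=C:\\Users\\bob\\Documents\\ClopReadMe.txt',
    'EventID=11 Image=C:\\Windows\\explorer.exe TargetFilename=C:\\Users\\bob\\Downloads\\report.pdf',
]

FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_event(line):
    """Parse one key=value event line into a dict, stripping surrounding quotes."""
    return {key: value.strip('"') for key, value in FIELD_RE.findall(line)}


def classify(event):
    """Return the list of indicator names that a single parsed event matches."""
    hits = []
    target = event.get("TargetFilename", "").lower()
    cmd = event.get("CommandLine", "")
    if target.endswith(ENCRYPTED_EXTENSIONS):
        hits.append("encrypted_file")
    if target.endswith(RANSOM_NOTE_NAME):
        hits.append("ransom_note")
    if target.endswith(BATCH_FILE_NAME) or BATCH_FILE_NAME in cmd.lower():
        hits.append("clearnetworkdns_batch")
    for name, pattern in COMMAND_PATTERNS.items():
        match = pattern.search(cmd)
        if not match:
            continue
        # Only count service stops that hit the services the article names.
        if name == "service_stop":
            svc = match.group("svc").lower()
            if not any(hint in svc for hint in TARGET_SERVICE_HINTS):
                continue
        hits.append(name)
    return hits


def triage(lines, min_distinct=2):
    """Scan event lines and return (indicator counts, outbreak verdict).

    A lone .clop file or a single service stop can be benign noise, so the
    verdict requires at least `min_distinct` different indicators.
    """
    counts = Counter()
    for line in lines:
        for hit in classify(parse_event(line)):
            counts[hit] += 1
    return counts, len(counts) >= min_distinct


if __name__ == "__main__":
    counts, outbreak = triage(SAMPLE_EVENTS)
    for indicator, n in sorted(counts.items()):
        print(f"{indicator:25s} {n}")
    print("verdict:", "possible Clop activity" if outbreak else "no outbreak signal")
```

In a real deployment the same `classify` logic would be fed from the EDR or SIEM event stream rather than from a list, and the `min_distinct` threshold would be tuned so that an administrator legitimately stopping SQL Server for maintenance does not trip the alert by itself.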

Simeon Georgiev
https://www.linkedin.com/in/simeon--georgiev/
I am a Cyber Security Enthusiast from Bulgaria. I like to write about malware and ransomware and global cyber attacks. You can reach me on Twitter @sgeorgiev1995 or Email: [email protected]

© 2020 MonsterCloud.com. All Rights Reserved.