Delaware, USA – January 6, 2020 – Clop ransomware was first discovered in February 2019. This ‘spin-off’ of the CryptoMix ransomware was originally designed to attack individuals. Just a month later, the attackers turned Clop into a tool for attacks on corporate systems: before encrypting files, the malware started to terminate a number of services commonly used in large organizations, and the ransom note changed as well, offering the victims decryption of the whole network rather than of a single system. In November, the ransomware gained new features to disable Windows Defender, and adversaries began to use it actively in attacks against European organizations. Researchers attribute such rapid changes to the fact that this strain is actively used by the notorious TA505 group, which is also behind the Dridex banking trojan and the GlobeImposter ransomware. Vitali Kremez analyzed the latest version of Clop ransomware, which came into view on New Year’s Eve, and found that the attackers had once again updated the malware: it can now terminate up to 633 processes, including text editors, terminal software and newer Windows apps. The updated version also stops these processes directly, without the use of an additional Windows batch file.
The full list can be found here: https://raw.githubusercontent.com/k-vitali/
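The pre-encryption behaviour described above, a burst of terminations of everyday user applications on one host, is something a SOC can hunt for in process-exit telemetry even without the killer's identity (neither Windows event 4689 nor Sysmon Event ID 5 records which process issued the TerminateProcess call). The following is an added example written for this page, not SOC Prime's rule and not code from the Clop analysis: a sliding-window detector that raises an alert when at least N distinct watch-listed images exit on the same host within a short window. The watch list, the event records and the thresholds are all constructed for the example; the real Clop list is the one linked above and is not reproduced here.

```python
# Added example (not from SOC Prime or the Clop analysis): detect a burst of
# process terminations of ordinary user applications on a single host, the
# pattern Clop produces before encryption. Input records are a simplified,
# constructed form of Sysmon Event ID 5 (ProcessTerminate): only the fields
# the detector needs (EventID, Computer, UtcTime, Image) are kept.
from collections import deque
from datetime import datetime, timedelta

# Hypothetical watch list of image names worth alerting on. A real deployment
# would load the published Clop list and tune it to the environment.
WATCHLIST = {
    "winword.exe", "excel.exe", "outlook.exe", "notepad.exe",
    "putty.exe", "mstsc.exe", "code.exe", "sqlservr.exe",
}


def parse_ts(value):
    """Sysmon UtcTime looks like '2020-01-02 09:15:00.100'."""
    return datetime.strptime(value, "%Y-%m-%d %H:%M:%S.%f")


def image_name(path):
    """Reduce 'C:\\Program Files\\...\\WINWORD.EXE' to 'winword.exe'."""
    return path.rsplit("\\", 1)[-1].lower()


def find_termination_bursts(events, window_seconds=10, threshold=5):
    """Return one alert dict per host whenever at least `threshold` distinct
    watch-listed images terminate within `window_seconds`. After an alert the
    host's window is cleared so the same burst is reported once."""
    alerts = []
    windows = {}  # host -> deque of (timestamp, image) inside the window
    # Fixed-width, zero-padded timestamps sort correctly as strings.
    for ev in sorted(events, key=lambda e: e["UtcTime"]):
        if ev.get("EventID") != 5:
            continue  # only ProcessTerminate records matter here
        image = image_name(ev["Image"])
        if image not in WATCHLIST:
            continue
        ts = parse_ts(ev["UtcTime"])
        q = windows.setdefault(ev["Computer"], deque())
        q.append((ts, image))
        cutoff = ts - timedelta(seconds=window_seconds)
        while q and q[0][0] < cutoff:
            q.popleft()  # drop exits that fell out of the window
        distinct = {img for _, img in q}
        if len(distinct) >= threshold:
            alerts.append({
                "host": ev["Computer"],
                "start": q[0][0],
                "end": ts,
                "images": sorted(distinct),
            })
            q.clear()
    return alerts


def _ev(host, utc, image, event_id=5):
    return {"EventID": event_id, "Computer": host, "UtcTime": utc, "Image": image}


# Constructed telemetry. WS01 shows routine, widely spaced exits (no alert).
# FS02 shows seven different user applications exiting within three seconds.
SAMPLE_EVENTS = [
    _ev("WS01", "2020-01-02 09:00:01.000",
        "C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE"),
    _ev("WS01", "2020-01-02 09:03:11.000", "C:\\Windows\\System32\\notepad.exe"),
    _ev("WS01", "2020-01-02 09:07:40.000", "C:\\Program Files\\PuTTY\\putty.exe"),
    _ev("WS01", "2020-01-02 09:08:00.000", "C:\\Windows\\System32\\cmd.exe",
        event_id=1),  # a ProcessCreate record; must be ignored
]
_BURST = ["winword.exe", "excel.exe", "outlook.exe", "notepad.exe",
          "putty.exe", "mstsc.exe", "code.exe"]
for i, name in enumerate(_BURST):
    stamp = datetime(2020, 1, 2, 9, 15, 0, 100000) + timedelta(milliseconds=400 * i)
    SAMPLE_EVENTS.append(_ev("FS02", stamp.strftime("%Y-%m-%d %H:%M:%S.%f")[:-3],
                             "C:\\apps\\" + name))


if __name__ == "__main__":
    for alert in find_termination_bursts(SAMPLE_EVENTS):
        print(f"{alert['host']}: {len(alert['images'])} user apps terminated "
              f"between {alert['start'].time()} and {alert['end'].time()}: "
              f"{', '.join(alert['images'])}")
```

The detector deliberately ignores who did the killing and keys on breadth (distinct images) rather than raw count, so a single crashing application that exits repeatedly does not trip it, while a ransomware sweep across editors, terminals and Office does. Tune `threshold` and `window_seconds` against a baseline of logoff and patch-reboot activity, which also produces clustered exits.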
While continuing its ransomware attacks in Europe, the TA505 group is also updating other tools in its arsenal, including the ServHelper backdoor. The new version is used primarily in attacks targeting organizations in the United States and Canada. In addition to ServHelper, TA505 also uses Predator The Thief version 3.3.1 and a TeamViewer hijacking tool in these attacks. You can learn more about the group and its tools in the MITRE ATT&CK section of Threat Detection Marketplace: https://tdm.socprime.com/att-ck/
Teamviewer Suspicious Activity (DLL Hijacking, Network) – https://tdm.socprime.com/tdm/info/MKsAyTZHOObs/