Clop and the group’s signature malware has struck again — this time hitting a giant target in the form of German software conglomerate Software AG. The company isn’t paying a mammoth $23 million ransom (so far), and over the weekend it confirmed that the crooks were releasing company data, according to reports.
The Clop ransomware cybercriminals were able to infiltrate the company’s systems in early October. The company released a statement on October 5 publicly announcing the attack. “While services to its customers, including its cloud-based services, remain unaffected, as a result, Software AG has shut down the internal systems in a controlled manner in accordance with the company’s internal security regulations,” the statement read.
But that assessment turned out to be prematurely rosy. Just days later, the company had to admit that Clop was, in fact, able to access and download customer data. And on Saturday, it admitted that the data was being released, according to Bloomberg.
“Today, Software AG has obtained first evidence that data was downloaded from Software AG’s servers and employee notebooks,” the company said in its follow-up statement. “There are still no indications for services to the customers, including the cloud-based services, being disrupted.”
The company has shut down internal systems as a security precaution – as of the time of this writing, the effects of the cyberattack are dragging on.
“Ransomware gangs are becoming bolder and more sophisticated, going after larger and more lucrative targets with their criminal attacks,” said Saryu Nayyar, CEO at Gurucul, via email. “This recent attack against Germany’s Software AG is one of the largest ransomware attacks, but it will certainly not be the last. Even with a complete security stack and a mature security operations team, organizations can still be vulnerable. The best we can do is keep our defenses up to date, including behavioral analytics tools that can identify new attack vectors, and educate our users to reduce the attack surface.”
She added, “With little risk of punishment and potentially multi-million dollar payoffs, these attacks will continue until the equation changes.”
“Scale and clout do not make an organization immune from ransomware attacks, and often make them a more vulnerable target,” Dan Piazza, technical product manager for Stealthbits Technologies said, via email. “An organization having deep pockets means attackers will devote vast resources towards compromising them, and more employees and networks means a larger attack surface. This also shows that threat actors are more motivated than ever and feel confident requesting exorbitant sums — likely due to past successes.”
Clop has emerged as a potent ransomware threat. First discovered in Feb. 2019 by the MalwareHunterTeam, the group continues to terrorize companies with a tactic called “double extortion,” meaning it steals the data and, if its ransom demands aren’t met, the data is dumped on a criminal website for anyone to access.
Besides Software AG, Clop recently hit ExecuPharm, a biopharmaceutical company, in April. After the company refused to pay, the criminals leaked the compromised data. Other ransomware groups engage in similar tactics, including Maze, DoppelPaymer and Sodinokibi.
Just last month, the Maze gang dumped the personal information of students in Las Vegas on a shady underground forum, after the Clark County School District didn’t pay the ransom.
But Clop is distinguishing itself by going after top-flight companies, rather than the small- to midsize school districts and municipalities, which have emerged as the bread and butter of ransomware crooks everywhere.
MalwareHunterTeam shared excerpts from the ransom note sent by Clop to Software AG, which included the warm greeting, “HELLO DEAR SOFTWARE AG.” The ransom note continued more ominously, “If you refuse to cooperate, all data will be published for free download on our portal…”
Inside the Clop Malware
Researchers Alexandre Mundo and Marc Rivero Lopez at McAfee explained how Clop malware works in a recent blog post.
“The Clop ransomware is usually packed to hide its inner workings,” they wrote. “Signing a malicious binary, in this case ransomware, may trick security solutions to trust the binary and let it pass.” They also said the malware is equipped with the ability to terminate itself if it isn’t successfully installed as a service.
Once deployed, it compares the victim’s computer keyboard against hardcoded values.
“The malware checks that the layout is bigger than the value 0x0437 (Georgian), makes some calculations with the Russian language (0x0419) and with the Azerbaijan language (0x082C). This function will return 1 or 0, 1 if it belongs to Russia or another CIS country, or 0 in every other case,” Mundo and Lopez explained.
If it returns 0, the malware functions normally. If not, it fetches the entire screen context. It also determines whether the system uses a Russian character set, and if it does, the malware deletes itself. Otherwise, the malware marches on.
“This double-check circumvents users with a multisystem language, i.e. they have the Russian language installed but not active in the machine to avoid this type of malware,” they added.
Next, Clop’s ransomware creates a new thread and creates a folder entitled “Favorite” in the same folder as the malware. It will then make a dummy call that the researchers think is intended to produce an error message, and loops 666,000 times. If the malware discovers antivirus protections, it goes to sleep for five seconds, only to later continue its nefarious operation.
“The next action is to write this batch file in the same folder where the malware stays with the function ‘CreateFileA,’” they said. “The file created has the name ‘clearsystems-11-11.bat’. Later it will launch it with ‘ShellExecuteA,’ wait for five seconds to finish, and delete the file with the function ‘DeleteFileA.’”
Clop’s use of .bat files indicates to Mundo and Lopez that the authors aren’t very sophisticated programmers.
“All these actions could have been performed in the malware code itself, without the need of an external file that can be detected and removed,” they wrote.
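The create-execute-delete sequence the researchers describe leaves a short-lived file that endpoint telemetry can catch. The following is an added example, not McAfee’s or Threatpost’s code: it runs a simple correlation over constructed file events (the dropper name, paths and timestamps are made up) and flags a .bat file that is created beside the process that wrote it, executed, and deleted within a few seconds.

```python
from collections import defaultdict
from pathlib import PureWindowsPath

# File name quoted in the McAfee analysis; same-directory drops with other names are flagged too.
KNOWN_BAT = "clearsystems-11-11.bat"
WINDOW_SECONDS = 10  # the sample waits about five seconds before deleting the file

# Constructed sample telemetry (not real logs): one Clop-style chain, one benign admin script.
SAMPLE_EVENTS = [
    {"ts": 100.0, "action": "create", "image": r"C:\Users\bob\Downloads\update.exe",
     "path": r"C:\Users\bob\Downloads\clearsystems-11-11.bat"},
    {"ts": 100.2, "action": "execute", "image": r"C:\Users\bob\Downloads\update.exe",
     "path": r"C:\Users\bob\Downloads\clearsystems-11-11.bat"},
    {"ts": 105.3, "action": "delete", "image": r"C:\Users\bob\Downloads\update.exe",
     "path": r"C:\Users\bob\Downloads\clearsystems-11-11.bat"},
    {"ts": 200.0, "action": "create", "image": r"C:\Windows\System32\notepad.exe",
     "path": r"C:\Scripts\backup.bat"},
    {"ts": 900.0, "action": "execute", "image": r"C:\Windows\System32\cmd.exe",
     "path": r"C:\Scripts\backup.bat"},
]

def _parent(path):
    return PureWindowsPath(path).parent.as_posix().lower()

def find_bat_drop_chains(events, window=WINDOW_SECONDS):
    """Return one finding per .bat file created, executed and deleted within `window` seconds."""
    by_path = defaultdict(dict)
    for e in sorted(events, key=lambda e: e["ts"]):
        if e["path"].lower().endswith(".bat"):
            by_path[e["path"].lower()].setdefault(e["action"], e)  # first event of each kind
    findings = []
    for path, acts in by_path.items():
        if not {"create", "execute", "delete"} <= set(acts):
            continue
        created, executed, deleted = acts["create"], acts["execute"], acts["delete"]
        lifetime = deleted["ts"] - created["ts"]
        if not (created["ts"] <= executed["ts"] <= deleted["ts"]) or lifetime > window:
            continue
        # A .bat written next to the process that wrote it matches the described behaviour.
        same_dir = _parent(created["image"]) == _parent(path)
        name = PureWindowsPath(path).name
        findings.append({
            "path": created["path"],
            "dropper": created["image"],
            "lifetime_s": round(lifetime, 1),
            "severity": "high" if same_dir or name == KNOWN_BAT else "low",
        })
    return findings

if __name__ == "__main__":
    for finding in find_bat_drop_chains(SAMPLE_EVENTS):
        print(finding)
```

The benign script in the sample is never deleted, so it produces no finding; only the short-lived file beside its dropper is reported.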
A second version of Clop analyzed by the researchers shows an evolution of the malware, but with the same basic structure and intent.
Companies Wrangle with Clop
As Clop and other ransomware groups appear to be upping the ante on attacks, Piazza advises compromised organizations to be honest and up-front with customers about the security of their data. He points to Software AG’s Oct. 5 statement as a prime example of what not to do, arguing that overly optimistic prognostications that must be recanted later are poisonous to the customer relationship.
“Customers want to be reassured their data is safe when an organization they do business with is the victim of ransomware, however when statements need to be later walked back it ends up doing more harm to an organization’s reputation than if they hadn’t issued the statement to begin with (at least until the extent of the attack is known),” Piazza advised. “Although statements such as these are typically done with good intentions, they can still have consequences if proven wrong and sensitive data is leaked.”
Software AG has not responded to inquiries.