Skip to main content

 

Splunk Lantern

Detecting Clop ransomware

 

Clop ransomware campaigns target healthcare and other vertical sectors, and they involve the use of ransomware payloads along with exfiltration of data. Malicious actors demand payment for ransom of data and threaten deletion and exposure of exfiltrated data.

You are an analyst responsible for your organization's overall security posture. You need to be able to detect and investigate unusual activities that might relate to the Clop ransomware, including looking for file writes associated with Clop, encrypting network shares, deleting and resizing shadow volume storage, registry key modification, deleting of security logs, and more. These searches will help you detect and investigate these infections.

How to use Splunk software for this use case

Searches using the endpoint data model

To run these searches, ensure that you should also ensure you are ingesting normalized endpoint data, populating the Endpoint data model in the Common Information Model (CIM).  For information on installing and using the CIM, see the Common Information Model documentation. In addition, if you are using Sysmon, you must have at least version 6.0.4.

► Clop common exec parameter

To run this search, your deployment needs to ingest logs with the process name, parent process, and command-line executions from your endpoints. 

This search is designed to identify Clop ransomware variants which use arguments to execute their main code or a feature of their code. In these types of variant, if the parameter is runrun, Clop ransomware tries to encrypt files in network shares. If the parameter used is temp.dat, it tries to read from a stream pipe or file and start encrypting files within the infected local machines. This technique can be also identified as an anti-sandbox technique as Clop makes its code non-responsive while waiting for a parameter to execute properly.

False positives from this search may occur since operators can execute third-party tools using these parameters.

| tstats allow_old_summaries=true values("Processes.process") AS cmdline, values("Processes.parent_process_name") AS parent_process, values("Processes.process_name"), count, min(_time) AS firstTime, max(_time) AS lastTime FROM datamodel=Endpoint.Processes WHERE ("Processes.process_name"!="*temp.dat*" ("Processes.process"="*runrun*" OR "Processes.process"="*temp.dat*")) BY "Processes.parent_process_name", "Processes.process_name", "Processes.process", "Processes.dest", "Processes.user", "Processes.process_id", "Processes.process_guid" 
| rename "Processes.*" AS "*" 
| convert timeformat="%Y-%m-%dT%H:%M:%S" ctime(firstTime) 
| convert timeformat="%Y-%m-%dT%H:%M:%S" ctime(lastTime)
► Shadow copy deletion

 

To run this search, your deployment needs ingest endpoint data that tracks process activity, including parent-child relationships from your endpoints. The command-line arguments are mapped to the "process" field in the Endpoint data model. 

The vssadmin.exe utility is used to interact with the Volume Shadow Copy Service. Wmic is an interface to the Windows Management Instrumentation. This search looks for either of these tools being used to delete shadow copies.

False positives from this search may occur as vssadmin.exe and wmic.exe are standard applications shipped with modern versions of Windows and may be used by administrators to legitimately delete old backup copies, although this is typically rare.

| tstats allow_old_summaries=true count, values("Processes.process") AS process, values("Processes.parent_process") AS parent_process, min(_time) AS firstTime, max(_time) AS lastTime FROM datamodel=Endpoint.Processes WHERE (("Processes.process_name"=vssadmin.exe OR "Processes.process_name"=wmic.exe) "Processes.process"=*delete* "Processes.process"=*shadow*) BY "Processes.user", "Processes.process_name", "Processes.parent_process_name", "Processes.dest" 
| rename "Processes.*" AS "*" 
| convert timeformat="%Y-%m-%dT%H:%M:%S" ctime(firstTime) 
| convert timeformat="%Y-%m-%dT%H:%M:%S" ctime(lastTime)
► Shadow storage volume resizing

To run this search, your deployment needs to ingest logs with the process name, parent process, and command-line executions from your endpoints.

This search identifies the resizing of shadowstorage by ransomware malware, which is typically done to avoid the shadow volumes being made again. Attackers perform this technique as an alternative to deleting the shadowstorage, which is often a known ransomware alert. Clop ransomware uses this technique, where it drops a .bat file that resizes the shadowstorage to the smallest possible size.

| tstats allow_old_summaries=true values("Processes.process") AS cmdline, values("Processes.parent_process_name") AS parent_process, values("Processes.process_name") AS process_name, min(_time) AS firstTime, max(_time) AS lastTime FROM datamodel=Endpoint.Processes WHERE (("Processes.parent_process_name"="cmd.exe" OR "Processes.parent_process_name"="powershell.exe" OR "Processes.parent_process_name"="powershell_ise.exe" OR "Processes.parent_process_name"="wmic.exe") "Processes.process_name"="vssadmin.exe" "Processes.process"="*resize*" "Processes.process"="*shadowstorage*" "Processes.process"="*/maxsize*") BY "Processes.parent_process_name", "Processes.parent_process", "Processes.process_name", "Processes.process", "Processes.dest", "Processes.user", "Processes.process_id", "Processes.process_guid" 
| rename "Processes.*" AS "*" 
| convert timeformat="%Y-%m-%dT%H:%M:%S" ctime(firstTime) 
| convert timeformat="%Y-%m-%dT%H:%M:%S" ctime(lastTime)
► Suspicious wevtutil usage

To run this search, your deployment needs to ingest data that records process activity from your hosts. You must also be ingesting logs with both the process name and command line from your endpoints. 

The wevtutil.exe application is the windows event log utility. This search looks for wevtutil.exe with parameters for clearing the application, security, setup, or system event logs.

False positives from this search may occur since the wevtutil.exe application is a legitimate Windows event log utility and administrators may use it to manage Windows event logs.

| tstats allow_old_summaries=true values("Processes.process") AS process, min(_time) AS firstTime, max(_time) AS lastTime FROM datamodel=Endpoint.Processes WHERE ("Processes.process_name"=wevtutil.exe "Processes.process"="*cl*" ("Processes.process"="*System*" OR "Processes.process"="*Security*" OR "Processes.process"="*Setup*" OR "Processes.process"="*Application*")) BY "Processes.process_name", "Processes.parent_process_name", "Processes.dest", "Processes.user" 
| rename "Processes.*" AS "*" 
| convert timeformat="%Y-%m-%dT%H:%M:%S" ctime(firstTime) 
| convert timeformat="%Y-%m-%dT%H:%M:%S" ctime(lastTime)

Additional searches

Some commands, parameters, and field names in the searches below might need to be adjusted to match your environment. In addition, to optimize the searches shown below, you should specify an index and a time range when appropriate.

► Clop known service name

 

To run this search, your deployment needs to ingest logs with the Service name, Service File Name Service Start type, and Service Type from your endpoints.

This search is designed to identify the common service name created by Clop ransomware as part of its persistence and high privilege code execution in the infected machine. Usually Clop ransomware uses theStartServiceCtrlDispatcherW API in creating this service entry.

| search (EventCode=7045 eventtype=wineventlog_system (Service_Name="SecurityCenterIBM" OR Service_Name="WinCheckDRVs")) 
| stats count min(_time) AS firstTime max(_time) AS lastTime BY EventCode Service_File_Name Service_Name Service_Start_Type Service_Type 
| convert timeformat="%Y-%m-%dT%H:%M:%S" ctime(firstTime) 
| convert timeformat="%Y-%m-%dT%H:%M:%S" ctime(lastTime)
► Service creation in suspicious file path

 

To run this search, your deployment needs to ingest logs with the Service name, Service File Name Service Start type, and Service Type from your endpoints.

This search is designed to identify a creation of user mode service where the service file path is located in a non-common service folder in windows.

| search (EventCode=7045 eventtype=wineventlog_system (Service_Name="SecurityCenterIBM" OR Service_Name="WinCheckDRVs")) 
| stats count min(_time) AS firstTime max(_time) AS lastTime BY EventCode Service_File_Name Service_Name Service_Start_Type Service_Type 
| convert timeformat="%Y-%m-%dT%H:%M:%S" ctime(firstTime) 
| convert timeformat="%Y-%m-%dT%H:%M:%S" ctime(lastTime)
► High file deletion frequency

 

To run this search, your deployment needs to ingest logs with the deleted target file name, process name, and process ID from your endpoints.

This search looks for a high frequency of file deletion relative to process name and process ID. These events usually happen when ransomware tries to encrypt files with ransomware file extensions and Sysmon treats the original files to be deleted, as soon they are replaced, as encrypted data.

False positives from this search may occur as legitimate users may delete a lot of pictures or files in a folder at once.

| search (EventCode=23 (source=XmlWinEventLog:Microsoft-Windows-Sysmon/Operational OR sourcetype=XmlWinEventLog:Microsoft-Windows-Sysmon/Operational) (TargetFilename="*\.7z" OR TargetFilename="*\.bmp" OR TargetFilename="*\.chm" OR TargetFilename="*\.cmd" OR TargetFilename="*\.db" OR TargetFilename="*\.doc*" OR TargetFilename="*\.gif" OR TargetFilename="*\.ini" OR TargetFilename="*\.jpeg" OR TargetFilename="*\.jpg" OR TargetFilename="*\.js" OR TargetFilename="*\.log" OR TargetFilename="*\.png" OR TargetFilename="*\.ppt*" OR TargetFilename="*\.ps1" OR TargetFilename="*\.rar" OR TargetFilename="*\.vbs" OR TargetFilename="*\.xls*" OR TargetFilename="*\.zip"))
| stats values(TargetFilename) AS deleted_files min(_time) AS firstTime max(_time) AS lastTime count BY Computer user EventCode Image ProcessID
| where (count >= 100)
| convert timeformat="%Y-%m-%dT%H:%M:%S" ctime(firstTime)
| convert timeformat="%Y-%m-%dT%H:%M:%S" ctime(lastTime)

Need more help with this search? Click here.

► High process termination frequency

To run this search, your deployment needs to ingest logs with the image (process full path) of terminated process from your endpoints.

This search looks for a high frequency of process termination on a machine, which is a common behavior of ransomware malware before encrypting files. This technique is designed to avoid an exception error while accessing files in the infected machine for encryption.

False positives from this search may occur as legitimate users may terminate multiple processes at once. 

| search (EventCode=5 (source=XmlWinEventLog:Microsoft-Windows-Sysmon/Operational OR sourcetype=XmlWinEventLog:Microsoft-Windows-Sysmon/Operational))
| bin _time span=3s
| stats values(Image) AS proc_terminated min(_time) AS firstTime max(_time) AS lastTime count BY Computer EventCode ProcessID
| where (count >= 15)
| convert timeformat="%Y-%m-%dT%H:%M:%S" ctime(firstTime)
| convert timeformat="%Y-%m-%dT%H:%M:%S" ctime(lastTime)

Need more help with this search? Click here.

► Process deleting its process file path

This search looks for a suspicious process that tries to delete the process file path related to its process, a defense evasion technique. Clop ransomware uses this technique using a .bat command if the keyboard layout is not the layout it tries to infect.

| search (EventCode=1 Image="*\\cmd.exe" cmdline="*/c del*" (source=XmlWinEventLog:Microsoft-Windows-Sysmon/Operational OR sourcetype=XmlWinEventLog:Microsoft-Windows-Sysmon/Operational)) 
| eval result=if(like(process,(("%" . parent_process) . "%")),"Found","Not Found")
| search result=CASE("Found") 
| stats min(_time) AS firstTime max(_time) AS lastTime count BY Computer user ParentImage ParentCommandLine Image cmdline EventCode ProcessID result 
| where (result == "Found") 
| convert timeformat="%Y-%m-%dT%H:%M:%S" ctime(firstTime) 
| convert timeformat="%Y-%m-%dT%H:%M:%S" ctime(lastTime)
► Bulk creation of ransomware notes

This search looks for instances where a large number of ransomware notes are files created in the infected machine. These notes often have file extensions of .txt, .html, or .hta.

| search (EventCode=11 (source=XmlWinEventLog:Microsoft-Windows-Sysmon/Operational OR sourcetype=XmlWinEventLog:Microsoft-Windows-Sysmon/Operational) (file_name="*\.hta" OR file_name="*\.html" OR file_name="*\.txt"))
| stats min(_time) AS firstTime max(_time) AS lastTime dc(TargetFilename) AS unique_readme_path_count values(TargetFilename) AS list_of_readme_path BY Computer Image file_name
| where (unique_readme_path_count >= 50)
| convert timeformat="%Y-%m-%dT%H:%M:%S" ctime(firstTime)
| convert timeformat="%Y-%m-%dT%H:%M:%S" ctime(lastTime)

Need more help with this search? Click here.

► Windows event log cleared

 

 

To run this search, your deployment needs to ingest Windows event logs from your hosts.

This search looks for Windows events that indicate one of the Windows event logs has been purged.

False positives from this search may occur since it is possible that these logs may be legitimately cleared by administrators.

| search ((EventCode=104 eventtype=wineventlog_system) OR (eventtype=wineventlog_security (EventCode=1100 OR EventCode=1102))) 
| stats count min(_time) AS firstTime max(_time) AS lastTime BY EventCode dest 
| convert timeformat="%Y-%m-%dT%H:%M:%S" ctime(firstTime) 
| convert timeformat="%Y-%m-%dT%H:%M:%S" ctime(lastTime)

Next steps

The content in this article comes from Splunk Enterprise Security (ES). As a Splunk premium security solution, ES solves a wide range of security analytics and operations use cases including continuous security monitoring, advanced threat detection, compliance, incident investigation, forensics and incident response. Splunk ES delivers an end-to-end view of an organization's security posture with flexible investigations, unmatched performance, and the most flexible deployment options offered in the cloud, on-premises, or hybrid deployment models. If you have questions about this use case, see the Security Research team's support options on GitHub.

In addition, these Splunk resources might help you understand and implement this use case:Use case: Detecting ransomware attacks

Still need help with this use case? Most customers have OnDemand Services per their license support plan. Engage the ODS team at OnDemand-Inquires@splunk.com if you require assistance.