Detecting Clop ransomware

Searches using the endpoint data model

► Clop common exec parameter

To run this search, your deployment needs to ingest logs with the process name, parent process, and command-line executions from your endpoints. 

This search is designed to identify Clop ransomware variants which use arguments to execute their main code or a feature of their code. In these types of variant, if the parameter is runrun, Clop ransomware tries to encrypt files in network shares. If the parameter used is temp.dat, it tries to read from a stream pipe or file and start encrypting files within the infected local machines. This technique can be also identified as an anti-sandbox technique as Clop makes its code non-responsive while waiting for a parameter to execute properly.

False positives from this search may occur since operators can execute third-party tools using these parameters.

| tstats allow_old_summaries=true values("Processes.process") AS cmdline, values("Processes.parent_process_name") AS parent_process, values("Processes.process_name"), count, min(_time) AS firstTime, max(_time) AS lastTime FROM datamodel=Endpoint.Processes WHERE ("Processes.process_name"!="*temp.dat*" ("Processes.process"="*runrun*" OR "Processes.process"="*temp.dat*")) BY "Processes.parent_process_name", "Processes.process_name", "Processes.process", "Processes.dest", "Processes.user", "Processes.process_id", "Processes.process_guid" 
| rename "Processes.*" AS "*" 
| convert timeformat="%Y-%m-%dT%H:%M:%S" ctime(firstTime) 
| convert timeformat="%Y-%m-%dT%H:%M:%S" ctime(lastTime)

► Shadow copy deletion

 

To run this search, your deployment needs ingest endpoint data that tracks process activity, including parent-child relationships from your endpoints. The command-line arguments are mapped to the "process" field in the Endpoint data model. 

The vssadmin.exe utility is used to interact with the Volume Shadow Copy Service. Wmic is an interface to the Windows Management Instrumentation. This search looks for either of these tools being used to delete shadow copies.

False positives from this search may occur as vssadmin.exe and wmic.exe are standard applications shipped with modern versions of Windows and may be used by administrators to legitimately delete old backup copies, although this is typically rare.

| tstats allow_old_summaries=true count, values("Processes.process") AS process, values("Processes.parent_process") AS parent_process, min(_time) AS firstTime, max(_time) AS lastTime FROM datamodel=Endpoint.Processes WHERE (("Processes.process_name"=vssadmin.exe OR "Processes.process_name"=wmic.exe) "Processes.process"=*delete* "Processes.process"=*shadow*) BY "Processes.user", "Processes.process_name", "Processes.parent_process_name", "Processes.dest" 
| rename "Processes.*" AS "*" 
| convert timeformat="%Y-%m-%dT%H:%M:%S" ctime(firstTime) 
| convert timeformat="%Y-%m-%dT%H:%M:%S" ctime(lastTime)

► Shadow storage volume resizing

To run this search, your deployment needs to ingest logs with the process name, parent process, and command-line executions from your endpoints.

This search identifies the resizing of shadowstorage by ransomware malware, which is typically done to avoid the shadow volumes being made again. Attackers perform this technique as an alternative to deleting the shadowstorage, which is often a known ransomware alert. Clop ransomware uses this technique, where it drops a .bat file that resizes the shadowstorage to the smallest possible size.

| tstats allow_old_summaries=true values("Processes.process") AS cmdline, values("Processes.parent_process_name") AS parent_process, values("Processes.process_name") AS process_name, min(_time) AS firstTime, max(_time) AS lastTime FROM datamodel=Endpoint.Processes WHERE (("Processes.parent_process_name"="cmd.exe" OR "Processes.parent_process_name"="powershell.exe" OR "Processes.parent_process_name"="powershell_ise.exe" OR "Processes.parent_process_name"="wmic.exe") "Processes.process_name"="vssadmin.exe" "Processes.process"="*resize*" "Processes.process"="*shadowstorage*" "Processes.process"="*/maxsize*") BY "Processes.parent_process_name", "Processes.parent_process", "Processes.process_name", "Processes.process", "Processes.dest", "Processes.user", "Processes.process_id", "Processes.process_guid" 
| rename "Processes.*" AS "*" 
| convert timeformat="%Y-%m-%dT%H:%M:%S" ctime(firstTime) 
| convert timeformat="%Y-%m-%dT%H:%M:%S" ctime(lastTime)

► Suspicious wevtutil usage

To run this search, your deployment needs to ingest data that records process activity from your hosts. You must also be ingesting logs with both the process name and command line from your endpoints. 

The wevtutil.exe application is the windows event log utility. This search looks for wevtutil.exe with parameters for clearing the application, security, setup, or system event logs.

False positives from this search may occur since the wevtutil.exe application is a legitimate Windows event log utility and administrators may use it to manage Windows event logs.

| tstats allow_old_summaries=true values("Processes.process") AS process, min(_time) AS firstTime, max(_time) AS lastTime FROM datamodel=Endpoint.Processes WHERE ("Processes.process_name"=wevtutil.exe "Processes.process"="*cl*" ("Processes.process"="*System*" OR "Processes.process"="*Security*" OR "Processes.process"="*Setup*" OR "Processes.process"="*Application*")) BY "Processes.process_name", "Processes.parent_process_name", "Processes.dest", "Processes.user" 
| rename "Processes.*" AS "*" 
| convert timeformat="%Y-%m-%dT%H:%M:%S" ctime(firstTime) 
| convert timeformat="%Y-%m-%dT%H:%M:%S" ctime(lastTime)

Additional searches

► Clop known service name

 

To run this search, your deployment needs to ingest logs with the Service name, Service File Name Service Start type, and Service Type from your endpoints.

This search is designed to identify the common service name created by Clop ransomware as part of its persistence and high privilege code execution in the infected machine. Usually Clop ransomware uses theStartServiceCtrlDispatcherW API in creating this service entry.

| search (EventCode=7045 eventtype=wineventlog_system (Service_Name="SecurityCenterIBM" OR Service_Name="WinCheckDRVs")) 
| stats count min(_time) AS firstTime max(_time) AS lastTime BY EventCode Service_File_Name Service_Name Service_Start_Type Service_Type 
| convert timeformat="%Y-%m-%dT%H:%M:%S" ctime(firstTime) 
| convert timeformat="%Y-%m-%dT%H:%M:%S" ctime(lastTime)

► Service creation in suspicious file path

 

To run this search, your deployment needs to ingest logs with the Service name, Service File Name Service Start type, and Service Type from your endpoints.

This search is designed to identify a creation of user mode service where the service file path is located in a non-common service folder in windows.

| search (EventCode=7045 eventtype=wineventlog_system (Service_Name="SecurityCenterIBM" OR Service_Name="WinCheckDRVs")) 
| stats count min(_time) AS firstTime max(_time) AS lastTime BY EventCode Service_File_Name Service_Name Service_Start_Type Service_Type 
| convert timeformat="%Y-%m-%dT%H:%M:%S" ctime(firstTime) 
| convert timeformat="%Y-%m-%dT%H:%M:%S" ctime(lastTime)

► High file deletion frequency

 

To run this search, your deployment needs to ingest logs with the deleted target file name, process name, and process ID from your endpoints.

This search looks for a high frequency of file deletion relative to process name and process ID. These events usually happen when ransomware tries to encrypt files with ransomware file extensions and Sysmon treats the original files to be deleted, as soon they are replaced, as encrypted data.

False positives from this search may occur as legitimate users may delete a lot of pictures or files in a folder at once.

| search (EventCode=23 (source=XmlWinEventLog:Microsoft-Windows-Sysmon/Operational OR sourcetype=XmlWinEventLog:Microsoft-Windows-Sysmon/Operational) (TargetFilename="*\.7z" OR TargetFilename="*\.bmp" OR TargetFilename="*\.chm" OR TargetFilename="*\.cmd" OR TargetFilename="*\.db" OR TargetFilename="*\.doc*" OR TargetFilename="*\.gif" OR TargetFilename="*\.ini" OR TargetFilename="*\.jpeg" OR TargetFilename="*\.jpg" OR TargetFilename="*\.js" OR TargetFilename="*\.log" OR TargetFilename="*\.png" OR TargetFilename="*\.ppt*" OR TargetFilename="*\.ps1" OR TargetFilename="*\.rar" OR TargetFilename="*\.vbs" OR TargetFilename="*\.xls*" OR TargetFilename="*\.zip"))
| stats values(TargetFilename) AS deleted_files min(_time) AS firstTime max(_time) AS lastTime count BY Computer user EventCode Image ProcessID
| where (count >= 100)
| convert timeformat="%Y-%m-%dT%H:%M:%S" ctime(firstTime)
| convert timeformat="%Y-%m-%dT%H:%M:%S" ctime(lastTime)

Need more help with this search? Click here.

► High process termination frequency

To run this search, your deployment needs to ingest logs with the image (process full path) of terminated process from your endpoints.

This search looks for a high frequency of process termination on a machine, which is a common behavior of ransomware malware before encrypting files. This technique is designed to avoid an exception error while accessing files in the infected machine for encryption.

False positives from this search may occur as legitimate users may terminate multiple processes at once. 

| search (EventCode=5 (source=XmlWinEventLog:Microsoft-Windows-Sysmon/Operational OR sourcetype=XmlWinEventLog:Microsoft-Windows-Sysmon/Operational))
| bin _time span=3s
| stats values(Image) AS proc_terminated min(_time) AS firstTime max(_time) AS lastTime count BY Computer EventCode ProcessID
| where (count >= 15)
| convert timeformat="%Y-%m-%dT%H:%M:%S" ctime(firstTime)
| convert timeformat="%Y-%m-%dT%H:%M:%S" ctime(lastTime)

Need more help with this search? Click here.

► Process deleting its process file path

This search looks for a suspicious process that tries to delete the process file path related to its process, a defense evasion technique. Clop ransomware uses this technique using a .bat command if the keyboard layout is not the layout it tries to infect.

| search (EventCode=1 Image="*\\cmd.exe" cmdline="*/c del*" (source=XmlWinEventLog:Microsoft-Windows-Sysmon/Operational OR sourcetype=XmlWinEventLog:Microsoft-Windows-Sysmon/Operational)) 
| eval result=if(like(process,(("%" . parent_process) . "%")),"Found","Not Found")
| search result=CASE("Found") 
| stats min(_time) AS firstTime max(_time) AS lastTime count BY Computer user ParentImage ParentCommandLine Image cmdline EventCode ProcessID result 
| where (result == "Found") 
| convert timeformat="%Y-%m-%dT%H:%M:%S" ctime(firstTime) 
| convert timeformat="%Y-%m-%dT%H:%M:%S" ctime(lastTime)

► Bulk creation of ransomware notes

This search looks for instances where a large number of ransomware notes are files created in the infected machine. These notes often have file extensions of .txt, .html, or .hta.

| search (EventCode=11 (source=XmlWinEventLog:Microsoft-Windows-Sysmon/Operational OR sourcetype=XmlWinEventLog:Microsoft-Windows-Sysmon/Operational) (file_name="*\.hta" OR file_name="*\.html" OR file_name="*\.txt"))
| stats min(_time) AS firstTime max(_time) AS lastTime dc(TargetFilename) AS unique_readme_path_count values(TargetFilename) AS list_of_readme_path BY Computer Image file_name
| where (unique_readme_path_count >= 50)
| convert timeformat="%Y-%m-%dT%H:%M:%S" ctime(firstTime)
| convert timeformat="%Y-%m-%dT%H:%M:%S" ctime(lastTime)

Need more help with this search? Click here.

► Windows event log cleared

 

 

To run this search, your deployment needs to ingest Microsoft Windows event logs from your hosts.

This search looks for Windows events that indicate one of the Windows event logs has been purged.

False positives from this search may occur since it is possible that these logs may be legitimately cleared by administrators.

| search ((EventCode=104 eventtype=wineventlog_system) OR (eventtype=wineventlog_security (EventCode=1100 OR EventCode=1102))) 
| stats count min(_time) AS firstTime max(_time) AS lastTime BY EventCode dest 
| convert timeformat="%Y-%m-%dT%H:%M:%S" ctime(firstTime) 
| convert timeformat="%Y-%m-%dT%H:%M:%S" ctime(lastTime)