Cl0p Ransomware Attack Demo

Juniper Threat Labs Security

What it takes to stop Cl0p ransomware attacks cold.

Cl0p is a particularly aggressive ransomware attack method—unless you take action to protect your organization. Watch along for key information about Cl0p from the experts at Juniper Threat Labs, and learn how to stop it from penetrating your network using Juniper Networks’ Connected Security solutions.


You’ll learn

  • Who is behind Cl0p ransomware attacks

  • How a Cl0p ransomware attack is conducted

  • Steps you can take to protect your network

Who is this for?

Security Professionals, Network Professionals

Transcript

0:00 Welcome to the Juniper Threat Labs attack demo series. Today's subject is Cl0p ransomware. Following a brief description of Cl0p ransomware and the gang behind it, this video will demonstrate how malicious threat actors conduct a Cl0p ransomware attack. Afterward, we'll show you how Juniper customers can protect themselves.

0:16 Cl0p ransomware comes from a Russian-speaking threat actor group that bears the same name. First identified in 2019, these malicious threat actors have their ransomware sights set on large companies in North America, Latin America, Europe and Asia. As of July 2023, the Cl0p ransomware gang has been linked to attacks on over 400 organizations, including U.S. banks, healthcare organizations and universities. In fact, the US government recently offered a 10 million bounty for information leading to the arrest and conviction of the Cl0p ransomware gang.

0:50 In May 2023, the Cl0p ransomware gang began exploiting a vulnerability in Progress Software's managed file transfer solution, MOVEit Transfer. This vulnerability, CVE-2023-34362, is an SQL injection vulnerability that can be exploited to execute arbitrary code on the target server. Exploiting this vulnerability, the Cl0p ransomware gang has been gaining access to Internet-facing MOVEit managed file transfer web applications. After gaining access, attackers plant a web shell on the target server. The web shell is a malicious web app hosted by the victim to which the attacker connects in order to remotely control that target server. The Cl0p ransomware gang then uses the web shell to steal data from the target server and subsequently deploy the Cl0p ransomware, making their system unusable without a ransom.

1:39 The Cl0p ransomware gang is a sophisticated and well-funded group of attackers. They are constantly evolving their attack methods. Cl0p ransomware employs an arsenal of diverse malware tools, including the FlawedAmmyy RAT, TrueBot, SDBot, Cobalt Strike and web shells. As we mentioned earlier, the group's operational history traces back to 2019. The Cl0p gang, which is either related to or includes two other cybercriminal gangs, TA505 and FIN11, typically victimizes their targets through extensive spear phishing campaigns as their primary attack vector and then attacking known or unknown software vulnerabilities. During 2020 and 2021, they shifted their focus to exploiting Accellion FTA servers and deploying the DEWMODE web shell. In January 2023, the group was observed exploiting GoAnywhere MFT and enabling remote code execution. Most recently, they've been targeting MOVEit managed file transfer sites, as we mentioned earlier, and installing the LEMURLOOT web shell.

2:35 For the purpose of this demonstration, we're diving into the post-exploitation phase. We're therefore already assuming the presence of an already established web shell on the victim that is remotely accessible to the malicious threat actor. With the web shell in place, and acting as the attacker, we will utilize the web shell to initiate the download and installation of Cl0p ransomware, which will encrypt all the files on the infected system. Alright, let's get started.

3:01 Here we have a Kali Linux machine that belongs to the attacker, and from here we will further assume that this attacker can access the target victim server at IP address 192.168.206.145, where the malicious web shell has already been successfully installed following exploitation. Acting as the attacker, we're connecting to this web shell through the browser to the victim whose IP address ends in 145. As you will see, once connected, we will execute a PowerShell command to download and install the Cl0p ransomware file clop.exe, which, once installed, encrypts the victim's files.

3:34 Okay, the attacker on the Kali Linux PC is now connected to the web shell installed on the victim's PC. To provide a clearer visual representation of what is happening under the covers, so to speak, we're running Wireshark on the victim's Windows PC.

3:49 To this point, the attacker at the IP address ending in 140 has requested and received the web shell, as you saw on the browser moments ago. Back on the attacker's PC, we are hosting the malicious ransomware file clop.exe. We'll start a web server on the attacker such that we can direct the victim through the web shell to download and install clop.exe.

4:14 The attacker, having confirmed that the web server is running and that the Cl0p ransomware is readily available, returns to the web shell. The malicious threat actor then uses a PowerShell command that directs the victim PC to retrieve and install the Cl0p ransomware.

4:33 As you can see, the victim's machine at 192.168.206.145 was manipulated through the web shell connection by the attacker to register a GET request for clop.exe. Inspecting Wireshark logs on the target victim's PC, we see that the malicious file clop.exe has been successfully downloaded. Using the Process Monitor, we can verify that the ransomware was not just downloaded but executed as well.

5:03 At this stage, Cl0p is utilizing a significant amount of CPU as it is busy encrypting files. We can verify that many of the files are already encrypted, as the ransomware adds a .Clop extension to each encrypted file.

5:30 We can open such files, verifying that the contents are unreadable. Unencrypted, in its normal form, this JavaScript file would contain human-readable text.

5:42 For each folder, Cl0p also adds a ransom note, ClopReadMe.txt. Details about contacting the attackers to obtain the keys, and how the victim restores his, her or their files, are provided in these readme files.

6:06 Let's now look and see whether or not this attack works successfully with a Juniper SRX firewall enhanced with protection from Juniper's cloud-based advanced anti-malware solution, Juniper ATP. For this part of the demo, Juniper Threat Labs is using the following setup. We have a vSRX, pictured in the center. The vSRX is a virtual SRX firewall providing network security protection. Its purpose is to inspect network traffic and, with the assistance of Juniper ATP Cloud, to detect malware like Cl0p ransomware. In addition to the virtual firewall and the cloud-based protections, we are using Juniper Security Director, which is a centralized management system. Security Director facilitates our configuring and monitoring of the vSRX firewall, and we are using Juniper's Policy Enforcer as well. Juniper's Policy Enforcer enforces security policies on endpoints and ensures they comply with corporate security standards. Pictured as well are several Windows workstations, each of which is connected to the vSRX, and finally there is an Ubuntu server which is acting as the malware download server.

7:08 Before we proceed and run the Cl0p ransomware attack simulation with protection provided by Juniper's Connected Security solutions, let's first take a look at the threat prevention policy that we've set up on our Security Director and applied to the vSRX. To access the policy, we'll navigate to the Configure tab and select Threat Prevention and Policies. As you can see, we already have an existing policy in place. Let's further inspect the protections being enforced by the applied policy.

7:34 So for the demo, our policy is configured to block command and control traffic at threat level 7 and above, and we've also set it to block infected hosts at level 8 and above. Additionally, we've configured our policy to use ATP Cloud for malware detection. As you can see, we've elected to scan HTTP downloads. Finally, we've chosen to block any and all threats rated at level seven and above.

7:57 This threat prevention policy applied to the Juniper vSRX firewall is a critical component of our defenses, protecting our systems against malware-related attacks, including malicious Cl0p ransomware. It allows us to detect and block malicious traffic as well as the activity of potentially infected hosts, which will then prevent the spread of malware across our network in the event that one of our systems gets compromised.

8:20 Acting as would-be malicious threat actors for the demo, let's now proceed in launching the attack with Juniper Connected Security solutions in place. So to begin, we connect to the already installed web shell running on the target victim server at 100.123.32.3. Next, we run the PowerShell command in the web shell that attempts to download the Cl0p ransomware before launching it on the victim server.

8:50 Looking at Wireshark on the intended victim's machine, we see the POST request from the attacker when he entered the PowerShell command into the web shell, but that is all we see. We see no reply from our would-be victim, at least no reply just yet.

9:04 So anyhow, after a short period of time following the attempted attack, it displays an error which reads "unable to connect to the remote server". In this case, the quote-unquote remote server is the malware server, malware.vault101.com. Looking again at Wireshark on the would-be victim's machine, we finally do see the same error.

9:34 So what happened? What happened was that the Juniper vSRX with ATP was able to detect and block the attempted download of the Cl0p ransomware. We can go back to our Security Director to find more details about this blocked Cl0p ransomware attack. Under the HTTP Download tab, we can see information about the detected malware, including the threat level, hash and URL associated with the malware.

10:06 Switching from Security Director to ATP Cloud, we can click on the file signature or hash to see more details. These details include a static analysis of the malware that shows you different types of information collected by analyzing the static properties of the file when it's not being run.

10:25 Juniper additionally provides behavior analysis, which includes information collected as a result of running the malware in a sandbox. We can see network activity and behavior details, including processes that would have been spawned, as well as information about this malicious threat related to the MITRE ATT&CK framework.

10:57 It is important to note that Juniper ATP identifies whether a file is a threat or not using machine learning as well as the information just discussed, thus without the need for any signatures.

11:13 Now we switch back to Security Director. Note that while the attack was unsuccessful, recall that the security policy being enforced on the vSRX blocks host network activity when it detects threats at level 8 and above. This host, then, is now disconnected temporarily from the network. Security Director is informing the admin that this host or server appears to have attempted to download malware, i.e. Cl0p ransomware, which has a threat level of 10.

11:44 We can confirm that this host is temporarily blocked from network usage by attempting to browse the internet. You'll see that the user cannot do much, at least right now. Thus, if there was more going on than the isolated unsuccessful attack, the rest of the network would be protected.

12:05 Once the admin is sure that the host or server is indeed free from infection, she can first select the host and then, under the Investigation Status section, she can select "Resolved Fixed", which changes the status of this host to Clean. After a few moments, this host will be able to resume network usage. We can verify that once again just by browsing the net.

12:52 That completes our demo of Cl0p ransomware. Check out more videos from the Juniper Threat Labs attack demo series by visiting juniper.net. Thanks for watching.
