CryptoMix Clop Ransomware Variant Targets Not Individual Machines But Whole Networks

Last week, researchers from MalwareHunterTeam detected a new variant of the CryptoMix ransomware that appends a .clop or .ciop extension to encrypted files. The alarming aspect of this discovery is that the ransomware targets entire networks rather than individual computers, a departure from what is usual for such ransomware.

This new variant attacks the network via executables that have been code-signed with a digital signature, which lends the executables an appearance of legitimacy. Researchers speculate that this variant may first stop Windows services and processes such as Microsoft Exchange, Microsoft SQL Server and MySQL, in order to disable antivirus software and to close any open files so that they are ready for encryption.

If reports from BleepingComputer are to be believed, be wary of a batch file named ‘clearnetworkdns_11-22-33.bat’, which the ransomware creates as soon as it is launched.

“This batch file will disable Windows's automatic startup repair, remove shadow volume copies, and then resize them in order to clear orphaned shadow volume copies,” BleepingComputer reported. Also, this ransomware leaves behind a ransom note called ‘CIopReadMe.txt’. “All files on each host in the networks have been encrypted with a strong algorithm. Backups were either encrypted or deleted or backup disks were formatted. Shadow copies also removed, so F-8 or any other methods may damage encrypted data but not recover. We exclusively have decryption software for your situation. No DECRYPTION software is AVAILABLE in the public,” the ransom note read.
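As an added illustration (not code from the article or from BleepingComputer's report), the following Python script scans constructed process-creation log lines for the behaviours attributed to the batch file above: the batch file name, shadow copy removal, shadow storage resizing and disabled startup repair. The concrete commands it matches (vssadmin delete shadows, vssadmin resize shadowstorage, bcdedit recoveryenabled) are an assumption about how such a batch file would typically do what the text describes; the page itself does not list them.

```python
import re

# Constructed sample log (not from the page), one process-creation event per line:
# pid,parent_image,image,command_line
SAMPLE_LOG = """\
4120,explorer.exe,C:\\Windows\\System32\\notepad.exe,notepad.exe report.txt
5002,unknown.exe,C:\\Windows\\System32\\cmd.exe,cmd.exe /c C:\\Users\\Public\\clearnetworkdns_11-22-33.bat
5010,cmd.exe,C:\\Windows\\System32\\vssadmin.exe,vssadmin.exe Delete Shadows /All /Quiet
5011,cmd.exe,C:\\Windows\\System32\\vssadmin.exe,vssadmin.exe resize shadowstorage /for=C: /on=C: /maxsize=401MB
5012,cmd.exe,C:\\Windows\\System32\\bcdedit.exe,bcdedit.exe /set {default} recoveryenabled No
5020,explorer.exe,C:\\Windows\\System32\\vssadmin.exe,vssadmin.exe list shadows
"""

# Detection rules: (name, regex applied to the command line). The command forms are
# assumed typical implementations of the behaviours the article describes.
RULES = [
    ("clop_batch_file", re.compile(r"clearnetworkdns_[\d-]+\.bat", re.I)),
    ("shadow_copy_deletion", re.compile(r"vssadmin(\.exe)?\s+delete\s+shadows", re.I)),
    ("shadow_storage_resize", re.compile(r"vssadmin(\.exe)?\s+resize\s+shadowstorage", re.I)),
    ("startup_repair_disabled", re.compile(r"bcdedit(\.exe)?.*recoveryenabled\s+no", re.I)),
]


def parse_line(line):
    """Split one CSV-style event; the command line may itself contain commas, so split at most 3 times."""
    pid, parent, image, cmdline = line.split(",", 3)
    return {"pid": int(pid), "parent": parent, "image": image, "cmdline": cmdline}


def scan_log(text):
    """Return (pid, rule_name) for every event whose command line matches a rule."""
    hits = []
    for raw in text.splitlines():
        if not raw.strip():
            continue
        event = parse_line(raw)
        for name, pattern in RULES:
            if pattern.search(event["cmdline"]):
                hits.append((event["pid"], name))
    return hits


def distinct_behaviours(hits):
    """Number of distinct rule categories seen; several together is a far stronger signal than one alone."""
    return len({name for _, name in hits})


if __name__ == "__main__":
    hits = scan_log(SAMPLE_LOG)
    for pid, name in hits:
        print(f"pid {pid}: {name}")
    print("distinct behaviours:", distinct_behaviours(hits))
```

A benign `vssadmin list shadows` in the sample deliberately does not fire, which is why the rules match the verb rather than the tool name alone.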