Analytics Story: Clop Ransomware

Description

Leverage searches that allow you to detect and investigate unusual activities that might relate to the Clop ransomware, including looking for file writes associated with Clop, encryption of network shares, deletion and resizing of shadow volume storage, registry key modification, deletion of security logs, and more.

Why it matters

Clop ransomware campaigns targeting healthcare and other vertical sectors involve the use of ransomware payloads along with exfiltration of data, per the HHS bulletin. Malicious actors demand payment for the ransom of data and threaten deletion and exposure of the exfiltrated data.

Detections

Name | Technique | Type
Clop Common Exec Parameter | User Execution | TTP
Clop Ransomware Known Service Name | Create or Modify System Process | TTP
Common Ransomware Extensions | Data Destruction | Hunting
Common Ransomware Notes | Data Destruction | Hunting
Deleting Shadow Copies | Inhibit System Recovery | TTP
High Process Termination Frequency | Data Encrypted for Impact | Anomaly
Process Deleting Its Process File Path | Indicator Removal | TTP
Ransomware Notes bulk creation | Data Encrypted for Impact | Anomaly
Resize ShadowStorage volume | Inhibit System Recovery | TTP
Suspicious Event Log Service Behavior | Indicator Removal, Clear Windows Event Logs | Hunting
Suspicious wevtutil Usage | Clear Windows Event Logs, Indicator Removal | TTP
Windows Event Log Cleared | Indicator Removal, Clear Windows Event Logs | TTP
Windows High File Deletion Frequency | Data Destruction | Anomaly
Windows Service Created with Suspicious Service Path | System Services, Service Execution | TTP

Data Sources

Name | Platform | Sourcetype | Source
CrowdStrike ProcessRollup2 | N/A | crowdstrike:events:sensor | crowdstrike
Sysmon EventID 1 | Windows | xmlwineventlog | XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
Sysmon EventID 11 | Windows | xmlwineventlog | XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
Sysmon EventID 23 | Windows | xmlwineventlog | XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
Sysmon EventID 5 | Windows | xmlwineventlog | XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
Windows Event Log Security 1100 | Windows | xmlwineventlog | XmlWinEventLog:Security
Windows Event Log Security 1102 | Windows | xmlwineventlog | XmlWinEventLog:Security
Windows Event Log Security 4688 | Windows | xmlwineventlog | XmlWinEventLog:Security
Windows Event Log System 7045 | Windows | xmlwineventlog | XmlWinEventLog:System

Source: GitHub | Version: 1