Cl0p Ransomware Attack Demo

0:00 welcome to the Juniper threat Labs

0:02 attack demo series today's subject is

0:04 clop ransomware following a brief

0:07 description of klop ransomware and the

0:09 Gang behind it this video will

0:10 demonstrate how malicious threat actors

0:12 conduct a clock ransomware attack

0:14 afterward we'll show you how Juniper

0:16 customers can protect themselves Club

0:18 ransomware comes from a Russian speaking

0:20 threat actor group that bears the same

0:22 name first identified in 2019 these

0:25 malicious threat actors have their

0:27 ransomware sights set on large companies

0:29 in North America Latin America Europe

0:31 and Asia as of July 2023 the club

0:34 ransomware Gang has been linked to

0:36 attacks on over 400 organizations

0:39 including U.S banks Healthcare

0:41 organizations and universities in fact

0:44 the US government recently offered a 10

0:46 million Bounty for information leading

0:48 to the arrest and conviction of the

0:50 cooperansomware gang in May 2023 the

0:53 klop ransomware gang began exploiting a

0:55 vulnerability and progress software's

0:56 managed file transfer solution move it

0:58 transfer this phone ability cve

1:02 2023-34362 is an SQL injection

1:05 vulnerability that can be exploited to

1:06 execute arbitrary code on the target

1:08 server exploding this vulnerability the

1:11 klopp ransomware Gang has been gaining

1:13 access to Internet facing move it manage

1:15 file transfer web applications after

1:18 gaining access attackers plan a web

1:20 shell on the target server the web shell

1:22 is a malicious web app hosted by the

1:24 victim to which the attacker connects in

1:27 order to remotely control that Target

1:28 server the copper and summer gang then

1:31 uses the web shell to steal data from

1:32 the target server and subsequently

1:34 deploy the clock ransomware making their

1:36 system unusable without a ransom the

1:39 clock ransomware gang is as

1:40 sophisticated and well-funded group of

1:42 attackers they are constantly evolving

1:44 their attack methods Club ransomware

1:46 employs an arsenal of diverse malware

1:48 tools including the flawed Amy rat

1:51 truebot estibot Cobalt strike and web

1:54 shells as we mentioned earlier the

1:56 group's operational history traces back

1:58 to 2019 the clock gang which is either

2:00 related to or includes two other cyber

2:03 criminal gangs ta-505 and fin 11

2:05 typically victimizes their targets

2:07 through extensive spear phishing

2:09 campaigns as their primary attack vector

2:11 and then attacking known or unknown

2:13 software vulnerabilities during 2020 and

2:16 2021 they shifted their focus to

2:17 exploiting excelling FTA servers and

2:20 deploying the do Mode web shell and

2:21 January 2023 the group was observed

2:24 explaining go anywhere mft and enabling

2:26 remote code execution most recently

2:29 they've been targeting movement manage

2:31 file transfer sites as we mentioned

2:32 earlier and installing the lamural loot

2:34 web shell

2:35 for the purpose of this demonstration

2:37 we're diving into the post-exploitation

2:39 phase we're therefore already assuming

2:41 the presence of an already established

2:43 web shell on the victim that is remotely

2:45 accessible to the malicious threat actor

2:47 with the web shell in place and acting

2:49 as the attacker we will utilize the web

2:52 shell to initiate the downloaded

2:53 installation of clock ransomware which

2:56 will encrypt all the files on the

2:57 infected system alright let's get

3:00 started

3:01 here we have a Kali Linux machine that

3:03 belongs to the attacker and from here we

3:05 will further assume that this attacker

3:07 can access the target victim server at

3:09 IP address 192 168 206.145 where the

3:14 malicious web shell has already been

3:15 successfully installed following

3:17 exploitation acting as the attacker

3:19 we're connecting to this web Shell

3:21 through the browser to the victim whose

3:23 IP address ends in 145. as you will see

3:25 once connected we will execute a

3:27 Powershell command to download and

3:29 install clock ransomware file clop.exe

3:31 now once installed encrypts the victim's

3:33 files

3:34 okay the attacker on the Kali Linux PC

3:37 is now connected to the webshell

3:39 installed on the victims PC to provide a

3:42 clearer visual representation of what is

3:43 happening under the cover so to speak

3:45 we're running Wireshark on the victim's

3:47 Windows PC

3:49 to this point the attacker at the IP

3:51 address ending in 140 has requested and

3:53 received the web shell as you saw on the

3:55 browser moments ago back on the

3:57 attacker's PC we are hosting the

3:59 malicious ransomware file clop.exe we'll

4:02 start a web server on the attacker such

4:03 that we can direct the victim through

4:05 the web shell to download and install

4:06 klop.exe

4:09 [Music]

4:14 the attacker having confirmed that the

4:16 web server is running and that the cop

4:17 ransomware is readily available returns

4:19 to the web shell the malicious threat

4:21 actor then uses a Powershell command

4:23 that directs the victim PC to retrieve

4:25 and install the clock ransomware

4:28 foreign

4:33 as you can see the victim's machine at

4:36 192 168 206.145 was manipulated Through

4:40 The webshell Connection by the attacker

4:42 to register a get request for klopp.exe

4:45 inspecting Wireshark logs on the target

4:47 victims PC we see that the malicious

4:49 file clop.exe has been successfully

4:52 downloaded using the process monitor we

4:54 can verify that the ransomware was not

4:56 just downloaded but executed as well

4:59 [Music]

5:03 stage klopp is utilizing a significant

5:06 amount of CPU as it is busy encrypting

5:08 files

5:10 we can verify that many of the files are

5:13 already encrypted as the ransomware

5:14 ads.clop extension to each encrypted

5:17 file

5:18 [Music]

5:28 [Music]

5:30 we can open such files verifying that

5:33 the contents are unreadable

5:36 unencrypted in its normal form this

5:38 Javascript file would contain human

5:40 readable text

5:42 for each folder clap also adds a ransom

5:45 note clock readme.txt details about

5:48 contacting the attackers to obtain the

5:50 keys and how the victim restores his her

5:52 or their files are provided in these

5:54 readme files

5:57 [Music]

6:06 let's now look and see whether or not

6:08 this attack Works successfully with a

6:10 juniper SRX firewall enhanced with

6:13 protection from Juniper's cloud-based

6:14 Advanced anti-malware solution Juniper

6:17 ATP for this part of the demo Juniper

6:19 threat Labs is using the following setup

6:21 we have a vsrx pictured in the center

6:23 the vsrx is a virtual SRX firewall

6:26 providing network security protection

6:28 its purpose is to inspect Network

6:30 traffic and with the assistance of

6:32 juniper ATP Cloud to detect malware like

6:35 clock ransomware in addition to the

6:37 virtual firewall and the cloud-based

6:39 protections we are using Juniper

6:40 security director which is a centralized

6:42 management system security director

6:45 facilitates our configuring and

6:46 monitoring of the vsrx firewall and we

6:49 are using Juniper's policy enforcer as

6:51 well Juniper's policy enforcer enforces

6:54 security policies on endpoints and

6:56 ensures they comply with corporate

6:57 security standards pictured as well are

6:59 several Windows workstations Each of

7:01 which is connected to the vsrx and

7:04 finally there is an Ubuntu Server which

7:06 is acting as the malware download server

7:08 before we proceed and run the clock

7:10 ransomware attack simulation when

7:12 protection provided by Juniper's

7:14 connected Security Solutions let's first

7:16 take a look at the threat prevention

7:17 policy that we've set up on our security

7:19 director and applied to the vsrx to

7:22 access the policy we'll navigate to the

7:24 configure Tab and will select thread

7:26 prevention and policies as you can see

7:29 we already have an existing policy in

7:31 place let's further inspect the

7:33 protections being enforced by the

7:34 applied policy so for the demo our

7:36 policy is configured to block command

7:38 and control traffic at Threat Level 7

7:40 and above and we've also set it to block

7:42 infected hosts

7:43 after at level 8 and above additionally

7:46 we've configured our policy to use ATP

7:48 Cloud for malware detection as you can

7:50 see we've elected to scan HTTP downloads

7:53 finally we've chosen to block any and

7:55 all threats rated a level seven and

7:57 above this threat prevention policy

7:59 applied to the Juniper vsrx firewall is

8:02 a critical component of our defenses

8:04 protecting our systems against malware

8:06 related attacks including malicious clop

8:08 ransomware it allows us to detect and

8:10 block malicious traffic as well as the

8:12 activity of potentially infected hosts

8:14 which will then prevent the spread of

8:16 malware across our Network in the event

8:18 that one of our systems gets compromised

8:20 acting as would-be malicious threat

8:22 actors for the demo let's now proceed in

8:24 launching the attack with juniper

8:26 connected Security Solutions in place

8:28 so to begin we connect to the already

8:30 installed web shell running on the

8:32 target victim server at

8:35 100.123.32.3 next We Run The Powershell

8:38 command in the web shell that attempts

8:40 to download the clock ransomware before

8:42 launching it on the victim server

8:50 looking at Wireshark on the intended

8:52 victims machine we see the post request

8:54 from the attacker when he entered the

8:56 Powershell command into the webshell but

8:58 that is all we see we see no reply from

9:00 our would-be victim at least no reply

9:03 just yet

9:04 so anyhow after a short period of time

9:06 following the attempted attack it

9:08 displays an error which reads unable to

9:10 connect to the remote server in this

9:12 case the quote-unquote remote server is

9:14 the malware server malware.vault101.com

9:21 looking again at Wireshark on the

9:24 would-be victims machine we finally do

9:26 see the same error

9:32 [Music]

9:34 so what happened what happened was that

9:37 the Juniper vsrx with ATP was able to

9:40 detect and block the attempted download

9:42 of the klop ransomware we can go back to

9:44 our security director to find more

9:45 details about this blocked clop

9:47 ransomware Attack under the HTTP

9:49 download tab we can see information

9:51 about the detected malware including the

9:54 Threat Level hash and URL associated

9:57 with the malware

10:01 [Music]

10:06 switching from security director to ATP

10:08 Cloud we can click on the file signature

10:10 or hash to see more details these

10:12 details include a static analysis of the

10:14 malware that show you different types of

10:16 information collected by analyzing the

10:17 static properties of the file when it's

10:19 not being run

10:25 Juniper additionally provides Behavior

10:27 Analysis which includes information

10:28 collected as a result of running the

10:30 malware in a sandbox

10:46 we can see network activity and behavior

10:48 details including processes that would

10:51 have been spawned as well as information

10:52 about this malicious threat related to

10:54 the miter attack framework

10:57 it is important to note that Juniper ATP

11:00 identifies whether a file is a threat or

11:02 not using machine learning as well as

11:04 the information just discussed thus

11:06 without the need for any signatures

11:09 [Music]

11:13 now we switch back to security director

11:15 note that while the attack was

11:17 unsuccessful recall that the security

11:19 policy being enforced on the vsrx locks

11:22 host network activity when it detects

11:23 threats at level 8 and above this host

11:26 then is now disconnected temporarily

11:27 from the network

11:29 security director is informing the admin

11:31 that this host or server appears to have

11:33 attempted to download malware I.E and

11:36 Clopper in somewhere which has a threat

11:38 level of 10.

11:39 [Music]

11:44 we can confirm that this host is

11:46 temporarily blocked from Network usage

11:48 by attempting to browse the internet

11:49 you'll see that the user cannot do much

11:51 at least right now thus if there was

11:54 more going on than the isolated

11:56 unsuccessful attack

11:57 the rest of the network would be

11:59 protected

12:01 [Music]

12:05 once the admin is sure that the host or

12:07 server is indeed free from infection she

12:09 can first select the host and then under

12:11 the investigation status section she can

12:14 select resolved fixed which changes the

12:16 status of this host to clean

12:22 [Music]

12:25 after a few moments this host will be

12:27 able to resume Network usage we can

12:30 verify that once again just by browsing

12:32 the net

12:34 [Music]

12:52 that completes our demo of clock

12:53 ransomware check out more videos from

12:55 the Juniper threat Labs attack demo

12:57 series by visiting juniper.net thanks

12:59 for watching