A new variant of CryptoMix ransomware was discovered being used in the wild by cybercriminals. Like almost every other ransomware, it encrypts the files on the victim machine and demands payment to decrypt them; in other words, it holds the information hostage.
This one, however, has a particularity: it attempts to disable Windows Defender, and it also tries to remove Microsoft Security Essentials and any other standalone anti-ransomware programs.
Another peculiarity is that the .exe it downloads is signed with a certificate, which makes the antivirus programs' job harder.
According to the analysis by security researcher Vitali Kremez, a small program is run before the encryption that disables a variety of security software, including Windows Defender.
This is done to prevent behavioral detection from spotting the file encryption and blocking the ransomware.
To disable Windows Defender, it sets various Registry values that turn off behavior monitoring, real-time protection, sample uploading to Microsoft, cloud detections, antispyware detections, and Tamper Protection. The Clop ransomware also targets older computers by uninstalling Microsoft Security Essentials.
The attacks mainly arrive via social engineering: an email with an Office document attached that contains malicious macros. Once the document is downloaded and opened, the macro downloads a .exe and executes it.
While CryptoMix is a relatively old and well-known ransomware, this new variant has particularities that show malware (malicious software) is becoming more and more sophisticated. In this instance, besides attempting to disable specific programs to achieve its goal, it comes with a signed certificate, which may trick security solutions into trusting the binary and letting it pass. This initial certificate was revoked, but another variant may well appear with a new certificate.
Ostensibly, if you have Tamper Protection enabled in Windows 10, these settings will simply be reset to their default configuration and Windows Defender will not be disabled.
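The point above, that a valid code-signing certificate only says who signed a file and not whether the file is benign, is something a defender can check directly. The following PowerShell snippet is an added example, not code from the original article or from the researcher cited; it uses the built-in Get-AuthenticodeSignature cmdlet, which validates the certificate chain (a revoked or untrusted signer does not yield Status = Valid), and compares the signer against a list of thumbprints you already trust. The file path and the thumbprint list are placeholders.

```powershell
# Added example (not from the original article): report an executable's
# Authenticode signature state and whether the signer is one you already
# know. Read-only; the file is never executed.
# Assumes Windows PowerShell 5.1 or PowerShell 7 on Windows.

function Test-SignedBinary {
    param(
        [Parameter(Mandatory)][string]$Path,
        # Thumbprints of signing certificates your organisation has vetted.
        # Placeholder list; fill in from your own software inventory.
        [string[]]$TrustedThumbprints = @()
    )

    $sig  = Get-AuthenticodeSignature -FilePath $Path
    $cert = $sig.SignerCertificate

    [pscustomobject]@{
        File        = $Path
        # Valid, NotSigned, HashMismatch, NotTrusted, UnknownError, ...
        Status      = $sig.Status
        StatusText  = $sig.StatusMessage
        Signer      = if ($cert) { $cert.Subject }    else { $null }
        Issuer      = if ($cert) { $cert.Issuer }     else { $null }
        Thumbprint  = if ($cert) { $cert.Thumbprint } else { $null }
        NotAfter    = if ($cert) { $cert.NotAfter }   else { $null }
        # "Signed" is only one signal. A chain-valid signature from a signer
        # nobody in the organisation has seen before is unknown, not trusted.
        KnownSigner = ($cert -and ($TrustedThumbprints -contains $cert.Thumbprint))
    }
}

# Usage (paths and thumbprints are placeholders):
Test-SignedBinary -Path 'C:\samples\suspicious.exe' `
                  -TrustedThumbprints @('0000000000000000000000000000000000000000') |
    Format-List
```

A practical policy that follows from this: alert on any binary whose Status is Valid but whose KnownSigner is false, rather than letting a valid chain alone decide whether the file may run.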
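Because the article describes the ransomware turning off real-time protection, behavior monitoring, cloud (MAPS) reporting, sample submission, the antispyware engine and Tamper Protection, the natural defensive check is an audit that reports whether each of those is still in its protective state. The PowerShell script below is an added example, not code from the original article or from the researcher cited. It relies on the documented Defender cmdlets Get-MpPreference and Get-MpComputerStatus and on the documented Defender policy value names under HKLM\SOFTWARE\Policies\Microsoft\Windows Defender; it assumes Windows 10 or Windows Server 2016 or later, where those cmdlets ship, and it changes nothing.

```powershell
# Added example (not from the original article): read-only audit of the
# Defender settings the article says the ransomware tampers with.
# Assumes the built-in Defender module (Get-MpPreference, Get-MpComputerStatus).

function Get-DefenderTamperReport {
    $pref   = Get-MpPreference
    $status = Get-MpComputerStatus

    # One row per setting: observed value and whether it is still protective.
    $checks = @(
        [pscustomobject]@{ Setting = 'Real-time protection';   Value = $status.RealTimeProtectionEnabled; Ok = ($status.RealTimeProtectionEnabled -eq $true) }
        [pscustomobject]@{ Setting = 'Behavior monitoring';     Value = $status.BehaviorMonitorEnabled;    Ok = ($status.BehaviorMonitorEnabled    -eq $true) }
        [pscustomobject]@{ Setting = 'Antispyware engine';      Value = $status.AntispywareEnabled;        Ok = ($status.AntispywareEnabled        -eq $true) }
        [pscustomobject]@{ Setting = 'Tamper Protection';       Value = $status.IsTamperProtected;         Ok = ($status.IsTamperProtected         -eq $true) }
        # MAPSReporting: 0 = cloud protection off, 1 = basic, 2 = advanced
        [pscustomobject]@{ Setting = 'Cloud protection (MAPS)'; Value = $pref.MAPSReporting;               Ok = ($pref.MAPSReporting        -ne 0) }
        # SubmitSamplesConsent: 2 = never send samples to Microsoft
        [pscustomobject]@{ Setting = 'Sample submission';       Value = $pref.SubmitSamplesConsent;        Ok = ($pref.SubmitSamplesConsent -ne 2) }
    )

    # Policy values override the UI. Each entry names the documented policy
    # value and a test that returns $true when the value means "disabled".
    $base = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender'
    $policyValues = @(
        @{ Path = $base;                          Name = 'DisableAntiSpyware';        Bad = { param($v) $v -eq 1 } }
        @{ Path = "$base\Real-Time Protection";   Name = 'DisableRealtimeMonitoring'; Bad = { param($v) $v -eq 1 } }
        @{ Path = "$base\Real-Time Protection";   Name = 'DisableBehaviorMonitoring'; Bad = { param($v) $v -eq 1 } }
        @{ Path = "$base\Spynet";                 Name = 'SpynetReporting';           Bad = { param($v) $v -eq 0 } }
        @{ Path = "$base\Spynet";                 Name = 'SubmitSamplesConsent';      Bad = { param($v) $v -eq 2 } }
    )
    foreach ($pv in $policyValues) {
        $item = Get-ItemProperty -Path $pv.Path -Name $pv.Name -ErrorAction SilentlyContinue
        if ($null -ne $item) {
            $v = $item.($pv.Name)
            $checks += [pscustomobject]@{
                Setting = "Policy value $($pv.Name)"
                Value   = $v
                Ok      = -not (& $pv.Bad $v)
            }
        }
    }
    return $checks
}

$report = Get-DefenderTamperReport
$report | Format-Table -AutoSize
$bad = @($report | Where-Object { -not $_.Ok })
if ($bad.Count -gt 0) {
    Write-Warning "$($bad.Count) Defender setting(s) are not in their protective state."
}
```

Run it from an elevated prompt so the policy hive is readable. On an endpoint that is not domain-managed, the mere presence of these policy values is itself worth investigating, since nothing legitimate should have written them; with Tamper Protection on, as the article notes, the cmdlet-visible settings should already have snapped back to their defaults.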
A cybersecurity culture in the workplace is the best way to prevent bad things from happening. However, something out of our hands will always go wrong; what we certainly can do is keep at least one backup on an external device, which will significantly reduce the impact if you get hit by ransomware.
Ransomware infections aim to encrypt your files with an encryption algorithm that may be very difficult to break. However, there are alternatives that can be very helpful for recovering your data. Remember that paying is not a good idea and does not guarantee that you will get your files back.
As we have stated in other reports on ransomware, if you find yourself in this situation, we recommend not paying any ransom. You can go to nomoreransom.org and get help there; they maintain a list of tools that may help you recover your data.
Some ransomware is delivered as a link, also in spam email; others come via exploit kits. Still others are delivered through malvertising (malicious advertising) or a compromised website. Hence the importance of a good cybersecurity culture at work.
It is wise to have a minimum of one backup outside the computer (if you have mirrored disks, chances are the mirrored disk gets encrypted too). Multiple backups are better still: if an external device breaks, you still have your valuable data. Cloud backups are also an efficient way to keep a backup.
TTPs: Tactics, techniques and procedures